WO2016116034A1 - Method, apparatus, and system for data transmission - Google Patents


Info

Publication number
WO2016116034A1
Authority
WO
WIPO (PCT)
Prior art keywords
terminal device
hash function
port number
target
fingerprint information
Application number
PCT/CN2016/071359
Other languages
French (fr)
Chinese (zh)
Inventor
肖晶
Original Assignee
华为技术有限公司 (Huawei Technologies Co., Ltd.)
Application filed by 华为技术有限公司
Publication of WO2016116034A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Definitions

  • The present invention relates to the field of communications and, more particularly, to a method, apparatus and system for transmitting data.
  • Media communication technologies, for example video conferencing, commonly use the H.323 protocol: a terminal device can establish a session connection with another terminal device over H.323 and then exchange data with it through that session connection.
  • Embodiments of the present invention provide a method, apparatus, and system for transmitting data which can improve the security of the transmitted data.
  • A first aspect provides a method for transmitting data, applied to a communication system that includes a first terminal device and a second terminal device which communicate over the H.323 protocol. The method includes: the first terminal device receives a first hash function list sent by the second terminal device, the list containing at least one hash function supported by the second terminal device; the first terminal device determines a first hash function from the first hash function list, the first hash function being one that the first terminal device itself supports, determines first fingerprint information corresponding to the first hash function, and sends the first hash function and the first fingerprint information to the second terminal device, where the first hash function and the first fingerprint information are used to authenticate the first terminal device;
  • the first terminal device sends a second hash function list to the second terminal device, the list containing at least one hash function supported by the first terminal device, and receives a second hash function and second fingerprint information sent by the second terminal device, where the second hash function was determined by the second terminal device from the second hash function list and is one that the second terminal device itself supports, the second fingerprint information is the fingerprint information corresponding to the second hash function, and the second hash function and the second fingerprint information are used to authenticate the second terminal device;
  • the first terminal device performs authentication processing with the second terminal device according to the first hash function, the first fingerprint information, the second hash function and the second fingerprint information, so as to establish a Datagram Transport Layer Security (DTLS) connection, and transmits data to and from the second terminal device over the DTLS connection.
  • In a possible implementation, the method further includes: the first terminal device sends a first port number to the second terminal device, the first port number being the port number the first terminal device uses to establish a Stream Control Transmission Protocol (SCTP) connection carried over the DTLS connection; the first terminal device receives a second port number sent by the second terminal device, the second port number being the port number the second terminal device uses to establish that SCTP connection over the DTLS connection; the first terminal device establishes the SCTP connection with the second terminal device according to the first port number and the second port number, and transmits data to and from the second terminal device over the SCTP connection on top of the DTLS connection.
  • In a possible implementation, the method further includes: the first terminal device sends first role indication information to the second terminal device, indicating the role supported by the first terminal device, a role being at least one of "active" and "passive"; the first terminal device receives second role indication information sent by the second terminal device, indicating the role supported by the second terminal device; and the authentication processing is performed by the first terminal device according to the first hash function, the first fingerprint information, the second hash function, the second fingerprint information, the role supported by the first terminal device and the role supported by the second terminal device.
  • A second aspect provides a method for transmitting data, applied to a communication system that includes a first terminal device and a second terminal device which communicate over the H.323 protocol. The method includes: the first terminal device receives a first hash function list sent by the second terminal device, the list containing at least one hash function supported by the second terminal device; the first terminal device determines a target hash function from the first hash function list, the target hash function being one that the first terminal device itself supports, and determines fingerprint information corresponding to the target hash function; the first terminal device sends the target hash function and the fingerprint information to the second terminal device; the first terminal device performs authentication processing with the second terminal device according to the target hash function and the fingerprint information so as to establish a DTLS connection, and transmits data to and from the second terminal device over the DTLS connection.
  • In a possible implementation, before the first terminal device determines the target hash function from the first hash function list, the method further includes: the first terminal device receives role indication information sent by the second terminal device, indicating the role supported by the second terminal device, a role being at least one of "active" and "passive"; the first terminal device determines the role supported by the second terminal device from the role indication information; and the first terminal device determines the target hash function from the first hash function list only when it determines that the role it supports includes "active" and the role supported by the second terminal device includes "passive".
  • In a possible implementation, the first terminal device determines the target hash function from the first hash function list according to the hash functions it supports itself.
  • In a possible implementation, before the first terminal device determines the target hash function from the first hash function list, the method further includes: the first terminal device sends a second hash function list to the second terminal device, the list containing at least one hash function supported by the first terminal device, so that the second terminal device determines the first hash function list according to the second hash function list, every hash function in the first hash function list belonging to the second hash function list; the first terminal device may then take any hash function in the first hash function list as the target hash function.
  • In a possible implementation, the method further includes: the first terminal device sends a first port number to the second terminal device, the first port number being the port number the first terminal device uses to establish an SCTP connection over the DTLS connection; the first terminal device receives a second port number sent by the second terminal device, the second port number being the port number the second terminal device uses to establish that SCTP connection over the DTLS connection; the first terminal device establishes the SCTP connection with the second terminal device according to the first port number and the second port number, and transmits data to and from the second terminal device over the SCTP connection on top of the DTLS connection.
  • A third aspect provides a method for transmitting data, applied to a communication system that includes a first terminal device and a second terminal device which communicate over the H.323 protocol. The method includes: the second terminal device sends a first hash function list to the first terminal device, the list containing at least one hash function supported by the second terminal device; the second terminal device receives a target hash function sent by the first terminal device and the fingerprint information corresponding to the target hash function, where the target hash function was determined by the first terminal device from the first hash function list and is one that the first terminal device supports; the second terminal device performs authentication processing with the first terminal device according to the target hash function and the fingerprint information so as to establish a DTLS connection, and transmits data to and from the first terminal device over the DTLS connection.
  • In a possible implementation, the method further includes: the second terminal device sends role indication information to the first terminal device, indicating the role supported by the second terminal device, a role being at least one of "active" and "passive", so that the first terminal device determines the target hash function from the first hash function list when it determines that the role it supports includes "active" and the role supported by the second terminal device includes "passive".
  • In a possible implementation, the target hash function is determined by the first terminal device from the first hash function list according to the hash functions the first terminal device supports.
  • In a possible implementation, before the second terminal device receives the target hash function and the corresponding fingerprint information from the first terminal device, the method further includes: the second terminal device receives a second hash function list sent by the first terminal device, the list containing at least one hash function supported by the first terminal device; the second terminal device determines the first hash function list according to the second hash function list, so that every hash function in the first hash function list belongs to the second hash function list.
  • In a possible implementation, the method further includes: the second terminal device receives a first port number sent by the first terminal device, the first port number being the port number the first terminal device uses to establish an SCTP connection over the DTLS connection; the second terminal device sends a second port number to the first terminal device, the second port number being the port number the second terminal device uses to establish that SCTP connection over the DTLS connection; the second terminal device establishes the SCTP connection with the first terminal device according to the first port number and the second port number, and transmits data to and from the first terminal device over the SCTP connection on top of the DTLS connection.
  • A fourth aspect provides a method for transmitting data, applied to a communication system that includes a first terminal device, a second terminal device and a gateway device, where the first terminal device and the gateway device communicate over the H.323 protocol and the second terminal device and the gateway device communicate over the Session Initiation Protocol (SIP). The method includes: the gateway device receives at least one first hash function sent by the second terminal device, each first hash function being a hash function supported by the second terminal device, and sends to the first terminal device a first hash function list in which the first hash function(s) are recorded; the gateway device receives a target first hash function and first fingerprint information sent by the first terminal device, where the target first hash function was determined by the first terminal device from the first hash function list and is one that the first terminal device supports, the first fingerprint information is the fingerprint information corresponding to the target first hash function, and the target first hash function and the first fingerprint information are used to authenticate the first terminal device; the gateway device receives a target second hash function and second fingerprint information sent by the second terminal device, where the target second hash function is one that the second terminal device supports, the second fingerprint information is the fingerprint information corresponding to the target second hash function, and the target second hash function and the second fingerprint information are used to authenticate the second terminal device; the gateway device sends the target first hash function and the first fingerprint information to the second terminal device, and sends the target second hash function and the second fingerprint information to the first terminal device, so that the first terminal device and the second terminal device perform authentication processing according to the target first hash function, the first fingerprint information, the target second hash function and the second fingerprint information, establish a DTLS connection, and transmit data over the DTLS connection.
  • In a possible implementation, the method further includes: the gateway device receives first role indication information sent by the first terminal device and second role indication information sent by the second terminal device, the first role indication information indicating the role supported by the first terminal device and the second role indication information indicating the role supported by the second terminal device, a role being at least one of "active" and "passive"; the gateway device sends the first role indication information to the second terminal device and the second role indication information to the first terminal device, so that the first terminal device and the second terminal device perform the authentication processing according to the target first hash function, the first fingerprint information, the target second hash function, the second fingerprint information, the role supported by the first terminal device and the role supported by the second terminal device.
  • In a possible implementation, the method further includes: the gateway device receives a first port number sent by the first terminal device and a second port number sent by the second terminal device, where the first port number is the port number the first terminal device uses to establish an SCTP connection over the DTLS connection and the second port number is the port number the second terminal device uses to establish that SCTP connection over the DTLS connection; the gateway device forwards the first port number to the second terminal device and the second port number to the first terminal device, so that the first terminal device and the second terminal device establish the SCTP connection according to the first port number and the second port number and transmit data over the SCTP connection.
  • A fifth aspect provides a method for transmitting data, applied to a communication system that includes a first terminal device, a second terminal device and a gateway device, where the first terminal device and the gateway device communicate over the H.323 protocol and the second terminal device and the gateway device communicate over SIP. The method includes: the first terminal device receives a first hash function list sent by the gateway device, in which at least one first hash function that the second terminal device sent to the gateway device is recorded, each first hash function being one that the second terminal device supports; the first terminal device determines a target first hash function from the first hash function list, the target first hash function being one that the first terminal device itself supports, determines first fingerprint information corresponding to the target first hash function, and sends the target first hash function and the first fingerprint information to the gateway device, where they are used to authenticate the first terminal device;
  • the gateway device sends the target first hash function and the first fingerprint information to the second terminal device;
  • the first terminal device sends a second hash function list to the gateway device, the list containing at least one second hash function supported by the first terminal device, and receives a target second hash function and second fingerprint information sent by the gateway device, where the target second hash function was determined by the second terminal device from some or all of the second hash functions forwarded to it by the gateway device and is one that the second terminal device supports, the second fingerprint information is the fingerprint information corresponding to the target second hash function, and the target second hash function and the second fingerprint information are used to authenticate the second terminal device; the first terminal device performs authentication processing with the second terminal device according to the target first hash function, the first fingerprint information, the target second hash function and the second fingerprint information so as to establish a DTLS connection, and transmits data to and from the second terminal device over the DTLS connection.
  • In a possible implementation, the method further includes: the first terminal device sends a first port number to the gateway device, the first port number being the port number the first terminal device uses to establish an SCTP connection over the DTLS connection, so that the gateway device sends the first port number to the second terminal device; the first terminal device receives a second port number sent by the gateway device, the second port number having been sent by the second terminal device to the gateway device and being the port number the second terminal device uses to establish that SCTP connection over the DTLS connection; the first terminal device establishes the SCTP connection with the second terminal device according to the first port number and the second port number, and transmits data to and from the second terminal device over the SCTP connection on top of the DTLS connection.
  • In a possible implementation, the method further includes: the first terminal device sends first role indication information to the gateway device, indicating the role supported by the first terminal device, a role being at least one of "active" and "passive", so that the gateway device sends the first role indication information to the second terminal device; the first terminal device receives second role indication information sent by the gateway device, the second role indication information having been sent by the second terminal device to the gateway device and indicating the role supported by the second terminal device; and the authentication processing is performed by the first terminal device according to the target first hash function, the first fingerprint information, the target second hash function, the second fingerprint information, the role supported by the first terminal device and the role supported by the second terminal device.
  • A sixth aspect provides a method for transmitting data, applied to a communication system that includes a first terminal device, a second terminal device and a gateway device, where the first terminal device and the gateway device communicate over the H.323 protocol and the second terminal device and the gateway device communicate over SIP. The method includes: the gateway device receives a hash function list sent by the first terminal device, the list containing at least one hash function supported by the first terminal device; the gateway device negotiates with the second terminal device according to the hash function list so as to determine at least one candidate hash function from the list, each candidate hash function being one that the second terminal device supports;
  • the gateway device sends the candidate hash function(s) to the first terminal device, so that the first terminal device determines a target hash function from among the candidate hash functions and determines the fingerprint information corresponding to the target hash function;
  • the gateway device receives the target hash function and the fingerprint information sent by the first terminal device and sends them to the second terminal device, so that the first terminal device and the second terminal device perform authentication processing according to the target hash function and the fingerprint information, establish a DTLS connection, and transmit data over the DTLS connection.
  • In a possible implementation, the negotiation between the gateway device and the second terminal device according to the hash function list consists of: the gateway device sends a to-be-verified hash function to the second terminal device, the to-be-verified hash function being any hash function in the hash function list; the gateway device receives a verification message from the second terminal device, the verification message indicating whether the to-be-verified hash function is one that the second terminal device supports; and when the gateway device determines from the verification message that the to-be-verified hash function is supported by the second terminal device, the gateway device records the to-be-verified hash function as a candidate hash function.
  • In a possible implementation, the gateway device determines that the to-be-verified hash function is supported by the second terminal device, and records it as a candidate hash function, when the verification message carries the to-be-verified hash function.
  • In a possible implementation, the method further includes: the gateway device receives a first port number sent by the first terminal device and a second port number sent by the second terminal device, where the first port number is the port number the first terminal device uses to establish an SCTP connection over the DTLS connection and the second port number is the port number the second terminal device uses to establish that SCTP connection over the DTLS connection; the gateway device forwards the first port number to the second terminal device and the second port number to the first terminal device, so that the first terminal device and the second terminal device establish the SCTP connection according to the first port number and the second port number and transmit data over the SCTP connection.
  • A seventh aspect provides a method for transmitting data, applied to a communication system that includes a first terminal device, a second terminal device and a gateway device, where the first terminal device and the gateway device communicate over the H.323 protocol and the second terminal device and the gateway device communicate over SIP. The method includes: the first terminal device sends a hash function list to the gateway device, the list containing at least one hash function supported by the first terminal device, so that the gateway device negotiates with the second terminal device according to the hash function list and determines at least one candidate hash function from the list, each candidate hash function being one that the second terminal device supports; the first terminal device receives the candidate hash function(s) sent by the gateway device; the first terminal device determines a target hash function from among the candidate hash functions and determines the fingerprint information corresponding to the target hash function; the first terminal device sends the target hash function and the fingerprint information to the gateway device, so that the gateway device forwards the target hash function and the fingerprint information to the second terminal device and the two terminal devices can perform authentication processing according to them to establish a DTLS connection.
  • In a possible implementation, the method further includes: the first terminal device sends a first port number to the gateway device, so that the gateway device forwards the first port number to the second terminal device, the first port number being the port number the first terminal device uses to establish an SCTP connection over the DTLS connection; the first terminal device receives, via the gateway device, a second port number that the second terminal device sent to the gateway device, the second port number being the port number the second terminal device uses to establish that SCTP connection over the DTLS connection; the first terminal device establishes the SCTP connection with the second terminal device according to the first port number and the second port number and transmits data over the SCTP connection.
  • An eighth aspect provides an apparatus for transmitting data, configured in a communication system that includes the apparatus and a second terminal device, where the apparatus communicates with the second terminal device over the H.323 protocol.
  • The apparatus includes: a receiving unit, configured to receive a first hash function list sent by the second terminal device, the list containing at least one hash function supported by the second terminal device; a processing unit, configured to determine a first hash function from the first hash function list and to determine first fingerprint information corresponding to the first hash function; and a sending unit, configured to send the first hash function and the first fingerprint information to the second terminal device, where the first hash function is one that the apparatus supports and the first hash function and the first fingerprint information are used to authenticate the apparatus. The sending unit is further configured to send a second hash function list to the second terminal device, the list containing at least one hash function supported by the apparatus; the receiving unit is further configured to receive a second hash function and second fingerprint information sent by the second terminal device, where the second hash function was determined by the second terminal device from the second hash function list and is one that the second terminal device supports,
  • and the second hash function and the second fingerprint information are used to authenticate the second terminal device; the processing unit is further configured to perform authentication processing with the second terminal device according to the first hash function, the first fingerprint information, the second hash function and the second fingerprint information so as to establish a DTLS connection, and to transmit data to and from the second terminal device over the DTLS connection.
  • In a possible implementation, the sending unit is further configured to send a first port number to the second terminal device, the first port number being the port number the apparatus uses to establish an SCTP connection over the DTLS connection; the receiving unit is further configured to receive a second port number sent by the second terminal device, the second port number being the port number the second terminal device uses to establish that SCTP connection over the DTLS connection; the processing unit is further configured to establish the SCTP connection with the second terminal device according to the first port number and the second port number, and to transmit data to and from the second terminal device over the SCTP connection on top of the DTLS connection.
  • In a possible implementation, the sending unit is further configured to send first role indication information to the second terminal device, indicating the role supported by the apparatus, a role being at least one of "active" and "passive";
  • the receiving unit is further configured to receive second role indication information sent by the second terminal device, indicating the role supported by the second terminal device;
  • and the processing unit is specifically configured to perform the authentication processing with the second terminal device according to the first hash function, the first fingerprint information, the second hash function, the second fingerprint information, the role supported by the apparatus and the role supported by the second terminal device.
  • a ninth aspect provides an apparatus for transmitting data, configured in a communication system including the apparatus and a second terminal device, where the apparatus communicates with the second terminal device by using an H.323 protocol;
  • the apparatus includes: a receiving unit, configured to receive a first hash function list sent by the second terminal device, where the first hash function list includes at least one hash function supported by the second terminal device; a processing unit, configured to determine a target hash function from the first hash function list and to determine fingerprint information corresponding to the target hash function, where the target hash function belongs to the hash functions supported by the apparatus; and a sending unit, configured to send the target hash function and the fingerprint information to the second terminal device; the processing unit is further configured to perform authentication processing with the second terminal device according to the target hash function and the fingerprint information, so as to establish a Datagram Transport Layer Security (DTLS) protocol connection and transmit data to and from the second terminal device over the DTLS protocol connection.
  • the receiving unit is further configured to receive role indication information sent by the second terminal device, where the role indication information is used to indicate a role supported by the second terminal device, and the role is at least one of "active" and "passive";
  • the processing unit is further configured to determine the role supported by the second terminal device according to the role indication information, and to determine the target hash function from the first hash function list when the role supported by the apparatus includes "active" and the role supported by the second terminal device includes "passive".
  • the processing unit is specifically configured to determine the target hash function from the first hash function list according to the hash functions supported by the apparatus.
  • the sending unit is further configured to send a second hash function list to the second terminal device, where the second hash function list includes at least one hash function supported by the apparatus, so that the second terminal device determines the first hash function list according to the second hash function list, where every hash function in the first hash function list belongs to the second hash function list; and the processing unit is specifically configured to determine any hash function in the first hash function list as the target hash function.
  • the sending unit is further configured to send a first port number to the second terminal device, where the first port number is the port number used by the apparatus to establish a Stream Control Transmission Protocol (SCTP) connection on top of the DTLS protocol connection;
  • the receiving unit is further configured to receive a second port number sent by the second terminal device, where the second port number is the port number used by the second terminal device to establish the SCTP connection on top of the DTLS protocol connection;
  • the processing unit is further configured to establish an SCTP connection with the second terminal device according to the first port number and the second port number, so that data is transmitted to and from the second terminal device over the SCTP connection carried on the DTLS protocol connection.
  • an apparatus for transmitting data, configured in a communication system including a first terminal device and the apparatus, where the first terminal device communicates with the apparatus by using an H.323 protocol;
  • the apparatus includes: a sending unit, configured to send a first hash function list to the first terminal device, where the first hash function list includes at least one hash function supported by the apparatus; a receiving unit, configured to receive a target hash function sent by the first terminal device and fingerprint information corresponding to the target hash function, where the target hash function is determined by the first terminal device from the first hash function list and belongs to the hash functions supported by the first terminal device; and a processing unit, configured to perform authentication processing with the first terminal device according to the target hash function and the fingerprint information, so as to establish a Datagram Transport Layer Security (DTLS) protocol connection and transmit data to and from the first terminal device over the DTLS protocol connection.
  • the sending unit is further configured to send role indication information to the first terminal device, where the role indication information is used to indicate a role supported by the apparatus, and the role is at least one of "active" and "passive", so that the first terminal device determines the target hash function from the first hash function list when it determines that the role supported by the first terminal device includes "active" and the role supported by the apparatus includes "passive".
  • the target hash function is determined by the first terminal device from the first hash function list according to the hash functions supported by the first terminal device.
  • the receiving unit is further configured to receive a second hash function list sent by the first terminal device, where the second hash function list includes at least one hash function supported by the first terminal device; the processing unit is further configured to determine the first hash function list according to the second hash function list, so that every hash function in the first hash function list belongs to the second hash function list.
  • the receiving unit is further configured to receive a first port number sent by the first terminal device, where the first port number is the port number used by the first terminal device to establish a Stream Control Transmission Protocol (SCTP) connection on top of the DTLS protocol connection;
  • the sending unit is further configured to send a second port number to the first terminal device, where the second port number is the port number used by the apparatus to establish the SCTP connection on top of the DTLS protocol connection;
  • the processing unit is further configured to establish an SCTP connection with the first terminal device according to the first port number and the second port number, so that data is transmitted to and from the first terminal device over the SCTP connection carried on the DTLS protocol connection.
  • an apparatus for transmitting data, configured in a communication system including a first terminal device, a second terminal device and the apparatus, where the first terminal device communicates with the apparatus by using an H.323 protocol and the second terminal device communicates with the apparatus through the Session Initiation Protocol (SIP); the apparatus includes: a receiving unit, configured to receive at least one first hash function sent by the second terminal device, where the first hash function belongs to the hash functions supported by the second terminal device, and to receive a second hash function list sent by the first terminal device, where the second hash function list includes at least one second hash function supported by the first terminal device;
  • a sending unit, configured to send to the first terminal device a first hash function list in which the first hash function is recorded, and to send part or all of the second hash functions to the second terminal device; the receiving unit is further configured to receive a target first hash function and first fingerprint information sent by the first terminal device, and to receive a target second hash function and second fingerprint information sent by the second terminal device, where the target first hash function is determined by the first terminal device from the first hash function list and belongs to the hash functions supported by the first terminal device, the first fingerprint information is fingerprint information corresponding to the target first hash function, the target first hash function and the first fingerprint information are used to authenticate the first terminal device, the target second hash function is determined by the second terminal device from the part or all of the second hash functions and belongs to the hash functions supported by the second terminal device, the second fingerprint information is fingerprint information corresponding to the target second hash function, the
  • the receiving unit is further configured to receive first role indication information sent by the first terminal device and second role indication information sent by the second terminal device, where the first role indication information is used to indicate a role supported by the first terminal device, the second role indication information is used to indicate a role supported by the second terminal device, and the role is at least one of "active" and "passive";
  • the sending unit is further configured to send the first role indication information to the second terminal device and the second role indication information to the first terminal device, so that the first terminal device and the second terminal device perform authentication processing according to the first hash function, the first fingerprint information, the second hash function, the second fingerprint information, the role supported by the first terminal device and the role supported by the second terminal device.
  • the receiving unit is further configured to receive a first port number sent by the first terminal device and a second port number sent by the second terminal device, where the first port number is the port number used by the first terminal device to establish a Stream Control Transmission Protocol (SCTP) connection on top of the DTLS protocol connection, and the second port number is the port number used by the second terminal device to establish the SCTP connection on top of the DTLS protocol connection; the sending unit is further configured to forward the first port number to the second terminal device and the second port number to the first terminal device, so that the first terminal device and the second terminal device establish the SCTP connection according to the first port number and the second port number and transmit data over the SCTP connection.
  • an apparatus for transmitting data, configured in a communication system including the apparatus, a second terminal device and a gateway device, where the apparatus communicates with the gateway device by using an H.323 protocol,
  • and the second terminal device communicates with the gateway device through the Session Initiation Protocol (SIP);
  • the apparatus includes: a receiving unit, configured to receive a first hash function list sent by the gateway device, where the first hash function list records at least one first hash function sent by the second terminal device to the gateway device, and the first hash function belongs to the hash functions supported by the second terminal device; a processing unit, configured to determine a target first hash function from the first hash function list and to determine first fingerprint information corresponding to the target first hash function, where the target first hash function belongs to the hash functions supported by the apparatus, and the target first hash function and the first fingerprint information are used to authenticate the apparatus; and a sending unit, configured to send the target first hash function and the first fingerprint information to the gateway device, so that
  • the sending unit is further configured to send a first port number to the gateway device, where the first port number is the port number used by the apparatus to establish a Stream Control Transmission Protocol (SCTP) connection on top of the DTLS protocol connection, so that the gateway device sends the first port number to the second terminal device; the receiving unit is further configured to receive a second port number sent by the gateway device,
  • where the second port number was sent by the second terminal device to the gateway device and is the port number used by the second terminal device to establish the SCTP connection on top of the DTLS protocol connection;
  • the processing unit is further configured to establish an SCTP connection with the second terminal device according to the first port number and the second port number, so that data is transmitted to and from the second terminal device over the SCTP connection carried on the DTLS protocol connection.
  • the sending unit is further configured to send first role indication information to the gateway device, where the first role indication information is used to indicate a role supported by the apparatus, the role being at least one of "active" and "passive", so that the gateway device sends the first role indication information to the second terminal device;
  • the receiving unit is further configured to receive second role indication information sent by the gateway device, where the second role indication information was sent by the second terminal device to the gateway device and is used to indicate a role supported by the second terminal device;
  • the processing unit is specifically configured to perform authentication processing with the second terminal device according to the target first hash function, the first fingerprint information, the target second hash function, the second fingerprint information, the role supported by the apparatus and the role supported by the second terminal device.
  • an apparatus for transmitting data, configured in a communication system including a first terminal device, a second terminal device and the apparatus, where the first terminal device communicates with the apparatus by using an H.323 protocol and the second terminal device communicates with the apparatus through the Session Initiation Protocol (SIP); the apparatus includes: a receiving unit, configured to receive a hash function list sent by the first terminal device, where the hash function list includes at least one hash function supported by the first terminal device; a processing unit, configured to perform a negotiation process with the second terminal device according to the hash function list, so as to determine at least one candidate hash function from the hash function list, where the candidate hash function belongs to the hash functions supported by the second terminal device; and a sending unit, configured to send the candidate hash function to the first terminal device, so that the first terminal device determines a target hash function from the candidate hash functions and determines fingerprint information corresponding to the target hash function; the receiving unit is further configured to receive the target hash function and the fingerprint
  • the sending unit is further configured to send a to-be-verified hash function to the second terminal device, where the to-be-verified hash function is any one of the hash functions in the hash function list;
  • the receiving unit is further configured to receive a verification message sent by the second terminal device, where the verification message is used to indicate whether the to-be-verified hash function belongs to the hash functions supported by the second terminal device;
  • the processing unit is specifically configured to determine, according to the verification message, that the to-be-verified hash function belongs to the hash functions supported by the second terminal device, and to determine the to-be-verified hash function as a candidate hash function.
  • the processing unit is specifically configured to determine that the to-be-verified hash function belongs to the hash functions supported by the second terminal device when the verification message carries the to-be-verified hash function, and to determine the to-be-verified hash function as a candidate hash function.
  • the receiving unit is further configured to receive a first port number sent by the first terminal device and a second port number sent by the second terminal device, where the first port number is the port number used by the first terminal device to establish a Stream Control Transmission Protocol (SCTP) connection on top of the DTLS protocol connection, and the second port number is the port number used by the second terminal device to establish the SCTP connection on top of the DTLS protocol connection; the sending unit is further configured to forward the first port number to the second terminal device and the second port number to the first terminal device, so that the first terminal device and the second terminal device establish the SCTP connection according to the first port number and the second port number and transmit data over the SCTP connection.
  • an apparatus for transmitting data, configured in a communication system including the apparatus, a second terminal device and a gateway device, where the apparatus communicates with the gateway device by using an H.323 protocol,
  • and the second terminal device communicates with the gateway device through the Session Initiation Protocol (SIP);
  • the apparatus includes: a sending unit, configured to send a hash function list to the gateway device, where the hash function list includes at least one hash function supported by the apparatus, so that the gateway device performs a negotiation process with the second terminal device according to the hash function list to determine at least one candidate hash function from the hash function list, where the candidate hash function belongs to the hash functions supported by the second terminal device; a receiving unit, configured to receive the candidate hash function sent by the gateway device; and a processing unit, configured to determine a target hash function from the candidate hash functions and to determine fingerprint information corresponding to the target hash function;
  • the sending unit is further configured to send the target hash function and the fingerprint information to the gateway device, so that the gateway device forwards the target hash function and the fingerprint information to the second terminal device;
  • the processing unit is further configured to perform authentication processing with the second terminal device according to the target hash function and the fingerprint information, so as to establish a Datagram Transport Layer Security (DTLS) protocol connection and transmit data over the DTLS protocol connection.
  • the sending unit is further configured to send a first port number to the gateway device, so that the gateway device forwards the first port number to the second terminal device, where the first port number is the port number used by the apparatus to establish a Stream Control Transmission Protocol (SCTP) connection on top of the DTLS protocol connection;
  • the receiving unit is further configured to receive a second port number sent by the gateway device, where the second port number was sent by the second terminal device to the gateway device and is the port number used by the second terminal device to establish the SCTP connection on top of the DTLS protocol connection;
  • the processing unit is further configured to establish an SCTP connection with the second terminal device according to the first port number and the second port number, so as to transmit data over the SCTP connection.
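  • The gateway-mediated negotiation described in the bullets above (hash function list from the H.323 terminal, a to-be-verified hash function and a verification message towards the SIP terminal, the candidate list back to the H.323 terminal, the target choice, and the relay of the SCTP port numbers), written out as an added Python example. This is not code from the patent or from Huawei: the class names, the dict-shaped messages, the hash-function identifiers and the port numbers are assumptions of the example, and the H.323 and SIP message encodings are not modelled. The gateway accepts a candidate only when the verification message echoes exactly the function it asked about, and it refuses to relay a port number outside the valid SCTP range.

```python
# Valid SCTP port numbers; port 0 is reserved and must not be signalled.
PORT_MIN, PORT_MAX = 1, 65535


class SipTerminal:
    """SIP side of the gateway (constructed stand-in). It never sees the H.323
    terminal's list; it only answers one probe at a time."""

    def __init__(self, supported, sctp_port):
        self.supported = frozenset(supported)
        self.sctp_port = sctp_port

    def verify(self, to_be_verified):
        """Verification message: carries the probed function only if this terminal
        supports it (the rule in the text); otherwise it carries nothing."""
        return {"verified": to_be_verified if to_be_verified in self.supported else None}


class H323Terminal:
    """H.323 side of the gateway (constructed stand-in)."""

    def __init__(self, supported, sctp_port):
        self.supported = list(supported)   # preference order, most preferred first
        self.sctp_port = sctp_port

    def hash_function_list(self):
        return list(self.supported)

    def choose_target(self, candidates):
        """Pick the most preferred candidate; the gateway has already reduced the
        list to functions the SIP side supports."""
        for h in self.supported:
            if h in candidates:
                return h
        raise ValueError("no candidate hash function is supported locally")


class Gateway:
    def __init__(self, h323, sip):
        self.h323, self.sip = h323, sip

    def negotiate_candidates(self, hash_list):
        """Probe the SIP terminal with each function in turn and keep only those
        whose verification message echoes the same function."""
        candidates = []
        for h in hash_list:
            reply = self.sip.verify(h)
            # Accept only an echo of what was asked. A reply naming some other
            # function would let the SIP side slip in a function the H.323
            # terminal never offered, so it is ignored.
            if reply.get("verified") == h:
                candidates.append(h)
        return candidates

    def relay_ports(self):
        """Forward each side's SCTP port number to the other, refusing invalid values."""
        for owner, port in (("h323", self.h323.sctp_port), ("sip", self.sip.sctp_port)):
            if not (isinstance(port, int) and PORT_MIN <= port <= PORT_MAX):
                raise ValueError(f"{owner}: invalid SCTP port number {port!r}")
        return {"to_sip": self.h323.sctp_port, "to_h323": self.sip.sctp_port}


def run_gateway_flow(h323, sip):
    """Whole flow: list -> candidates -> target chosen on the H.323 side -> port relay."""
    gw = Gateway(h323, sip)
    candidates = gw.negotiate_candidates(h323.hash_function_list())
    target = h323.choose_target(candidates)
    return {"candidates": candidates, "target": target, "ports": gw.relay_ports()}


if __name__ == "__main__":
    # Constructed sample: the H.323 terminal prefers sha-256, which the SIP side lacks.
    h323 = H323Terminal(["sha-256", "sha-384", "sha-1"], sctp_port=5000)
    sip = SipTerminal({"sha-384", "sha-1"}, sctp_port=5001)
    print(run_gateway_flow(h323, sip))
```

  With the constructed sample the candidates come back in the order the H.323 terminal listed them, minus the function the SIP side did not verify, and the H.323 terminal then picks its most preferred surviving function. The fingerprint computation and the DTLS-side check that follow the target choice are the same as in the two-terminal case and are not repeated here.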
  • a system for transmitting data, including a first terminal device, a second terminal device and a gateway device, where the first terminal device communicates with the gateway device by using an H.323 protocol and the second terminal device communicates with the gateway device through the Session Initiation Protocol (SIP); the gateway device is configured to receive at least one first hash function sent by the second terminal device, where the first hash function belongs to the hash functions supported by the second terminal device, to send to the first terminal device a first hash function list in which the first hash function is recorded, and to receive a target first hash function and first fingerprint information sent by the first terminal device,
  • where the target first hash function is determined by the first terminal device from the first hash function list and belongs to the hash functions supported by the first terminal device, the first fingerprint information is fingerprint information corresponding to the target first hash function, and the target first hash function and the first fingerprint information are used for authenticating the first terminal device, and are used for a second hash function list sent by
  • the target second hash function is determined by the second terminal device from part or all of the second hash functions sent by the gateway device, and the target second hash function belongs to the hash functions supported by the second terminal device;
  • the second fingerprint information is fingerprint information corresponding to the target second hash function;
  • the target second hash function and the second fingerprint information are used to authenticate the second terminal device;
  • authentication processing is performed with the second terminal device according to the target first hash function, the first fingerprint information, the target second hash function and the second fingerprint information, so as to establish a Datagram Transport Layer Security (DTLS) protocol connection and transmit data to and from the second terminal device over the DTLS protocol connection.
  • a system for transmitting data includes: a first terminal device, a second terminal device and a gateway device, where the first terminal device communicates with the gateway device by using an H.323 protocol and the second terminal device communicates with the gateway device through the Session Initiation Protocol (SIP); the gateway device is configured to receive a hash function list sent by the first terminal device, where the hash function list includes at least one hash function supported by the first terminal device, to perform a negotiation process with the second terminal device according to the hash function list so as to determine at least one candidate hash function from the hash function list, where the candidate hash function belongs to the hash functions supported by the second terminal device, to send the candidate hash function to the first terminal device, so that the first terminal device determines a target hash function from the candidate hash functions and determines fingerprint information corresponding to the target hash function, to receive the target hash function and the fingerprint information sent by the first terminal device, and to send the target hash function and the fingerprint
  • the method, apparatus and system for transmitting data of the embodiments enable a first terminal device to negotiate a hash function and fingerprint information with a second terminal device based on the H.323 protocol, so that the first terminal device and the second terminal device can perform authentication processing based on the hash function and the fingerprint information and establish a DTLS protocol connection, and can then transmit data over that DTLS protocol connection. The security authentication mechanism of the DTLS protocol is thereby used to improve the security of the transmitted data, and the DTLS protocol becomes applicable to terminal devices that use the H.323 protocol, which improves the reliability and practicability of the terminal devices and the user experience.
  • FIG. 1 is a schematic flowchart of a method of transmitting data according to an embodiment of the present invention.
  • FIG. 2 is a schematic flow chart of a method of transmitting data according to another embodiment of the present invention.
  • FIG. 3 is a schematic flowchart of a method of transmitting data according to still another embodiment of the present invention.
  • FIG. 4 is a schematic flow chart of a method of transmitting data according to still another embodiment of the present invention.
  • FIG. 5 is a schematic flowchart of a method of transmitting data according to still another embodiment of the present invention.
  • FIG. 6 is a schematic flowchart of a method of transmitting data according to still another embodiment of the present invention.
  • FIG. 7 is a schematic flowchart of a method of transmitting data according to still another embodiment of the present invention.
  • FIG. 8 is a schematic block diagram of an apparatus for transmitting data according to an embodiment of the present invention.
  • FIG. 9 is a schematic block diagram of an apparatus for transmitting data according to another embodiment of the present invention.
  • FIG. 10 is a schematic block diagram of an apparatus for transmitting data according to still another embodiment of the present invention.
  • FIG. 11 is a schematic block diagram of an apparatus for transmitting data according to still another embodiment of the present invention.
  • FIG. 12 is a schematic block diagram of an apparatus for transmitting data according to still another embodiment of the present invention.
  • FIG. 13 is a schematic block diagram of an apparatus for transmitting data according to still another embodiment of the present invention.
  • FIG. 14 is a schematic block diagram of an apparatus for transmitting data according to still another embodiment of the present invention.
  • FIG. 15 is a schematic block diagram of an apparatus for transmitting data according to an embodiment of the present invention.
  • FIG. 16 is a schematic block diagram of an apparatus for transmitting data according to another embodiment of the present invention.
  • FIG. 17 is a schematic block diagram of an apparatus for transmitting data according to still another embodiment of the present invention.
  • FIG. 18 is a schematic block diagram of an apparatus for transmitting data according to still another embodiment of the present invention.
  • FIG. 19 is a schematic block diagram of an apparatus for transmitting data according to still another embodiment of the present invention.
  • FIG. 20 is a schematic block diagram of an apparatus for transmitting data according to still another embodiment of the present invention.
  • FIG. 21 is a schematic block diagram of an apparatus for transmitting data according to still another embodiment of the present invention.
  • FIG. 22 is a schematic architectural diagram of a system for transmitting data according to still another embodiment of the present invention.
  • FIG. 23 is a schematic architectural diagram of an apparatus for transmitting data according to still another embodiment of the present invention.
  • the technical solution of the present invention can be applied to various communication systems that implement media communication, such as a video conference system.
  • the terminal device in the communication system may be configured with a video codec module, an audio codec module, a signaling module, a control module, a configuration module and other functional modules; its main functions are to receive and initiate calls with a remote conference terminal, to encode the video and audio streams collected by the local camera and microphone and send them to the remote end, and at the same time to decode the video and audio streams from the remote end and output them to the local display and speaker. In this way two or more terminal devices, with the support of the above hardware, can perform video communication based on the various standard protocols provided by the communication system.
  • the terminal device may be a user equipment (UE), such as a smart mobile terminal or a computer, which exchanges voice and/or data via the Internet or a data transmission cable, and may also be a network side device, such as a multipoint control unit (MCU) or a selective forwarding unit (SFU).
  • both terminal devices may be devices that establish a session connection using the H.323 protocol (case 1), or one terminal device may be a device that establishes a session connection using the H.323 protocol while the other
  • is a device that establishes a session connection using SIP (case 2).
  • two devices that establish a session connection by using the H.323 protocol may negotiate the hash function and fingerprint information used for security authentication in the following mode A or mode B, in order to establish a DTLS connection.
  • the DTLS connection may be based on a User Datagram Protocol (UDP) or may be based on a Transmission Control Protocol (TCP).
  • FIG. 1 shows a schematic flow diagram of a method 100 of transmitting data in accordance with an embodiment of the present invention.
  • the first terminal device communicates with the second terminal device by using the H.323 protocol.
  • the method 100 includes:
  • the first terminal device receives, according to the H.323 protocol, a first hash function list sent by the second terminal device, where the first hash function list includes at least one hash function supported by the second terminal device; determines a first hash function from the first hash function list and first fingerprint information corresponding to the first hash function; and sends the first hash function and the first fingerprint information to the second terminal device, where the first hash function belongs to the hash functions supported by the first terminal device, and the first hash function and the first fingerprint information are used to authenticate the first terminal device;
  • the first terminal device sends, according to the H.323 protocol, a second hash function list to the second terminal device, where the second hash function list includes at least one hash function supported by the first terminal device, and receives a second hash function and second fingerprint information sent by the second terminal device, where the second hash function is determined by the second terminal device from the second hash function list and belongs to the hash functions supported by the second terminal device, the second fingerprint information is fingerprint information corresponding to the second hash function, and the second hash function and the second fingerprint information are used to authenticate the second terminal device;
  • the first terminal device performs authentication processing with the second terminal device according to the first hash function, the first fingerprint information, the second hash function and the second fingerprint information, so as to establish a Datagram Transport Layer Security (DTLS) protocol connection and transmit data to and from the second terminal device over the DTLS protocol connection.
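  • The exchange of method 100 written out as an added Python example, together with the role rule stated in the ninth-aspect bullets above (a side whose role includes "active" selects the target hash function when the peer's role includes "passive"). This is not code from the patent or from Huawei. Each terminal advertises the hash functions it supports, picks from the peer's list the function it prefers among those it supports, fingerprints its own certificate with that function and sends the pair to the peer; after the DTLS handshake each side checks that the certificate the peer actually presented hashes to the fingerprint received over H.323, which is what binds the signalling exchange to the DTLS connection. The hash-function identifiers, the `Terminal` class and the byte strings standing in for DER certificates are assumptions of the example; the fingerprint format follows the colon-separated hex of RFC 4572, which the patent does not prescribe, and the H.323 message encoding is not modelled.

```python
import hashlib
import hmac

# hashlib algorithm names keyed by the identifier this example puts on the wire.
# The patent fixes no encoding for hash-function names; these identifiers are
# an assumption of the example.
HASH_ALGORITHMS = {"sha-1": "sha1", "sha-256": "sha256",
                   "sha-384": "sha384", "sha-512": "sha512"}

# Constructed stand-ins for the DER-encoded DTLS certificates of the two
# terminals (not real certificates; any byte string works for the digest).
CERT_ALPHA = b"\x30\x82constructed DER stand-in: terminal alpha certificate"
CERT_BETA = b"\x30\x82constructed DER stand-in: terminal beta certificate"


def fingerprint(hash_name, cert_der):
    """Digest of the DER certificate as upper-case hex bytes joined by ':' (RFC 4572 style)."""
    digest = hashlib.new(HASH_ALGORITHMS[hash_name], cert_der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def may_select(own_roles, peer_roles):
    """Role rule from the text: a side whose role includes "active" selects the
    target hash function when the peer's role includes "passive"."""
    return "active" in own_roles and "passive" in peer_roles


class Terminal:
    """One H.323 terminal taking part in the mode A exchange."""

    def __init__(self, name, supported, cert_der, roles):
        self.name = name
        self.supported = list(supported)     # preference order, most preferred first
        self.cert_der = cert_der
        self.roles = frozenset(roles)
        self.target = self.own_fingerprint = None
        self.peer_target = self.peer_fingerprint = None

    def hash_function_list(self):
        """The hash function list this terminal puts in its Terminal Capability Set."""
        return list(self.supported)

    def select_target(self, peer_list):
        """Choose, from the peer's list, the function we prefer most among those we
        support, and fingerprint our own certificate with it."""
        for h in self.supported:
            if h in peer_list:
                self.target = h
                self.own_fingerprint = fingerprint(h, self.cert_der)
                return self.target, self.own_fingerprint
        raise ValueError(f"{self.name}: no hash function in common with the peer")

    def receive_peer_choice(self, target, fp):
        """Peer announces (target function, fingerprint). The function must be one we
        advertised, otherwise the peer is not choosing from our list."""
        if target not in self.supported:
            raise ValueError(f"{self.name}: peer chose {target!r}, which we never advertised")
        self.peer_target, self.peer_fingerprint = target, fp

    def verify_peer_certificate(self, presented_der):
        """Check made after the DTLS handshake: the certificate the peer presented must
        hash, under the peer's target function, to the fingerprint signalled over H.323."""
        actual = fingerprint(self.peer_target, presented_der)
        return hmac.compare_digest(actual, self.peer_fingerprint)


def negotiate(alpha, beta):
    """Mode A: both lists are exchanged and each side selects from the other's list.
    Returns the two target functions; they need not be the same."""
    list_alpha = alpha.hash_function_list()   # the second hash function list in the text
    list_beta = beta.hash_function_list()     # the first hash function list in the text
    target_a, fp_a = alpha.select_target(list_beta)
    target_b, fp_b = beta.select_target(list_alpha)
    beta.receive_peer_choice(target_a, fp_a)
    alpha.receive_peer_choice(target_b, fp_b)
    return {"alpha_target": target_a, "beta_target": target_b}


if __name__ == "__main__":
    # Constructed sample: the two terminals rank the common functions differently.
    a = Terminal("alpha", ["sha-256", "sha-384", "sha-1"], CERT_ALPHA, ["active", "passive"])
    b = Terminal("beta", ["sha-384", "sha-256"], CERT_BETA, ["passive"])
    print(negotiate(a, b))
    print("alpha accepts beta's certificate:", a.verify_peer_certificate(CERT_BETA))
    print("alpha accepts a substituted certificate:", a.verify_peer_certificate(CERT_BETA + b"!"))
```

  Because each side selects from the other's list independently, the two target functions can differ, as they do in the constructed sample; what matters is that each fingerprint is checked with the function its owner announced. The comparison uses `hmac.compare_digest` so that the check does not leak how many leading bytes of the fingerprint matched.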
  • the first terminal device (hereinafter, for convenience of understanding and distinction, recorded as: terminal device # ⁇ ) and the second terminal device (hereinafter, in order to facilitate understanding and distinction, note: terminal The device # ⁇ ) may be configured in a communication system using the H.323 protocol (specifically, establishing a session connection using the H.323 protocol), whereby the terminal device # ⁇ and the terminal device # ⁇ can be based on the H.323
  • the protocol communicates, for example, signaling.
  • terminal device # ⁇ may record the hash functions it supports in hash function list # ⁇ (i.e., an example of the first hash function list), encapsulate hash function list # ⁇ according to the H.323 protocol into a message provided by the communication system that can be transmitted between terminal device # ⁇ and terminal device # ⁇, and transmit the message to terminal device # ⁇.
  • terminal device # ⁇ can record the hash functions it supports in hash function list # ⁇ (i.e., an example of the second hash function list), encapsulate hash function list # ⁇ according to the H.323 protocol into a message provided by the communication system that can be transmitted between terminal device # ⁇ and terminal device # ⁇, and transmit the message to terminal device # ⁇.
  • the first hash function list is carried by a Terminal Capability Set message sent by the first terminal device to the second terminal device, and the second hash function list is carried by a Terminal Capability Set message sent by the second terminal device to the first terminal device.
  • hash function list # ⁇ and hash function list # ⁇ can be carried by the message provided in the existing protocol, which improves the versatility and practicability of the present invention.
  • the terminal capability set message enumerated above is only an exemplary description of the message carrying hash function list # ⁇ and hash function list # ⁇, and the present invention is not limited thereto; other messages that can be transmitted between terminal device # ⁇ and terminal device # ⁇, that is, messages that terminal device # ⁇ and terminal device # ⁇ can send and receive based on the H.323 protocol, all fall within the protection scope of the present invention.
  • the hash functions recorded by terminal device # ⁇ in hash function list # ⁇ may be all the hash functions supported by terminal device # ⁇, or may be some of the hash functions supported by terminal device # ⁇; this is not particularly limited in the present invention.
  • for example, the number of hash functions recorded in the hash function list may be changed arbitrarily according to a system (or standard) specification or the capacity of the message carrying the hash function list (or the amount of information that the message can carry).
  • the hash functions recorded by terminal device # ⁇ in hash function list # ⁇ may be all the hash functions supported by terminal device # ⁇, or may be some of the hash functions supported by terminal device # ⁇; this is not particularly limited in the present invention.
  • for example, the number of hash functions recorded in the hash function list may be changed arbitrarily according to a system (or standard) specification or the capacity of the message carrying the hash function list (or the amount of information that the message can carry).
  • the terminal device # ⁇ can receive the above-described message carrying the hash function list # ⁇ , and decapsulate the message based on the H.323 protocol to acquire the hash function list # ⁇ .
  • the terminal device # ⁇ can receive the above message carrying the hash function list # ⁇ , and decapsulate the message based on the H.323 protocol to acquire the hash function list # ⁇ .
  • terminal device # ⁇ may compare the hash functions in hash function list # ⁇ with the hash functions it supports itself, thereby determining a hash function in hash function list # ⁇ that terminal device # ⁇ can also support, and use it as hash function # ⁇ (i.e., the first hash function) for the authentication of terminal device # ⁇ by terminal device # ⁇.
  • by way of example and not limitation, terminal device # ⁇ may perform the above comparison in a prescribed order (e.g., starting from the first hash function in hash function list # ⁇); when it determines that a hash function in hash function list # ⁇ is one that terminal device # ⁇ can support, it uses that hash function as hash function # ⁇ and ends the comparison.
  • alternatively, terminal device # ⁇ may first determine all the hash functions in hash function list # ⁇ that terminal device # ⁇ supports, and then select any one of them as hash function # ⁇.
  • terminal device # ⁇ may then determine the fingerprint information corresponding to hash function # ⁇ (i.e., the first fingerprint information, hereinafter, for the sake of distinction, recorded as fingerprint information # ⁇); this process can be similar to the process of determining the fingerprint information corresponding to a hash function in the prior art, and a detailed description is omitted here to avoid redundancy.
  • similarly, terminal device # ⁇ can compare the hash functions in hash function list # ⁇ with the hash functions it supports itself, to determine a hash function in hash function list # ⁇ that terminal device # ⁇ can support, as hash function # ⁇ (i.e., the second hash function) used for the authentication of terminal device # ⁇ by terminal device # ⁇.
  • terminal device # ⁇ can then determine the fingerprint information corresponding to hash function # ⁇ (i.e., the second fingerprint information, hereinafter, for convenience of distinction, recorded as fingerprint information # ⁇).
  • terminal device # ⁇ can encapsulate the hash function # ⁇ and fingerprint information # ⁇ it determined into a message that the communication system can transmit between terminal device # ⁇ and terminal device # ⁇ according to the H.323 protocol, and transmit the message to terminal device # ⁇.
  • terminal device # ⁇ can encapsulate the hash function # ⁇ and fingerprint information # ⁇ it determined into a message that the communication system can transmit between terminal device # ⁇ and terminal device # ⁇ according to the H.323 protocol, and transmit the message to terminal device # ⁇.
  • the first hash function and the first fingerprint information are carried in an Open Logical Channel message, and the second hash function and the second fingerprint information are carried in an Open Logical Channel Ack message; or
  • the second hash function and the second fingerprint information are carried in an Open Logical Channel message, and the first hash function and the first fingerprint information are carried in an Open Logical Channel Ack message.
  • the target hash function and the fingerprint information can be carried by the message provided in the existing protocol, which improves the versatility and practicability of the present invention.
  • the open logical channel message and open logical channel acknowledgement message are merely exemplary descriptions, and the present invention is not limited thereto; other messages that can be transmitted between terminal device # ⁇ and terminal device # ⁇, that is, messages that terminal device # ⁇ and terminal device # ⁇ can send and receive based on the H.323 protocol, all fall within the protection scope of the present invention.
  • thus both terminal device # ⁇ and terminal device # ⁇ know the target hash functions and the fingerprint information, and terminal device # ⁇ and terminal device # ⁇ can perform secure authentication processing according to hash function # ⁇, fingerprint information # ⁇, hash function # ⁇, and fingerprint information # ⁇ determined as described above; the secure authentication processing can be performed in the DTLS handshake phase.
  • for example, terminal device # ⁇ can generate verification information # ⁇ 1 according to hash function # ⁇ and fingerprint information # ⁇ (for example, terminal device # ⁇ can generate a code according to hash function # ⁇ and fingerprint information # ⁇), and send the verification information to terminal device # ⁇ through DTLS signaling.
  • terminal device # ⁇ generates verification information # ⁇ 2 based on hash function # ⁇ and fingerprint information # ⁇ (for example, terminal device # ⁇ can generate a code based on hash function # ⁇ and fingerprint information # ⁇).
  • when terminal device # ⁇ determines that verification information # ⁇ 1 transmitted by terminal device # ⁇ through DTLS matches verification information # ⁇ 2 generated by terminal device # ⁇ itself, terminal device # ⁇ can determine that terminal device # ⁇ passes the security verification, and can establish a DTLS connection with terminal device # ⁇.
  • likewise, terminal device # ⁇ can generate verification information # ⁇ 1 according to hash function # ⁇ and fingerprint information # ⁇ (for example, terminal device # ⁇ can apply hash function # ⁇ to fingerprint information # ⁇ to generate a code), and send the verification information to terminal device # ⁇.
  • terminal device # ⁇ generates verification information # ⁇ 2 based on hash function # ⁇ and fingerprint information # ⁇ (for example, terminal device # ⁇ can apply hash function # ⁇ to fingerprint information # ⁇ to generate a code).
  • when terminal device # ⁇ determines that verification information # ⁇ 1 transmitted by terminal device # ⁇ matches verification information # ⁇ 2 generated by terminal device # ⁇ itself, terminal device # ⁇ can determine that terminal device # ⁇ passes the security verification, and can establish a DTLS connection with terminal device # ⁇.
  • before the first terminal device performs authentication processing with the second terminal device according to the first hash function, the first fingerprint information, the second hash function, and the second fingerprint information, the method further includes:
  • the first terminal device receives, according to the H.323 protocol, second role indication information sent by the second terminal device, where the second role indication information is used to indicate a role supported by the second terminal device, and the role is at least one of "active" and "passive";
  • the first terminal device performing authentication processing with the second terminal device according to the first hash function, the first fingerprint information, the second hash function, and the second fingerprint information includes:
  • the first terminal device performs authentication processing with the second terminal device according to the first hash function, the first fingerprint information, the second hash function, the second fingerprint information, the role supported by the first terminal device, and the role supported by the second terminal device.
  • the system can provide three roles, namely "active", "passive", and "active/passive" (hereinafter, for ease of understanding and explanation, simply referred to as "all").
  • terminal device # ⁇ and terminal device # ⁇ can notify each other of their roles, and thereby determine the initiator of the above DTLS handshake based on the roles.
  • accordingly, either terminal device # ⁇ or terminal device # ⁇ can act as the initiator of the above DTLS handshake, depending on the roles that the two devices indicate.
  • the second role indication information is carried in the same message as the first hash function list, and the first role indication information and the second hash function list are carried in the same message.
  • terminal device # ⁇ may send hash function list # ⁇ and the second role indication information to terminal device # ⁇ at the same time, and terminal device # ⁇ may send hash function list # ⁇ and the first role indication information to terminal device # ⁇ at the same time, thereby reducing the information interaction process; the number of messages exchanged between terminal device # ⁇ and terminal device # ⁇ can be reduced, which improves processing efficiency.
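The selection of a hash function from the peer's list, the fingerprint of a terminal's own certificate, the check performed during the DTLS handshake and the role-based choice of the handshake initiator described above, as an added Python example; this is not code from the patent or from the applicant. The message dicts, the RFC 4572 fingerprint format, the byte strings standing in for DER certificates, the hashlib names and the tie-break for two "all" (actpass) roles are assumptions made for the example.

```python
"""Hash-function negotiation, certificate fingerprints and the DTLS-time
fingerprint check, modelled on the exchange described above (added example).
Constructed for illustration: the 'certificates' are arbitrary bytes standing
in for DER-encoded X.509 certificates, and the messages are dicts rather than
H.245 TerminalCapabilitySet (TCS) / OpenLogicalChannel (OLC) PDUs."""
import hashlib
import hmac


def select_hash(peer_list, own_supported):
    """Mode 1 of the text: walk the peer's list in its prescribed order and
    return the first hash function this terminal supports as well."""
    for name in peer_list:
        if name in own_supported:
            return name
    raise ValueError("no common hash function; DTLS setup cannot proceed")


def fingerprint(cert_der, hash_name):
    """RFC 4572-style fingerprint (assumed; the text leaves the format to prior
    art): digest of the DER certificate as colon-separated upper-case hex."""
    digest = hashlib.new(hash_name, cert_der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def verify_peer_cert(cert_from_handshake, signalled_hash, signalled_fp):
    """Run when the peer's Certificate arrives in the DTLS handshake: hashing it
    with the signalled function must reproduce the fingerprint received over
    H.323 signalling.  Constant-time comparison."""
    expected = fingerprint(cert_from_handshake, signalled_hash)
    return hmac.compare_digest(expected, signalled_fp)


def dtls_initiator(caller_role, callee_role):
    """Which side sends the DTLS ClientHello, from the role indications
    'active', 'passive' or 'actpass' (the text's 'all').  Returns 'caller' or
    'callee'.  The actpass/actpass tie-break (callee goes active) is an
    assumption, not taken from the page."""
    roles = {"active", "passive", "actpass"}
    if caller_role not in roles or callee_role not in roles:
        raise ValueError("unknown role indication")
    if caller_role == "active" and callee_role != "active":
        return "caller"
    if callee_role == "active" and caller_role != "active":
        return "callee"
    if caller_role == "actpass" and callee_role == "actpass":
        return "callee"
    if caller_role == "actpass":            # callee is passive here
        return "caller"
    if callee_role == "actpass":            # caller is passive here
        return "callee"
    raise ValueError(f"roles {caller_role}/{callee_role} give no initiator")


class Terminal:
    """One H.323 endpoint taking part in the negotiation."""

    def __init__(self, supported_hashes, cert_der, role):
        self.supported = list(supported_hashes)   # hashlib names, by preference
        self.cert = cert_der
        self.role = role
        self.chosen_hash = self.own_fp = None     # what we signal to the peer
        self.peer_hash = self.peer_fp = None      # what the peer signalled

    def tcs(self):
        """TCS-like message: hash list and role indication in one message."""
        return {"hashes": list(self.supported), "role": self.role}

    def on_tcs(self, msg):
        """Pick a hash from the peer's list, fingerprint our own certificate
        with it, and return the OLC-like message carrying both."""
        self.chosen_hash = select_hash(msg["hashes"], set(self.supported))
        self.own_fp = fingerprint(self.cert, self.chosen_hash)
        return {"hash": self.chosen_hash, "fingerprint": self.own_fp}

    def on_olc(self, msg):
        self.peer_hash, self.peer_fp = msg["hash"], msg["fingerprint"]

    def on_dtls_certificate(self, cert_der):
        """True only if the certificate the peer actually presents in the DTLS
        handshake matches the fingerprint it signalled."""
        return verify_peer_cert(cert_der, self.peer_hash, self.peer_fp)


def negotiate(caller, callee):
    """Run the signalling exchange; return which side starts DTLS."""
    callee.on_olc(caller.on_tcs(callee.tcs()))   # callee TCS -> caller OLC
    caller.on_olc(callee.on_tcs(caller.tcs()))   # caller TCS -> callee OLC Ack
    return dtls_initiator(caller.role, callee.role)


if __name__ == "__main__":
    cert_a = b"-- constructed stand-in for terminal A's DER certificate --"
    cert_b = b"-- constructed stand-in for terminal B's DER certificate --"
    a = Terminal(["sha256", "sha384"], cert_a, "actpass")
    b = Terminal(["sha384", "sha256"], cert_b, "passive")
    print("initiator:", negotiate(a, b), a.chosen_hash, b.chosen_hash)
    print(a.on_dtls_certificate(cert_b), b.on_dtls_certificate(cert_a))
    print(a.on_dtls_certificate(b"-- attacker certificate --"))   # False
```

The check in `on_dtls_certificate` is what binds the H.323 signalling to the DTLS connection: a bare DTLS handshake only proves that the peer holds the key for whatever certificate it presents, so an intermediary with its own certificate would complete the handshake but fails the fingerprint comparison. Because the binding is only as strong as the hash, lists should not offer functions without collision resistance, and a terminal should refuse to select one even when the peer lists it first.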
  • the terminal device # ⁇ and the terminal device # ⁇ can establish a DTLS protocol connection.
  • the method and the process for establishing the DTLS protocol connection between the terminal device # ⁇ and the terminal device # ⁇ may be similar to the prior art, and a detailed description thereof is omitted herein to avoid redundancy.
  • terminal device # ⁇ and terminal device # ⁇ can transmit the data related to the video conference through the DTLS protocol connection.
  • terminal device # ⁇ and terminal device # ⁇ can perform the authentication exchange according to the procedure specified in RFC 6347, and after the authentication succeeds, open the logical channel to perform data transmission.
  • on top of the DTLS protocol connection, terminal device # ⁇ and terminal device # ⁇ can establish a further transport protocol connection, for example, a Stream Control Transmission Protocol (SCTP) connection, and transmit data through the SCTP connection.
  • SCTP is only an exemplary description of the transport layer protocol, and the present invention is not limited thereto, and various other transport layer protocols for transmitting data are all within the scope of the present invention.
  • in the following, the process of establishing an SCTP connection over the DTLS protocol connection is described as an example.
  • the method further includes:
  • the first terminal device sends a first port number to the second terminal device, where the first port number is used by the first terminal device to establish a Stream Control Transmission Protocol (SCTP) connection on the DTLS protocol connection, and receives a second port number sent by the second terminal device;
  • the first terminal device establishes an SCTP connection with the second terminal device according to the first port number and the second port number, so as to transmit data to and from the second terminal device through the SCTP connection on the DTLS protocol connection.
  • terminal device # ⁇ can determine the port numbers that can be used on the DTLS protocol connection, select from them a port number for establishing an SCTP connection with terminal device # ⁇ (hereinafter, for ease of understanding and distinction, recorded as port number # ⁇), and transmit port number # ⁇ to terminal device # ⁇ according to the H.323 protocol.
  • terminal device # ⁇ can determine the port numbers that can be used on the DTLS protocol connection, select from them a port number for establishing an SCTP connection with terminal device # ⁇ (hereinafter, for ease of understanding and distinction, recorded as port number # ⁇), and transmit port number # ⁇ to terminal device # ⁇ according to the H.323 protocol.
  • the first port number is carried in a terminal capability set message or a logical channel message
  • the second port number is carried in a terminal capability set message or a logical channel message.
  • since terminal device # ⁇ and terminal device # ⁇ have already confirmed that a DTLS protocol connection is to be established, they can transmit the port number selected for establishing the SCTP connection to the other party before the DTLS protocol connection is established.
  • the terminal device # ⁇ can transmit the selected port number (ie, port number # ⁇ ) to the terminal device # ⁇ through the above Open Logical Channel message.
  • the terminal device # ⁇ can transmit its selected port number (ie, port number # ⁇ ) to the terminal device # ⁇ through the above Open Logical Channel message.
  • terminal device # ⁇ and the terminal device # ⁇ may also transmit the port number selected for establishing the SCTP connection to the other party through the terminal capability set message.
  • the terminal device # ⁇ may transmit the selected port number (ie, port number # ⁇ ) to the terminal device # ⁇ through the above-mentioned Terminal Capability Set message or by updating the Terminal Capability Set message.
  • the terminal device # ⁇ may transmit its selected port number (ie, port number # ⁇ ) to the terminal device # ⁇ through the above-described Terminal Capability Set message or by updating the Terminal Capability Set message.
  • the first port number, the first hash function, and the first fingerprint information are carried in the same message, and the second port number, the second hash function, and the second fingerprint information are carried in the same message.
  • the first port number and the second hash function list are carried in the same type of message, and the second port number is carried in the same message as the first hash function list.
  • thus terminal device # ⁇ and terminal device # ⁇ know each other's port numbers, and can establish an SCTP connection according to the port numbers and transmit data; the method and process of establishing the SCTP connection according to the port numbers and transmitting data through the SCTP connection may be similar to the prior art, and a detailed description is omitted here to avoid redundancy.
  • the above describes the process in which the hash function is negotiated between terminal device # ⁇ and terminal device # ⁇ to establish a DTLS connection, but the present invention is not limited thereto; other parameters for establishing a DTLS connection may also be determined through a negotiation process between terminal device # ⁇ and terminal device # ⁇, similar to the negotiation process enumerated in the above method 100.
  • the hash function # ⁇ and the hash function # ⁇ determined as described above may be the same or different, and the present invention is not particularly limited.
  • according to the method for transmitting data of the embodiment of the present invention, the first terminal device and the second terminal device negotiate the hash function and the fingerprint information based on the H.323 protocol, and a DTLS protocol connection based on the hash function and the fingerprint information is established between the first terminal device and the second terminal device, so that the first terminal device and the second terminal device can transmit data through the DTLS protocol connection, thereby effectively using the security authentication mechanism of the DTLS protocol to improve the security of the transmitted data, and making the DTLS protocol applicable to terminal devices using the H.323 protocol, which improves the reliability and practicability of the terminal devices and the user experience.
  • FIG. 2 shows a schematic flow chart of a method 200 of transmitting data according to an embodiment of the present invention, as described from the perspective of a first terminal device (ie, a decision device described later).
  • the first terminal device and the second terminal device communicate through the H.323 protocol.
  • the method 200 includes:
  • the first terminal device receives, according to the H.323 protocol, a first hash function list sent by the second terminal device, where the first hash function list includes at least one hash function supported by the second terminal device;
  • the first terminal device determines a target hash function from the first hash function list, and determines fingerprint information corresponding to the target hash function, where the target hash function belongs to a hash function supported by the first terminal device;
  • the first terminal device sends the target hash function and the fingerprint information to the second terminal device according to the H.323 protocol.
  • the first terminal device establishes a Datagram Transport Layer Security (DTLS) protocol connection with the second terminal device according to the target hash function and the fingerprint information, to transmit data to and from the second terminal device through the DTLS protocol connection.
  • the first terminal device (hereinafter, for ease of understanding and distinction, recorded as terminal device #1) and the second terminal device (hereinafter recorded as terminal device #2) may be configured in a communication system using the H.323 protocol (specifically, a session connection is established using the H.323 protocol), whereby terminal device #1 and terminal device #2 can communicate based on the H.323 protocol, for example, exchange signaling.
  • terminal device #1 and terminal device #2 may determine a hash function and fingerprint information (also referred to as security parameters) through negotiation, so that a Datagram Transport Layer Security (DTLS) protocol connection may be established based on the hash function and the fingerprint information and data transmitted through the DTLS protocol connection, thereby effectively using the security authentication mechanism of the DTLS protocol (i.e., encryption and authentication based on the hash function and the fingerprint information) to improve the security of data transmission.
  • the process in which terminal device #1 negotiates with terminal device #2 to determine the hash function and the fingerprint information may be as follows: the terminal device that makes the decision (i.e., the decision device) determines, from the hash functions it supports, the target hash function finally used for the above encryption and authentication, sends the target hash function and the fingerprint information to the other device, and a DTLS connection establishment process (i.e., a DTLS handshake) is initiated based on the target hash function and its corresponding fingerprint information.
  • terminal device #2 can record the hash functions it supports in a hash function list (hereinafter, for ease of understanding and distinction, recorded as the first hash function list), encapsulate the first hash function list according to the H.323 protocol into a message provided by the communication system that can be transmitted between terminal device #1 and terminal device #2, and transmit the message to terminal device #1.
  • the first hash function list is carried in a terminal capability set message.
  • for example, a Terminal Capability Set message may be used, so that the first hash function list can be carried by a message provided in the existing protocol, which improves the versatility and practicability of the present invention.
  • the terminal capability set message enumerated above is only an exemplary description of the message carrying the first hash function list, and the present invention is not limited thereto; other messages that can be transmitted between terminal device #1 and terminal device #2 also fall within the protection scope of the present invention.
  • the hash functions recorded by terminal device #2 in the first hash function list may be all the hash functions supported by terminal device #2, or may be some of the hash functions supported by terminal device #2; this is not particularly limited in the present invention.
  • for example, the number of hash functions recorded in the hash function list may be changed arbitrarily according to a system (or standard) specification or the capacity of the message carrying the hash function list (or the amount of information that the message can carry).
  • the terminal device #1 can receive the message carrying the first hash function list and decapsulate the message based on the H.323 protocol to obtain the first hash function list.
  • before the first terminal device determines the target hash function from the first hash function list, the method further includes:
  • the first terminal device receives, according to the H.323 protocol, role indication information sent by the second terminal device, where the role indication information is used to indicate a role supported by the second terminal device, and the role is “active” and “passive”. At least one of them;
  • the first terminal device determining the target hash function from the first hash function list includes:
  • the first terminal device determines a target hash function from the first hash function list when determining that the role supported by the first terminal device includes “active" and the role supported by the second terminal device includes “passive”.
  • the system can provide three roles, namely, “active”, “passive”, and “all”.
  • the terminal device whose role is "active" can serve as the above decision device, and the terminal device whose role is "passive" or "all" can be confirmed as the terminal that, as the other participant of the video conference, needs to establish the DTLS connection described later with the decision device and transmit the data related to the video conference (for example, video data and audio data).
  • terminal device #2 sends information that can be used to indicate the role it supports (i.e., the role indication information) to terminal device #1. It should be noted that, since this specification is described using terminal device #1 as the decision terminal, the role of terminal device #2 needs to be "passive" or "all"; in other words, the role indicated by the role indication information needs to include "passive", that is, the role of terminal device #2 is "passive" or "all".
  • after terminal device #1 determines that it can support the "active" role (or can serve as the above decision device), and determines according to the above role indication information that terminal device #2 can support "passive" (or that the role of terminal device #2 is "passive" or "all"), at S220 it determines, from the first hash function list, a hash function that both terminal device #1 and terminal device #2 can support, as the target hash function used for establishing the DTLS connection described later.
  • the role indication information is carried in the same message as the first hash function list.
  • terminal device #2 may send the first hash function list and the role indication information to terminal device #1 in the same message, thereby reducing the information interaction process, that is, reducing the number of messages exchanged between terminal device #1 and terminal device #2 and improving processing efficiency.
  • the terminal device #1 can determine the manner of the target hash function by any of the following modes 1 and 2.
  • the first terminal device determines the target hash function from the first hash function list, including:
  • terminal device #1 may compare the hash functions in the first hash function list with the hash functions it supports itself, thereby determining a hash function in the first hash function list that terminal device #1 can also support, and use it as the target hash function.
  • by way of example and not limitation, terminal device #1 may perform the above comparison in a prescribed order (e.g., starting from the first hash function in the first hash function list); when it determines that a hash function in the first hash function list is one that terminal device #1 can support, it uses that hash function as the target hash function and ends the comparison.
  • alternatively, terminal device #1 may first determine all the hash functions in the first hash function list that terminal device #1 supports, and then select any one of them as the target hash function.
  • in mode 1, terminal device #2 can determine the first hash function list only according to the hash functions it supports itself, or the first hash function list can be configured in terminal device #2 in advance (for example, when leaving the factory), so that the processing load of terminal device #2 can be reduced and the performance requirement for terminal device #2 can be reduced.
  • before the first terminal device determines the target hash function from the first hash function list, the method further includes:
  • the first terminal device sends a second hash function list to the second terminal device according to the H.323 protocol, where the second hash function list includes at least one hash function supported by the first terminal device, so as to facilitate Determining, by the second terminal device, the first hash function list according to the second hash function list, wherein the hash function included in the first hash function list belongs to the second hash function list;
  • the first terminal device determining the target hash function from the first hash function list includes:
  • the first terminal device determines that any of the hash functions in the first hash function list is a target hash function.
  • terminal device #1 can record the hash functions it supports in a hash function list (hereinafter, for ease of understanding and distinction, recorded as the second hash function list), encapsulate the second hash function list according to the H.323 protocol into a message provided by the communication system that can be transmitted between terminal device #1 and terminal device #2, and transmit the message to terminal device #2.
  • the second hash function list is carried in a terminal capability set message.
  • for example, a Terminal Capability Set message may be used, so that the second hash function list can be carried by a message provided in the existing protocol, which improves the versatility and practicability of the present invention.
  • the terminal capability set message enumerated above is only an exemplary description of the message carrying the second hash function list, and the present invention is not limited thereto; other messages that can be transmitted between terminal device #1 and terminal device #2 also fall within the protection scope of the present invention.
  • the hash functions recorded by terminal device #1 in the second hash function list may be all the hash functions supported by terminal device #1, or may be some of the hash functions supported by terminal device #1; this is not particularly limited in the present invention. For example, the number of hash functions recorded in the hash function list may be changed arbitrarily according to a system (or standard) specification or the capacity of the message carrying the hash function list (or the amount of information that the message can carry).
  • the terminal device #2 can receive the above message carrying the second hash function list, and decapsulate the message based on the H.323 protocol to obtain the second hash function list.
  • terminal device #2 can compare the hash functions in the second hash function list with the hash functions it supports itself, thereby determining the hash functions in the second hash function list that terminal device #2 also supports, and record those hash functions in the first hash function list. By way of example and not limitation, terminal device #2 may perform the above comparison in a prescribed order (e.g., starting from the first hash function in the second hash function list); when it determines that a hash function in the second hash function list is one that terminal device #2 can support, it records that hash function in the first hash function list. In this case, terminal device #2 can adjust the number of comparison passes according to the number of hash functions that the first hash function list needs to record.
  • thus the hash functions recorded in the first hash function list received by terminal device #1 in S210 are hash functions that both terminal device #1 and terminal device #2 can support, and therefore, at S220, terminal device #1 may select any one of them as the target hash function.
  • the terminal device #1 can confirm the target hash function by performing a simple selection action, and the second hash function list can be configured in advance at the terminal (for example, at the time of shipment), so the processing load of terminal device #1 can be reduced and the performance requirement for terminal device #1 can be lowered.
  • the terminal device #1 may determine the fingerprint information corresponding to the target hash function; this process is similar to the process of determining the fingerprint information corresponding to a hash function in the prior art, and its detailed description is omitted here to avoid redundancy.
  • the terminal device #1 may encapsulate the target hash function and the fingerprint information into a message that can be transmitted between terminal device #1 and terminal device #2 according to the H.323 protocol, and transmit the message to terminal device #2.
  • the target hash function and the fingerprint information are carried in the open logical channel message.
  • an Open Logical Channel message may be enumerated here, so that the target hash function and the fingerprint information can be carried by using a message provided in the existing protocol, which enhances the versatility and practicality of the present invention.
  • the above-listed open logical channel message is only an exemplary description of the message carrying the above-mentioned target hash function and fingerprint information; the present invention is not limited thereto, and other messages that can be transmitted between terminal device #1 and terminal device #2 may also be used.
  • the terminal device #2 can receive the above message carrying the target hash function and the fingerprint information, and decapsulate the message based on the H.323 protocol to acquire the target hash function and the fingerprint information.
  • both the terminal device #1 and the terminal device #2 can know the target hash function and the fingerprint information, and thus, at S240, the terminal device #1 and the terminal device #2 can establish a DTLS connection according to the target hash function and the fingerprint information.
  • the terminal device #1 can perform security authentication (also referred to as a DTLS handshake) with the terminal device #2 according to the target hash function and the fingerprint information.
  • the terminal device #1 can generate the verification information #1 according to the target hash function and the fingerprint information (for example, terminal device #1 can encrypt the fingerprint information according to the target hash function to generate a code), and the verification information #1 is sent to terminal device #2.
  • the terminal device #2 can generate the verification information #2 according to the target hash function and the fingerprint information (for example, terminal device #2 can encrypt the fingerprint information according to the target hash function to generate a code), and the verification information #2 is sent to terminal device #1.
  • when the terminal device #2 determines that the above-described verification information #1 transmitted by terminal device #1 coincides with the verification information #2 generated by itself, terminal device #2 can determine that terminal device #1 passes the security verification, and can establish a DTLS connection with terminal device #1.
  • when the terminal device #1 determines that the above-mentioned verification information #2 transmitted by terminal device #2 coincides with the verification information #1 generated by itself, terminal device #1 can determine that terminal device #2 passes the security verification, and can establish a DTLS connection with terminal device #2.
  • the method and process for establishing the DTLS protocol connection between terminal device #1 and terminal device #2 may be similar to the prior art, and their detailed description is omitted here.
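The negotiation and handshake-time check described in S210 to S240 above, as an added Python example that is not part of the patent text: terminal #2 collates the received list, terminal #1 selects the target hash and signals a fingerprint, and each side recomputes the fingerprint of the certificate the peer actually presents over DTLS. It assumes that the fingerprint information is the digest of the DTLS certificate under the target hash (as in DTLS-SRTP), that terminal #2 signals its own fingerprint in the acknowledgement, and that hash functions are named as in hashlib; the certificates and hash lists are constructed stand-ins.

```python
import hashlib
import hmac

# Constructed stand-ins for the DER-encoded certificates each terminal presents
# in the DTLS handshake (not real certificates).
CERT_1 = b"constructed-cert-terminal-1"
CERT_2 = b"constructed-cert-terminal-2"

# Constructed hash function lists in each terminal's preference order (hashlib names).
TERMINAL_1_HASHES = ["sha512", "sha256", "sha1"]   # sent as the "second hash function list"
TERMINAL_2_HASHES = ["sha256", "sha1", "md5"]


def collate(second_list, own_supported):
    """Terminal #2 walks the received list in order and records every hash it also
    supports; the result is the 'first hash function list' returned to terminal #1."""
    return [h for h in second_list if h in own_supported]


def select_target(first_list, own_supported):
    """Terminal #1 may pick any entry; taking the first match keeps its own preference
    order because it built the second list in that order."""
    for h in first_list:
        if h in own_supported and h in hashlib.algorithms_available:
            return h
    raise ValueError("no common hash function: DTLS connection cannot be negotiated")


def fingerprint(cert_der, hash_name):
    """Fingerprint information = digest of the certificate under the target hash
    (assumption: modelled on DTLS certificate fingerprints)."""
    return hashlib.new(hash_name, cert_der).hexdigest()


def verify_presented_cert(hash_name, signalled_fp, presented_cert):
    """Handshake-time check: recompute the fingerprint of the certificate actually
    presented over DTLS and compare it, in constant time, with the value signalled
    over H.323. A mismatch means the DTLS peer is not the signalling peer."""
    if hash_name not in hashlib.algorithms_available:
        return False
    return hmac.compare_digest(fingerprint(presented_cert, hash_name), signalled_fp)


def run_negotiation(t1_hashes, t2_hashes, cert1, cert2, presented_to_t2, presented_to_t1):
    """Full method-200 flow. Returns (target_hash, t1_accepts_t2, t2_accepts_t1)."""
    first_list = collate(t1_hashes, t2_hashes)          # S210: TCS exchange
    target = select_target(first_list, t1_hashes)       # S220: terminal #1 picks target
    fp1 = fingerprint(cert1, target)                    # S230: carried in OLC by #1
    fp2 = fingerprint(cert2, target)                    # assumed: carried in OLC Ack by #2
    # S240: each side checks the certificate the peer actually presents over DTLS
    t2_accepts_t1 = verify_presented_cert(target, fp1, presented_to_t2)
    t1_accepts_t2 = verify_presented_cert(target, fp2, presented_to_t1)
    return target, t1_accepts_t2, t2_accepts_t1


if __name__ == "__main__":
    print(run_negotiation(TERMINAL_1_HASHES, TERMINAL_2_HASHES, CERT_1, CERT_2, CERT_1, CERT_2))
    # A certificate on the DTLS path that differs from the signalled one fails the check:
    print(run_negotiation(TERMINAL_1_HASHES, TERMINAL_2_HASHES, CERT_1, CERT_2, b"other", CERT_2))
```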
  • the method further includes:
  • the first terminal device receives confirmation information sent by the second terminal device according to the H.323 protocol, where the confirmation information is used to indicate that the second terminal device has received the target hash function and the fingerprint information.
  • the terminal device #2 may, according to the H.323 protocol, encapsulate the confirmation information indicating that terminal device #2 has received the target hash function into a message provided by the communication system that can be transmitted between terminal device #1 and terminal device #2, and transmit the message to terminal device #1.
  • the acknowledgement information is carried in an open logical channel acknowledgement message.
  • an Open Logical Channel Ack message may be listed here, so that the acknowledgement information can be carried by using a message provided in the existing protocol, thereby improving the versatility and practicality of the present invention.
  • the above-mentioned open logical channel acknowledgement message is only an exemplary description of the message carrying the above acknowledgement information; the present invention is not limited thereto, and other messages that can be transmitted between terminal device #1 and terminal device #2 may also be used.
  • the terminal device #1 and the terminal device #2 can transmit and receive messages based on the H.323 protocol, and all fall within the protection scope of the present invention.
  • the terminal device #1 can receive the message carrying the confirmation information, and decapsulate the message based on the H.323 protocol to obtain the confirmation information, thereby determining that terminal device #2 has received the target hash function, and can then execute the operation in S240 above.
  • after terminal device #2 returns the confirmation information to terminal device #1 upon receiving the target hash function and the fingerprint information, terminal device #1 can determine, according to the confirmation information, that terminal device #2 is ready to perform DTLS establishment. Thereby, the reliability of the method for transmitting data of the embodiment of the present invention can be further improved.
  • the terminal device #1 and the terminal device #2 can connect and transmit related data of the video conference through the DTLS protocol.
  • the terminal device #1 and the terminal device #2 can perform the authentication exchange according to the procedure specified in RFC 6347, and after the authentication succeeds, the logical channel is opened for data transmission.
  • based on the DTLS protocol connection, terminal device #1 and terminal device #2 may establish an application layer protocol connection, for example, a Stream Control Transmission Protocol (SCTP) connection, and transmit data through the SCTP connection.
  • SCTP is only an exemplary description of the application layer protocol, and the present invention is not limited thereto, and various other application layer protocols for transmitting data are all within the scope of the present invention.
  • a process of establishing an SCTP connection by using a DTLS protocol connection will be described as an example.
  • the method further includes:
  • the first terminal device sends a first port number to the second terminal device, where the first port number is the port number used by the first terminal device to establish a Stream Control Transmission Protocol (SCTP) connection based on the DTLS protocol connection;
  • the first terminal device establishes an SCTP connection with the second terminal device according to the first port number and the second port number, so as to transmit data with the second terminal device through the SCTP connection over the DTLS protocol connection.
  • the terminal device #1 can determine the port number based on the DTLS protocol connection, and further, can select a port number for establishing an SCTP connection with terminal device #2 (hereinafter, for ease of understanding and distinction, recorded as port number #1), and terminal device #1 can transmit port number #1 to terminal device #2 according to the H.323 protocol.
  • the terminal device #2 can determine the port number based on the DTLS protocol connection, and further, can select a port number for establishing an SCTP connection with terminal device #1 (hereinafter, for ease of understanding and distinction, recorded as port number #2), and terminal device #2 can transmit port number #2 to terminal device #1 according to the H.323 protocol.
  • the first port number is carried in a terminal capability set message or an open logical channel message, and
  • the second port number is carried in a terminal capability set message or a logical channel open message.
  • the terminal device #1 and the terminal device #2 have already been able to confirm that the DTLS protocol connection is to be established, and thus, before establishing the DTLS protocol connection, each can select the port number used to establish the SCTP connection and send it to the other party.
  • the terminal device #1 can transmit the selected port number (ie, port number #1) to the terminal device #2 through the above Open Logical Channel message.
  • the terminal device #2 can transmit its selected port number (ie, port number #2) to the terminal device #1 through the above Open Logical Channel message.
  • the terminal device #1 and the terminal device #2 may also send the port number selected for establishing the SCTP connection to the other party through the terminal capability set message.
  • the terminal device #1 may transmit its selected port number (ie, port number #1) to the terminal device #2 through the above-described Terminal Capability Set message or by updating the Terminal Capability Set message.
  • the terminal device #2 can send its selected port number (ie, port number #2) to terminal device #1 through the above Terminal Capability Set message, or by updating the Terminal Capability Set message.
  • the first port number and the second hash function list are carried in the same type of message.
  • the terminal device #1 can carry the port number #1, the second hash function list, and the role information in the same type of message.
  • terminal device #2 can carry port number #2 and the first hash function list in the same type of message.
  • the first port number is carried in the same message as the target hash function and the fingerprint information.
  • the terminal device #1 can carry the port number #1, the target hash function, and the fingerprint information in the same message.
  • terminal device #2 can carry port number #2 and acknowledgment information in the same message.
  • the terminal device #1 and the terminal device #2 can know the port number used by each other, thereby establishing an SCTP connection according to the port numbers and performing data transmission; the method and process for establishing an SCTP connection according to the port numbers and transmitting data through the SCTP connection may be similar to the prior art. Here, in order to avoid redundancy, their detailed description is omitted.
  • the negotiation of the hash function between terminal device #1 and terminal device #2 listed above is an example of the process of establishing a DTLS connection, but the present invention is not limited thereto: other parameters for establishing a DTLS connection may also be determined by a negotiation process between terminal device #1 and terminal device #2, and that negotiation process is similar to the negotiation process enumerated in the above method 200.
  • the communication between the first terminal device and the second terminal device by the H.323 protocol refers to exchanging the hash function list, the hash function, and the fingerprint information through the H.323 protocol before performing the authentication process; after the first hash function, the first fingerprint information, the second hash function, and the second fingerprint information for performing authentication have been determined as described above, the authentication process is performed according to the signaling or messages provided by the DTLS protocol. That is, the first terminal device and the second terminal device may communicate without using the H.323 protocol when performing the authentication processing.
  • the first terminal device and the second terminal device can negotiate the hash function and the fingerprint information based on the H.323 protocol, and a DTLS protocol connection can be established between the first terminal device and the second terminal device based on the hash function and the fingerprint information, so that the first terminal device and the second terminal device can transmit data through the DTLS protocol connection.
  • the security authentication mechanism of the DTLS protocol can be effectively utilized to improve the security of the transmitted data, and the DTLS protocol can be applied to the terminal device using the H.323 protocol, thereby improving the reliability and practicability of the terminal device and improving the user experience.
  • the device that establishes the session connection by using the H.323 protocol and the device that establishes the session connection by using the SIP may negotiate the hash function and the fingerprint information for performing security authentication through the gateway device in the following manner C or manner D.
  • the DTLS connection may be UDP based or TCP based.
  • FIG. 3 shows a schematic flow diagram of a method 300 of transmitting data in accordance with another embodiment of the present invention, as described from the perspective of a gateway device.
  • the first terminal device communicates with the gateway device through the H.323 protocol, and the second terminal device communicates with the gateway device through the Session Initiation Protocol (SIP); as shown in FIG. 3, the method 300 includes:
  • the gateway device receives at least one first hash function sent by the second terminal device, where the first hash function belongs to the hash functions supported by the second terminal device, and sends to the first terminal device a first hash function list recording the first hash function; the gateway device receives the target first hash function and the first fingerprint information sent by the first terminal device, where the target first hash function is determined by the first terminal device from the first hash function list, the target first hash function belongs to the hash functions supported by the first terminal device, and the first fingerprint information is fingerprint information corresponding to the target first hash function, the target first hash function and the first fingerprint information being used to authenticate the first terminal device;
  • the gateway device receives the second hash function list sent by the first terminal device, where the second hash function list includes at least one second hash function supported by the first terminal device, sends part or all of the second hash functions to the second terminal device, and receives the target second hash function and the second fingerprint information sent by the second terminal device, where the target second hash function is determined by the second terminal device from the part or all of the second hash functions, the target second hash function belongs to the hash functions supported by the second terminal device, and the second fingerprint information is fingerprint information corresponding to the target second hash function, the target second hash function and the second fingerprint information being used to authenticate the second terminal device;
  • the gateway device sends the target first hash function and the first fingerprint information to the second terminal device, and sends the target second hash function and the second fingerprint information to the first terminal device, so that the first terminal device and the second terminal device perform an authentication process according to the target first hash function, the first fingerprint information, the target second hash function, and the second fingerprint information to establish a Datagram Transport Layer Security (DTLS) protocol connection, and transmit data through the DTLS protocol connection.
  • the media communication technology can provide a variety of session (also referred to as "call") establishment protocols; thereby, a terminal device can select, based on its own capabilities (for example, the session establishment protocols it supports), a corresponding session establishment protocol to establish a session connection, and can then negotiate with other terminal devices through the session connection to establish a data transmission connection, thereby completing media communication with the other terminal devices.
  • H.323 protocol corresponds to a data transmission connection based on the H.235 protocol
  • the gateway device forwards the data transmitted between the two terminal devices (for example, converting the encoding format, etc.), thereby increasing the burden on the gateway device, reducing the transmission performance of the system, and seriously affecting user experience.
  • the first terminal device and the second terminal device negotiate security parameters via the gateway device, and a DTLS protocol connection based on the security parameters can be established between the first terminal device and the second terminal device, so that the first terminal device and the second terminal device can transmit data through the DTLS protocol connection without forwarding by the gateway device, thereby reducing the burden on the gateway device, improving the transmission performance of the system, and improving the user experience.
  • the first terminal device (hereinafter, for ease of understanding and distinction, recorded as terminal device #X) can be configured in the sub-communication system using the H.323 protocol (specifically, the sub-communication system in which a session connection is established using the H.323 protocol), and the second terminal device (hereinafter, for ease of understanding and distinction, recorded as terminal device #Y) can be configured in the sub-communication system using the SIP protocol (specifically, the sub-communication system in which a session connection is established using the SIP protocol); thus, terminal device #X and the gateway device can communicate based on the H.323 protocol, for example, by transmitting signaling, and terminal device #Y and the gateway device can communicate based on the SIP protocol, for example, by transmitting signaling.
  • the terminal device #X and the terminal device #Y may negotiate, via the gateway device, to determine a hash function and fingerprint information (also referred to as security parameters), so that a data transmission connection based on the Datagram Transport Layer Security (DTLS) protocol may be established based on the hash function and the fingerprint information, and data may be transmitted through the DTLS protocol connection, thereby effectively utilizing the security authentication mechanism of the DTLS protocol (ie, encryption and authentication based on hash functions and fingerprint information) to improve the security of data transmission.
  • the terminal device #X may record the hash functions it can support (ie, the second hash functions) in the second hash function list, and encapsulate the second hash function list, according to the H.323 protocol, into a message provided by the communication system.
  • the second hash function list sent by the first terminal device to the gateway device is carried in a terminal capability set message sent by the first terminal device to the gateway device.
  • a terminal capability set (Terminal Capability Set) message may be listed here, so that the hash function list can be carried by using a message provided in the existing protocol, thereby improving the versatility and practicality of the present invention.
  • the terminal capability set message enumerated above is only an exemplary description of the message carrying the second hash function list; the present invention is not limited thereto, and other messages that can be transmitted between terminal device #X and the gateway device may also be used.
  • the second hash functions recorded by terminal device #X in the second hash function list may be all the hash functions supported by terminal device #X, or may be only some of the hash functions supported by terminal device #X; this is not specifically limited.
  • the number of second hash functions recorded in the second hash function list may be changed arbitrarily according to the system (or standard) specification or the capacity of the message carrying the hash function list (or the amount of information that the message can carry).
  • descriptions of the same or similar cases as arise in the communication between terminal device #X and the gateway device are omitted here.
  • the terminal device #Y may encapsulate the first hash functions it can support, according to the transmission mode specified by SIP, into a message provided by the communication system that can be transmitted between terminal device #Y and the gateway device, and transmit the message to the gateway device.
  • the first hash function sent by the second terminal device to the gateway device is carried in the Session Description Protocol (SDP) message body of a SIP message sent by the second terminal device to the gateway device.
  • a SIP message including an SDP message body may be enumerated here, so that the hash functions can be carried by using a message provided in the existing protocol, thereby improving the versatility and practicality of the present invention.
  • the SDP message enumerated above is only an exemplary description of the message carrying the first hash function; the present invention is not limited thereto, and other messages that can be transmitted between terminal device #Y and the gateway device, that is, messages that terminal device #Y and the gateway device can transmit and receive in the manner defined by SIP, all fall within the protection scope of the present invention.
  • the first hash functions sent by terminal device #Y to the gateway device may be all the hash functions supported by terminal device #Y, or may be only some of the hash functions supported by terminal device #Y; the present invention is not particularly limited in this respect.
  • the second terminal device may transfer the plurality of first hash functions to the gateway device separately, by using multiple SDP messages (ie, each SDP message carries one first hash function).
  • the gateway device can receive the message carrying the second hash function list, decapsulate the message according to the H.323 protocol to obtain the second hash function list, obtain the second hash functions recorded in the list, and transmit part or all of the second hash functions to terminal device #Y based on SIP.
  • the gateway device may first select any one hash function in the second hash function list (for example, the first hash function in the list), encapsulate it according to SIP into a message provided by the communication system between the gateway device and terminal device #Y, and transmit the message to terminal device #Y; the gateway device can also transfer the remaining hash functions in the second hash function list to terminal device #Y by a similar method.
  • the terminal device #Y can receive the (one or more) messages carrying the second hash functions described above, and decapsulate the messages based on SIP to obtain part or all of the second hash functions. And, terminal device #Y may compare the part or all of the second hash functions with the hash functions supported by itself, thereby determining from them one or more hash functions that terminal device #Y can support (ie, the target second hash function).
  • the terminal device #Y can determine the fingerprint information (ie, the second fingerprint information) corresponding to the target second hash function. Thereafter, the terminal device #Y may transmit the target second hash function and the second fingerprint information determined as described above to the gateway device by, for example, an SDP message or the like.
  • the specific process may be that the gateway device first selects any hash function from the second hash function list, encapsulates it in the SDP message body of the SIP Invite message, and sends it to terminal device #Y; the other hash functions in the second hash function list that still need to be sent can then be encapsulated in the SDP message body of a SIP Update message and sent to terminal device #Y.
  • after receiving a hash function, terminal device #Y, if it confirms that the hash function can be supported, encapsulates the hash function in the SDP message body of the SIP response message (such as a SIP 183 response message or a SIP Update response message) sent to the gateway device. And, terminal device #Y confirms one of the hash functions that can be supported as the target second hash function, and encapsulates the target second hash function and its corresponding fingerprint information (ie, the second fingerprint information) in the SDP message body of a SIP Update message sent to the gateway device.
  • the gateway device may send the target second hash function and the second fingerprint information to terminal device #X according to the H.323 protocol by, for example, an open logical channel message or a terminal capability set message.
  • the terminal device #X can know the hash function and the fingerprint information for the verification of the terminal device #Y, that is, the above-described target second hash function and second fingerprint information.
  • the gateway device can receive the message carrying the first hash function(s) supported by terminal device #Y, and decapsulate the message in the manner specified by SIP to obtain the first hash function(s).
  • the gateway device records part or all of the first hash functions in a hash function list (ie, the first hash function list), and may send the first hash function list to terminal device #X based on the H.323 protocol by, for example, a terminal capability set message.
  • the terminal device #X can receive the message carrying the first hash function list, and decapsulate the message based on the H.323 protocol to obtain the first hash function list, thereby learning that terminal device #Y can support some or all of the above first hash functions. And, terminal device #X may compare some or all of the first hash functions with the hash functions supported by itself, thereby determining from them one or more hash functions that terminal device #X can support (ie, the target first hash function). And, terminal device #X can determine the fingerprint information (ie, the first fingerprint information) corresponding to the target first hash function. Thereafter, terminal device #X may transmit the target first hash function and the first fingerprint information determined as described above to the gateway device by, for example, an open logical channel message or the like.
  • the gateway device may, according to SIP, send the target first hash function and the first fingerprint information to terminal device #Y through, for example, an SDP message.
  • the terminal device #Y can know the hash function and the fingerprint information for the verification of the terminal device #X, that is, the above-described target first hash function and the first fingerprint information.
  • the target first hash function is recorded as the hash function #X
  • the first fingerprint information is recorded as the fingerprint information #X
  • the target second hash function is recorded as the hash function #Y
  • the second fingerprint information is recorded as fingerprint information #Y. That is, both terminal device #X and terminal device #Y can know the hash function and the fingerprint information for authenticating each other, and thus terminal device #X and terminal device #Y can perform security authentication (also referred to as a DTLS handshake) according to the hash function #X, fingerprint information #X, hash function #Y, and fingerprint information #Y determined as described above.
  • the terminal device #X can generate the verification information #X1 according to the hash function #X and the fingerprint information #X (for example, terminal device #X can generate a code according to the hash function #X and the fingerprint information #X), and send the verification information to terminal device #Y through DTLS signaling.
  • the terminal device #Y generates the verification information #X2 based on the hash function #X and the fingerprint information #X (for example, terminal device #Y can generate a code based on the hash function #X and the fingerprint information #X).
  • when the terminal device #Y determines that the verification information #X1 transmitted by terminal device #X coincides with the verification information #X2 generated by terminal device #Y, terminal device #Y can determine that terminal device #X passes the security authentication, and can establish a DTLS connection with terminal device #X.
  • the terminal device #Y can generate the verification information #Y1 according to the hash function #Y and the fingerprint information #Y (for example, terminal device #Y can encrypt the fingerprint information #Y according to the hash function #Y to generate a code), and send the verification information to terminal device #X.
  • the terminal device #X generates the verification information #Y2 based on the hash function #Y and the fingerprint information #Y (for example, terminal device #X can encrypt the fingerprint information #Y according to the hash function #Y to generate a code).
  • when the terminal device #X determines that the above-described verification information #Y1 transmitted by terminal device #Y coincides with the verification information #Y2 generated by terminal device #X, terminal device #X can determine that terminal device #Y passes the security verification, and can establish a DTLS connection with terminal device #Y.
  • the method further includes:
• the gateway device receives the first role indication information sent by the first terminal device and the second role indication information sent by the second terminal device, where the first role indication information is used to indicate a role supported by the first terminal device, the second role indication information is used to indicate a role supported by the second terminal device, and the role is at least one of "active" and "passive";
• the gateway device sends the first role indication information to the second terminal device, and sends the second role indication information to the first terminal device, so that the first terminal device and the second terminal device perform authentication processing according to the first hash function, the first fingerprint information, the second hash function, the second fingerprint information, the role supported by the first terminal device, and the role supported by the second terminal device.
• the system can provide three roles, namely, "active", "passive", and "active passive" (hereinafter, for ease of understanding and explanation, simply referred to as "all can be"; this corresponds to the "actpass" value of the SDP setup attribute defined in RFC 4145).
  • the terminal device #X and the terminal device #Y can notify each other of the roles of each other via the gateway device.
• the terminal device #X may send information indicating the role it can support (ie, the first role indication information) to the gateway device by using the terminal capability set message or the open logical channel message, and the gateway device sends the first role indication information to the terminal device #Y through an SDP message.
• the terminal device #Y may send information indicating the role it can support (ie, the second role indication information) to the gateway device by using an SDP message, and the gateway device sends the second role indication information to the terminal device #X by using the terminal capability set message or the open logical channel message.
• according to the role supported by the terminal device #X and the role supported by the terminal device #Y, the initiator of the above DTLS handshake is determined: the terminal device that takes the "active" role initiates the handshake (it acts as the DTLS client), and the terminal device that takes the "passive" role waits for it (it acts as the DTLS server). For example, the terminal device #X can be used as the initiator of the above DTLS handshake.
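The role exchange described above, carried out in working code as an added example (this is not code from the patent or from the applicant): the H.323 side (#X) is treated as the SDP offerer whose role indication the gateway translates into an a=setup value per RFC 4145, the SIP side (#Y) answers, and the side that ends up "active" is the one that opens the DTLS handshake (RFC 5763). The function names, the mapping table and the assumption that #Y's capability is expressed with the same three role names are choices made for this example.

```python
"""Role negotiation between the H.323 terminal (#X, offerer via the gateway)
and the SIP terminal (#Y, answerer). Added example; not from the patent."""

# Role names as the description uses them, mapped to the values of the SDP
# "setup" attribute (RFC 4145) that the gateway writes into the SDP offer.
H323_ROLE_TO_SDP_SETUP = {
    "active": "active",
    "passive": "passive",
    "active passive": "actpass",  # "all can be": the endpoint accepts either role
}

# Which concrete roles each setup value allows an endpoint to take.
SETUP_TO_ROLES = {
    "active": frozenset({"active"}),
    "passive": frozenset({"passive"}),
    "actpass": frozenset({"active", "passive"}),
}


def h323_role_to_sdp_setup(role):
    """Translate a role indication (first/second role indication information)
    into an a=setup value; unknown strings are rejected rather than guessed."""
    try:
        return H323_ROLE_TO_SDP_SETUP[role.strip().lower()]
    except KeyError:
        raise ValueError("unknown role indication: %r" % (role,)) from None


def choose_answer_setup(offer_setup, answerer_capability):
    """Answerer (#Y) picks its a=setup value; an answer is never 'actpass'.

    RFC 5763 recommends that the answerer take the active role when the offer
    allows it, so the DTLS handshake can start as soon as the answer is sent."""
    answerer_roles = SETUP_TO_ROLES[answerer_capability]
    if offer_setup == "actpass":
        for choice in ("active", "passive"):
            if choice in answerer_roles:
                return choice
    elif offer_setup == "active" and "passive" in answerer_roles:
        return "passive"
    elif offer_setup == "passive" and "active" in answerer_roles:
        return "active"
    raise ValueError("no compatible role: offer=%s answerer=%s"
                     % (offer_setup, answerer_capability))


def dtls_initiator(offer_setup, answer_setup):
    """The side that ended up 'active' opens the DTLS handshake (DTLS client).
    Any other combination is a signalling inconsistency and is refused."""
    if answer_setup == "active" and offer_setup in ("passive", "actpass"):
        return "answerer"
    if answer_setup == "passive" and offer_setup in ("active", "actpass"):
        return "offerer"
    raise ValueError("inconsistent setup values: offer=%s answer=%s"
                     % (offer_setup, answer_setup))


def negotiate_roles(terminal_x_role, terminal_y_role):
    """Full exchange through the gateway: #X's role goes into the SDP offer,
    #Y answers against its own capability, and both sides learn who initiates.
    Returns (offer setup, answer setup, initiator)."""
    offer_setup = h323_role_to_sdp_setup(terminal_x_role)
    answer_setup = choose_answer_setup(offer_setup, h323_role_to_sdp_setup(terminal_y_role))
    return offer_setup, answer_setup, dtls_initiator(offer_setup, answer_setup)


if __name__ == "__main__":
    for x_role, y_role in (("active passive", "active passive"), ("active", "passive")):
        print(x_role, "/", y_role, "->", negotiate_roles(x_role, y_role))
```

Two endpoints that both insist on "active" (or both on "passive") cannot complete the handshake at all, which is why the example raises in that case instead of picking a side; the gateway should surface that as a signalling failure rather than forwarding the answer.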
  • the terminal device #X and the terminal device #Y can establish a DTLS protocol connection.
  • the method and the process for establishing the DTLS protocol connection between the terminal device #X and the terminal device #Y may be similar to the prior art, and a detailed description thereof is omitted herein to avoid redundancy.
  • the terminal device #X and the terminal device #Y can connect and transmit related data of the video conference through the DTLS protocol.
• the terminal device #X and the terminal device #Y can perform the authentication exchange according to the procedure specified in RFC 6347, and after the authentication is successful, the logical channel is opened to perform data transmission.
• the terminal device #X and the terminal device #Y may establish an application layer protocol connection, for example, a Stream Control Transmission Protocol (SCTP) connection, on top of the DTLS protocol connection, and transmit data through the SCTP connection.
• SCTP is only an exemplary description of the protocol carried over the DTLS connection (SCTP is itself a transport protocol; here it is tunnelled over DTLS), and the present invention is not limited thereto; various other protocols for transmitting data over the DTLS connection are all within the scope of the present invention.
  • a process of establishing an SCTP connection by using a DTLS protocol connection will be described as an example.
• the method further includes:
• the first terminal device sends a first port number to the gateway device, where the first port number is a port number used by the first terminal device to establish a Stream Control Transmission Protocol (SCTP) connection based on the DTLS protocol connection, so that the gateway device sends the first port number to the second terminal device;
• the first terminal device receives a second port number sent by the gateway device, where the second port number is a port number used by the second terminal device to establish the SCTP connection;
• the first terminal device establishes an SCTP connection with the second terminal device according to the first port number and the second port number, so as to transmit data with the second terminal device through the SCTP connection on the DTLS protocol connection.
• the terminal device #X can determine the port numbers available on the basis of the DTLS protocol connection, and further, can select from them a port number for establishing an SCTP connection with the terminal device #Y (hereinafter, for ease of understanding and distinction, noted as: port number #X), and the terminal device #X can transmit the port number #X to the gateway device by, for example, an open logical channel message or a terminal capability set message according to the H.323 protocol, whereby the gateway device can send the port number #X to the terminal device #Y by, for example, an SDP message.
• the terminal device #Y can determine the port numbers available on the basis of the DTLS protocol connection, and further, can select from them a port number for establishing an SCTP connection with the terminal device #X (hereinafter, for ease of understanding and distinction, noted as: port number #Y), and the terminal device #Y can transmit the port number #Y to the gateway device by, for example, an SDP message according to SIP, so that the gateway device can send the port number #Y to the terminal device #X by, for example, an open logical channel message or a terminal capability set message.
• the terminal device #X and the terminal device #Y can thus know the port number used by each other, and are thereby able to establish an SCTP connection according to the port numbers and perform data transmission; the method and process for establishing an SCTP connection according to the port numbers and transmitting data through the SCTP connection may be similar to the prior art, and a detailed description thereof is omitted here.
• the hash function is listed above as the parameter negotiated between the terminal device #X and the terminal device #Y in the process of establishing the DTLS connection, but the present invention is not limited thereto; other parameters for establishing the DTLS connection may also be determined by a negotiation process between the terminal device #X and the terminal device #Y, and that negotiation process is similar to the negotiation process enumerated in the above method 300.
  • the hash function #X and the hash function #Y determined as described above may be the same or different, and the present invention is not particularly limited.
• according to the method for transmitting data of the embodiment of the present invention, a first terminal device using the H.323 protocol and a second terminal device using SIP negotiate a hash function and fingerprint information via a gateway device, so that a DTLS protocol connection based on the hash function and the fingerprint information can be established between the first terminal device and the second terminal device, and the first terminal device and the second terminal device can transmit data through the DTLS protocol connection, thereby effectively utilizing the security authentication mechanism of the DTLS protocol to improve the security of the transmitted data; furthermore, the DTLS protocol can be applied to a terminal device using the H.323 protocol, thereby improving the reliability and practicability of the terminal device and improving the user experience.
  • the method 400 includes:
  • the gateway device receives a hash function list sent by the first terminal device, where the hash function list includes at least one hash function supported by the first terminal device;
  • the gateway device performs a negotiation process with the second terminal device according to the hash function list to determine at least one candidate hash function from the hash function list, where the candidate hash function belongs to the second a hash function supported by the terminal device;
  • the gateway device sends the candidate hash function to the first terminal device, so that the first terminal device determines a target hash function from the candidate hash function, and determines that the target hash function is corresponding to the target hash function. Fingerprint information;
• the gateway device receives the target hash function and the fingerprint information sent by the first terminal device, and sends the target hash function and the fingerprint information to the second terminal device, so that the first terminal device and the second terminal device establish a Datagram Transport Layer Security (DTLS) protocol connection according to the target hash function and the fingerprint information, and transmit data through the DTLS protocol connection.
• the media communication technology can provide a variety of session (also referred to as "call") establishment protocols; thereby, a terminal device can select a corresponding session establishment protocol according to its own capabilities (for example, the session establishment protocols it supports) to establish a session connection, and then can negotiate with other terminal devices through the session connection to establish a data transmission connection, thereby completing media communication with the other terminal devices.
• the H.323 protocol corresponds to a data transmission connection based on the H.235 protocol;
• SIP: Session Initiation Protocol;
• DTLS: Datagram Transport Layer Security.
• when the gateway device has to forward the data transmitted between the two terminal devices (for example, converting the encoding format), the burden on the gateway device is increased, the transmission performance of the system is reduced, and the user experience is seriously affected.
• the first terminal device and the second terminal device negotiate a security parameter via the gateway device, and can establish a DTLS protocol connection based on the security parameter between the first terminal device and the second terminal device, so that the first terminal device and the second terminal device can transmit data through the DTLS protocol connection without forwarding by the gateway device, thereby reducing the burden on the gateway device, improving the transmission performance of the system, and improving the user experience.
• the first terminal device (hereinafter, for convenience of understanding and distinction, recorded as: terminal device #A) can be configured in the sub-communication system that uses the H.323 protocol (specifically, that establishes a session connection using the H.323 protocol), and the second terminal device (hereinafter, for ease of understanding and distinction, recorded as: terminal device #B) can be configured in the sub-communication system that uses the SIP protocol (specifically, that establishes a session connection using the SIP protocol), whereby the terminal device #A and the gateway device can communicate based on the H.323 protocol, for example, to transmit signaling, and the terminal device #B and the gateway device can communicate based on the SIP protocol, for example, to transmit signaling.
• the terminal device #A and the terminal device #B may negotiate via the gateway device to determine a hash function and fingerprint information (which may also be referred to as a security parameter), whereby a Datagram Transport Layer Security (DTLS) protocol connection may be established based on the hash function and the fingerprint information to perform data transmission through the DTLS protocol, thereby making effective use of the security authentication mechanism of the DTLS protocol (ie, authentication of the peer based on the hash function and fingerprint information, and encryption of the DTLS connection) to improve data transmission security.
• the terminal device #A can record the hash functions that it can support in a hash function list, encapsulate the hash function list into a message that the communication system provides for transmission between the terminal device #A and the gateway device according to the H.323 protocol, and transmit the message to the gateway device.
  • the hash function list sent by the first terminal device to the gateway device is carried in a terminal capability set message sent by the first terminal device to the gateway device.
• the terminal capability set (Terminal Capability Set, an H.245 message) may be used, so that the hash function list can be carried by a message provided in the existing protocol, thereby improving the versatility and practicability of the present invention.
• the terminal capability set message enumerated above is only an exemplary description of a message carrying the above hash function list, and the present invention is not limited thereto; other messages that can be transmitted between the terminal device #A and the gateway device, in other words, messages that the terminal device #A and the gateway device can send and receive based on the H.323 protocol, all fall within the protection scope of the present invention.
• the hash functions recorded by the terminal device #A in the hash function list may be all the hash functions supported by the terminal device #A, or may be a part of the hash functions supported by the terminal device #A; the present invention is not particularly limited in this respect.
• the number of hash functions recorded in the hash function list may be determined according to the system (or standard) or according to the capacity of the message carrying the hash function list (in other words, the amount of information that the message can carry), and may be changed arbitrarily.
  • the gateway device can receive the message carrying the hash function list and decapsulate the message based on the H.323 protocol to obtain the hash function list.
• the gateway device may perform a negotiation process with the terminal device #B based on SIP according to the foregoing hash function list, to determine, from the hash function list, the one or more candidate hash functions supported by the terminal device #B. As an example and not a limitation, the negotiation process can proceed as follows.
  • the gateway device performs a negotiation process with the second terminal device according to the hash function list, to determine at least one candidate hash function from the hash function list, including:
• the gateway device sends a to-be-verified hash function to the second terminal device, where the to-be-verified hash function is any hash function in the hash function list;
  • the gateway device receives the verification message sent by the second terminal device, where the verification message is used to indicate whether the to-be-verified hash function belongs to a hash function supported by the second terminal device;
• when the gateway device determines, according to the verification message, that the to-be-verified hash function belongs to the hash functions supported by the second terminal device, the gateway device determines the to-be-verified hash function as a candidate hash function.
• the gateway device may select any hash function (for example, the first one in the hash function list) from the hash function list as the hash function to be verified, encapsulate the to-be-verified hash function according to SIP into a message that the communication system provides for transmission between the gateway device and the terminal device #B, and transmit the message to the terminal device #B.
• the to-be-verified hash function sent by the gateway device to the second terminal device is carried in the Session Description Protocol (SDP) Offer message body of the SIP message sent by the gateway device to the second terminal device.
  • the hash function to be verified can be carried by the message provided in the existing protocol, which improves the versatility and practicability of the present invention.
• the terminal device #B can receive the message carrying the hash function to be verified, and decapsulate the message based on SIP to obtain the hash function to be verified.
  • the terminal device #B can compare the hash function to be verified with the hash function supported by itself, thereby determining whether the to-be-verified hash function belongs to a hash function that the terminal device #B can support.
• when the terminal device #B can support the to-be-verified hash function, the terminal device #B may send, according to SIP, a verification message indicating this to the gateway device (hereinafter, for ease of understanding and differentiation, recorded as: the first type of verification message). Therefore, when receiving the first type of verification message, the gateway device may determine that the to-be-verified hash function sent to the terminal device #B belongs to the hash functions that the terminal device #B can support, and thus determines the to-be-verified hash function as a candidate hash function.
• when the terminal device #B does not support the to-be-verified hash function, the terminal device #B may send, according to SIP, a verification message indicating this to the gateway device (hereinafter, for ease of understanding and differentiation, recorded as: the second type of verification message). Therefore, when receiving the second type of verification message, the gateway device may determine that the to-be-verified hash function sent to the terminal device #B does not belong to the hash functions that the terminal device #B can support, and thus does not determine the to-be-verified hash function as a candidate hash function.
• the gateway device determining, according to the verification message, that the to-be-verified hash function belongs to the hash functions supported by the second terminal device, and determining the to-be-verified hash function as a candidate hash function, includes:
• when the verification message carries the to-be-verified hash function, the gateway device determines that the to-be-verified hash function belongs to the hash functions supported by the second terminal device, and determines the to-be-verified hash function as a candidate hash function.
• the gateway device may distinguish the two types of verification message by whether the verification message carries the to-be-verified hash function that the gateway device sent to the terminal device #B.
• when the terminal device #B determines that the to-be-verified hash function sent by the gateway device belongs to the hash functions supported by the terminal device #B, the terminal device #B may encapsulate the to-be-verified hash function in the verification message and send the verification message to the gateway device. When the gateway device determines that the verification message carries the to-be-verified hash function, it may determine that the verification message is the first type of verification message, that is, that the carried to-be-verified hash function belongs to the candidate hash functions.
• otherwise, the gateway device may determine that the verification message is the second type of verification message, that is, that the to-be-verified hash function sent to the terminal device #B is not a candidate hash function.
• the verification message sent by the second terminal device to the gateway device is a SIP message, and the to-be-verified hash function returned by the second terminal device to the gateway device is carried in the SDP Answer message body of that SIP message.
• once the gateway device has determined one candidate hash function (for example, the gateway device may sequentially select a plurality of hash functions to be verified and perform multiple rounds of negotiation with the terminal device #B until a candidate hash function is determined), it may stop the above negotiation.
• alternatively, the gateway device may also perform N rounds of negotiation with the terminal device #B (N being the number of hash functions included in the hash function list), to determine all hash functions in the hash function list that can be used as candidate hash functions.
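The gateway-side loop of the negotiation above, as an added example (not code from the patent or the applicant): one to-be-verified hash function per round, the verification message classified as first or second type by whether it carries the hash function back, and either the first candidate or all N candidates collected. The SIP side is a constructed stub, the messages are plain objects rather than SDP Offer/Answer bodies (the encapsulation is out of scope here), and the deprecated-algorithm list is a design choice of this example; all names are hypothetical.

```python
"""Hash function list negotiation between gateway and terminal #B.
Added example; not from the patent."""
from dataclasses import dataclass
from typing import Optional

# Algorithms this example refuses as the target even if both sides list them.
DEPRECATED_HASHES = frozenset({"md5", "sha-1"})


@dataclass
class VerificationMessage:
    """What #B returns for one to-be-verified hash function. On the wire this
    is the SDP Answer body of a SIP message; here only the distinguishing rule
    is kept: the message carries the hash function if and only if #B supports
    it (first type), otherwise it carries none (second type)."""
    hash_function: Optional[str]


@dataclass
class TerminalB:
    """SIP-side terminal stub (constructed for the example)."""
    supported: frozenset
    rounds: int = 0  # how many verification rounds this terminal answered

    def verify(self, to_be_verified):
        self.rounds += 1
        if to_be_verified in self.supported:
            return VerificationMessage(to_be_verified)
        return VerificationMessage(None)


def negotiate_candidates(hash_function_list, terminal_b, stop_at_first=True):
    """Gateway side: walk #A's list in #A's order, one hash function per round,
    and collect the candidate hash functions #B confirms. With stop_at_first
    the negotiation ends at the first candidate; otherwise all N are asked."""
    candidates = []
    asked = set()
    for to_be_verified in hash_function_list:
        if to_be_verified in asked:  # ignore duplicates in #A's list
            continue
        asked.add(to_be_verified)
        message = terminal_b.verify(to_be_verified)
        if message.hash_function is None:  # second type: not supported by #B
            continue
        if message.hash_function != to_be_verified:
            # The peer must not be able to slip in an algorithm that was never offered.
            raise ValueError("verification message names a hash function that was not offered")
        candidates.append(to_be_verified)  # first type: candidate hash function
        if stop_at_first:
            break
    return candidates


def choose_target_hash(candidates, terminal_a_preference):
    """#A picks the target hash function: its most preferred candidate that is
    not deprecated. Everything else is rejected rather than silently downgraded."""
    for hash_function in terminal_a_preference:
        if hash_function in candidates and hash_function not in DEPRECATED_HASHES:
            return hash_function
    raise ValueError("no acceptable common hash function")


if __name__ == "__main__":
    a_list = ["sha-512", "sha-256", "sha-1"]
    peer = TerminalB(frozenset({"sha-256", "sha-1"}))
    found = negotiate_candidates(a_list, peer, stop_at_first=False)
    print("candidates:", found, "after", peer.rounds, "rounds")
    print("target:", choose_target_hash(found, a_list))
```

Ordering #A's list strongest-first matters: with stop_at_first the gateway returns the first function #B confirms, so a list that leads with a weak algorithm negotiates a weak fingerprint even when both sides support SHA-256.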
• the gateway device may encapsulate the candidate hash function into a message that the communication system provides for transmission between the terminal device #A and the gateway device according to the H.323 protocol, and transmit the message to the terminal device #A.
• the candidate hash function sent by the gateway device to the first terminal device is carried in a terminal capability set message sent by the gateway device to the first terminal device.
• the terminal capability set (Terminal Capability Set) message may be used, so that the candidate hash function can be carried by a message provided in the existing protocol, thereby improving the versatility and practicability of the present invention.
• the terminal capability set message listed above is only an exemplary description of the message carrying the above candidate hash function, and the present invention is not limited thereto; other messages that can be transmitted between the terminal device #A and the gateway device, that is, messages that the terminal device #A and the gateway device can send and receive based on the H.323 protocol, all fall within the protection scope of the present invention.
• the terminal device #A can receive the message carrying the above candidate hash function and decapsulate the message based on the H.323 protocol to obtain the candidate hash function. Since a candidate hash function is a hash function that both the terminal device #A and the terminal device #B can support, the terminal device #A can select any hash function from the candidate hash functions as the target hash function.
• the terminal device #A may determine the fingerprint information corresponding to the target hash function (in RFC 8122 terms, the fingerprint is the digest of the terminal device's DTLS certificate computed with the target hash function); this process may be similar to the process of determining the fingerprint corresponding to a hash function in the prior art, and a detailed description thereof is omitted here to avoid redundancy.
• the terminal device #A may encapsulate the target hash function and the fingerprint information into a message that can be transmitted between the terminal device #A and the gateway device according to the H.323 protocol, and transmit the message to the gateway device.
  • the target hash function and the fingerprint information sent by the first terminal device to the gateway device are carried in an open logical channel message sent by the first terminal device to the gateway device.
• the open logical channel (Open Logical Channel, an H.245 message) may be used, so that the target hash function and the fingerprint information can be carried by a message provided in the existing protocol, thereby improving the versatility and practicability of the present invention.
• the above-listed open logical channel message is only an exemplary description of the message carrying the above target hash function and fingerprint information, and the present invention is not limited thereto; other messages that can be transmitted between the terminal device #A and the gateway device are all within the scope of the present invention.
• the gateway device can receive the above message carrying the target hash function and the fingerprint information, and decapsulate the message based on the H.323 protocol to obtain the target hash function and the fingerprint information.
  • the target hash function and the fingerprint information may be encapsulated into a message that can be transmitted between the terminal device #B and the gateway device according to the SIP, and the message is transmitted to the terminal device #B.
  • the target hash function and the fingerprint information sent by the gateway device to the second terminal device are carried in an SDP Offer message body in the SIP message sent by the gateway device to the second terminal device.
  • the target hash function and the fingerprint information can be carried by the message provided in the existing protocol, which improves the versatility and practicability of the present invention.
• the SDP Offer message body listed above is only an exemplary description of the message carrying the above target hash function and fingerprint information, and the present invention is not limited thereto; other messages that can be transmitted between the terminal device #B and the gateway device, that is, messages that the terminal device #B and the gateway device can send and receive based on SIP, are all within the scope of the present invention.
  • the terminal device #B can receive the above-mentioned message carrying the target hash function and the fingerprint information, and decapsulate the message based on the SIP to acquire the target hash function and the fingerprint information.
  • the method further includes:
  • the gateway device receives the confirmation information sent by the second terminal device, where the confirmation information is used to indicate that the second terminal device has received the target hash function and the fingerprint information;
  • the gateway device sends the confirmation information to the first terminal device, so that the first terminal device establishes a DTLS protocol connection with the second terminal device according to the target hash function and the fingerprint information based on the confirmation information.
• the terminal device #B may encapsulate confirmation information indicating that the terminal device #B has received the target hash function and the fingerprint information into a message that the communication system provides for transmission between the terminal device #B and the gateway device according to the SIP protocol, and transmit the message to the gateway device.
  • the acknowledgment information sent by the second terminal device to the gateway device is carried in the SDP Answer message body in the SIP message sent by the second terminal device to the gateway device.
  • the acknowledgment information can be carried by the message provided in the existing protocol, which improves the versatility and practicability of the present invention.
• the gateway device can receive the message carrying the confirmation information, decapsulate the message based on SIP to obtain the confirmation information, encapsulate the confirmation information into a message that the communication system provides for transmission between the terminal device #A and the gateway device based on the H.323 protocol, and transmit the message to the terminal device #A.
  • the acknowledgment information sent by the gateway device to the first terminal device is carried in an open logical channel response message sent by the gateway device to the first terminal device.
• the open logical channel response (Open Logical Channel Ack) message may be used, so that the acknowledgement information can be carried by a message provided in the existing protocol, thereby improving the versatility and practicability of the present invention.
• the terminal device #A can receive the message carrying the confirmation information, and decapsulate the message based on the H.323 protocol to obtain the confirmation information, thereby determining that the terminal device #B has received the target hash function and the fingerprint information, and then perform the above actions to establish the DTLS protocol connection.
• because the terminal device #B sends the confirmation information to the terminal device #A via the gateway device after receiving the target hash function and the fingerprint information, the terminal device #A can determine, according to the confirmation information, that the terminal device #B has completed its preparation for establishing the DTLS protocol connection; this can further improve the reliability of the method for transmitting data of the embodiment of the present invention.
  • both the terminal device #A and the terminal device #B can know the target hash function and the fingerprint information, and thus, the terminal device #A and the terminal device #B can establish a DTLS protocol connection according to the target hash function and the fingerprint information.
• the terminal device #A can perform security authentication (also referred to as a DTLS handshake) with the terminal device #B according to the target hash function and the fingerprint information.
• the terminal device #A can generate the verification information #A according to the target hash function and the fingerprint information (for example, the terminal device #A can apply the target hash function to the fingerprint information to generate a code), and send the verification information #A to the terminal device #B.
• the terminal device #B can generate the verification information #B according to the target hash function and the fingerprint information (for example, the terminal device #B can apply the target hash function to the fingerprint information to generate a code), and send the verification information #B to the terminal device #A.
• when the terminal device #B determines that the verification information #A transmitted by the terminal device #A coincides with the verification information #B generated by the terminal device #B, the terminal device #B can determine that the terminal device #A passes the security verification, and can establish a DTLS connection with the terminal device #A.
• when the terminal device #A determines that the verification information #B transmitted by the terminal device #B coincides with the verification information #A generated by the terminal device #A, the terminal device #A can determine that the terminal device #B passes the security verification, and can establish a DTLS connection with the terminal device #B.
  • the process of the above-mentioned DTLS handshake is only an exemplary description, and the present invention is not limited thereto.
• the terminal device #A and the terminal device #B may also perform the authentication exchange according to the procedure specified in RFC 6347, and after the authentication is successful, the logical channel is opened for data transmission.
• the terminal device #A and the terminal device #B can transmit related data of the video conference through the DTLS protocol connection.
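The verification step described above for the terminal devices #A and #B (and earlier for #X and #Y), in the form it takes in an RFC 5763 / RFC 8122 DTLS handshake, as an added example that is not code from the patent or the applicant: the fingerprint carried through the gateway in signalling is the digest of the peer's certificate under the negotiated hash function, and the receiving side recomputes that digest over the certificate presented in the handshake and compares the two. The certificate bytes below are a constructed stand-in (not a parseable certificate), and the function names are this example's own.

```python
"""Fingerprint check performed during the DTLS handshake. Added example;
not from the patent. The certificate is a constructed placeholder."""
import hashlib
import hmac
import re

# Hash names as they appear in the SDP a=fingerprint attribute (RFC 8122),
# mapped to hashlib algorithm names.
SDP_HASH_TO_HASHLIB = {
    "sha-1": "sha1",
    "sha-224": "sha224",
    "sha-256": "sha256",
    "sha-384": "sha384",
    "sha-512": "sha512",
}

# a=fingerprint:<hash-func> <hex byte>:<hex byte>:...
_FINGERPRINT_RE = re.compile(
    r"^a=fingerprint:(?P<hash>[A-Za-z0-9-]+)\s+"
    r"(?P<hex>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})*)\s*$"
)

# Constructed stand-in for the DER encoding of a peer's self-signed certificate.
# Real DER starts with a SEQUENCE tag (0x30); the rest is filler, which is enough
# because the fingerprint is a digest over the raw DER bytes whatever they contain.
CONSTRUCTED_PEER_CERT_DER = b"\x30\x82\x01\x00" + b"constructed-cert-" * 16


def compute_fingerprint(cert_der, sdp_hash_name):
    """Digest the DER certificate with the negotiated hash; SDP upper-hex form."""
    algo = SDP_HASH_TO_HASHLIB.get(sdp_hash_name.lower())
    if algo is None:
        raise ValueError("unsupported hash function: %s" % sdp_hash_name)
    digest = hashlib.new(algo, cert_der).digest()
    return ":".join("%02X" % b for b in digest)


def fingerprint_attribute(cert_der, sdp_hash_name):
    """The a=fingerprint line a terminal hands to the gateway for signalling."""
    return "a=fingerprint:%s %s" % (sdp_hash_name.lower(),
                                    compute_fingerprint(cert_der, sdp_hash_name))


def parse_fingerprint_attribute(line):
    """Return (hash name, upper-case hex) after checking syntax, that the hash
    is one we implement, and that the digest length matches the hash."""
    m = _FINGERPRINT_RE.match(line.strip())
    if m is None:
        raise ValueError("malformed a=fingerprint attribute")
    hash_name = m.group("hash").lower()
    algo = SDP_HASH_TO_HASHLIB.get(hash_name)
    if algo is None:
        raise ValueError("unsupported hash function: %s" % hash_name)
    hex_value = m.group("hex").upper()
    if len(hex_value.split(":")) != hashlib.new(algo).digest_size:
        raise ValueError("fingerprint length does not match hash function")
    return hash_name, hex_value


def verify_peer_certificate(cert_der_from_handshake, signalled_line):
    """The check each side performs in the handshake: the digest of the
    certificate the peer presented must equal the fingerprint received through
    signalling. Constant-time comparison so a mismatch leaks no position."""
    hash_name, expected = parse_fingerprint_attribute(signalled_line)
    actual = compute_fingerprint(cert_der_from_handshake, hash_name)
    return hmac.compare_digest(actual.encode("ascii"), expected.encode("ascii"))


if __name__ == "__main__":
    line = fingerprint_attribute(CONSTRUCTED_PEER_CERT_DER, "sha-256")
    print(line)
    print("genuine:", verify_peer_certificate(CONSTRUCTED_PEER_CERT_DER, line))
    print("tampered:", verify_peer_certificate(CONSTRUCTED_PEER_CERT_DER[:-1] + b"X", line))
```

A handshake that presents a certificate whose digest does not match must be aborted, since the fingerprint from signalling is the only thing binding the self-signed DTLS certificate to the peer the session was set up with; a gateway that rewrote or dropped the a=fingerprint line would defeat the check, so it should forward the value unchanged.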
  • the terminal device #A and the terminal device #B can establish an application layer protocol connection, for example, a Stream Control Transmission Protocol (SCTP) connection, and transmit data through the SCTP connection, based on the DTLS protocol connection.
• SCTP is only an exemplary description of the protocol carried over the DTLS connection (SCTP is itself a transport protocol; here it is tunnelled over DTLS), and the present invention is not limited thereto; various other protocols for transmitting data over the DTLS connection are all within the scope of the present invention.
  • a process of establishing an SCTP connection by using a DTLS protocol connection will be described as an example.
  • the method further includes:
• the first terminal device sends a first port number to the gateway device, so that the gateway device forwards the first port number to the second terminal device, where the first port number is the port number used by the first terminal device to establish a Stream Control Transmission Protocol (SCTP) connection based on the DTLS protocol connection;
• the first terminal device receives a second port number forwarded by the gateway device, where the second port number is the port number used by the second terminal device to establish the SCTP connection;
• the first terminal device establishes an SCTP connection with the second terminal device according to the first port number and the second port number, to transmit data through the SCTP connection.
  • the terminal device #A can determine the port numbers available over the DTLS protocol connection, and further, can select from them a port number for establishing the SCTP connection with the terminal device #B (hereinafter, for ease of understanding and distinction, denoted as: port number #A), and the terminal device #A can transmit the port number #A to the gateway device according to the H.323 protocol.
  • the gateway device can receive the port number #A from the terminal device #A according to the H.323 protocol, and transmit the port number #A to the terminal device #B according to the SIP.
  • the terminal device #B can determine the port numbers available over the DTLS protocol connection, and further, can select from them a port number for establishing the SCTP connection with the terminal device #A (hereinafter, for ease of understanding and distinction, denoted as: port number #B), and the terminal device #B can transmit the port number #B to the gateway device according to the SIP.
  • the gateway device can receive the port number #B from the terminal device #B according to the SIP, and transmit the port number #B to the terminal device #A according to the H.323 protocol.
  • the first port number that is sent by the first terminal device to the gateway device is carried in the open logical channel message
  • the second port number sent by the gateway device to the first terminal device is carried in the open logical channel response message
  • the first port number sent by the gateway device to the second terminal device is carried in the SDP Offer message body of the SIP message
  • the second port number sent by the second terminal device to the gateway device is carried in the SDP Answer message body of the SIP message.
  • since, by the time the above messages are exchanged, the terminal device #A and the terminal device #B have already been able to confirm that the DTLS protocol connection is to be established, each of them can select the port number to be used for establishing the SCTP connection and send it to the other party before the DTLS protocol connection is actually established.
  • the terminal device #A can send the selected port number (ie, port number #A) to the gateway device through the above Open Logical Channel message.
  • the gateway device may send the port number selected by the terminal device #B (ie, port number #B) to the terminal device #A through the above Open Logical Channel Ack message.
  • the gateway device can send the port number (ie, port number #A) selected by the terminal device #A to the terminal device #B through the SDP message body of the SIP update message.
  • the terminal device #B can transmit the selected port number (ie, port number #B) to the gateway device through the SDP message body of the SIP update response message described above.
  • the first port number sent by the first terminal device to the gateway device, the target hash function, and the fingerprint information are carried in the same message.
  • the first port number sent by the gateway device to the second terminal device, the target hash function, and the fingerprint information are carried in the same message.
  • the terminal device #A and the gateway device can carry the port number #A, the target hash function, and the fingerprint information in the same message.
  • the terminal device #B and the gateway device can carry the port number #B and the acknowledgment information in the same message.
  • thereby, the terminal device #A and the terminal device #B can each learn the port number used by the other, so that an SCTP connection can be established according to the port numbers and data transmission can be performed; the method and process for establishing the SCTP connection according to the port numbers and transmitting data through the SCTP connection can be similar to those in the prior art, and details are omitted here.
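As an added example, not code from the patent or from its applicant, the following Python renders the parameters that the passage above places in the Open Logical Channel messages and in the SDP Offer/Answer bodies of the SIP leg: the target hash function, the fingerprint information, the SCTP port number and the active/passive role, as a gateway device would emit and parse them. The attribute syntax used (m=application ... UDP/DTLS/SCTP, a=sctp-port, a=fingerprint, a=setup) is assumed from RFC 8841, RFC 8122 and RFC 4145, since the patent text only says the values are carried in the SDP body; all fingerprint strings and port numbers are constructed sample values.

```python
# Added example (not code from the patent): rendering the negotiated DTLS/SCTP
# parameters into an SDP Offer/Answer body and reading them back, plus the
# active/passive role rule. SDP syntax assumed from RFC 8841/8122/4145.
import re
from dataclasses import dataclass


@dataclass
class DtlsSctpParams:
    hash_name: str     # target hash function, e.g. "sha-256"
    fingerprint: str   # fingerprint information in "AB:CD:..." form
    sctp_port: int     # port number #A or #B for the SCTP association
    setup: str         # role: "active", "passive" or "actpass" (either)

    def to_sdp_lines(self):
        """Media section for the SDP Offer (port #A, fingerprint #A) or the
        SDP Answer (port #B, fingerprint #B) sent over the SIP leg."""
        return [
            f"m=application {self.sctp_port} UDP/DTLS/SCTP webrtc-datachannel",
            f"a=sctp-port:{self.sctp_port}",
            f"a=fingerprint:{self.hash_name} {self.fingerprint}",
            f"a=setup:{self.setup}",
        ]


_FINGERPRINT_RE = re.compile(
    r"^a=fingerprint:(\S+)\s+((?:[0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2})$")
_SETUP_VALUES = ("active", "passive", "actpass")


def parse_sdp_lines(lines):
    """Extract the DTLS/SCTP parameters from an SDP body. Missing or malformed
    attributes raise ValueError, so a gateway never carries a half-negotiated
    parameter set into the H.245 Open Logical Channel exchange."""
    hash_name = fp = setup = port = None
    for raw in lines:
        line = raw.strip()
        m = _FINGERPRINT_RE.match(line)
        if m:
            hash_name, fp = m.group(1).lower(), m.group(2).upper()
        elif line.startswith("a=sctp-port:"):
            port = int(line.split(":", 1)[1])
        elif line.startswith("a=setup:"):
            setup = line.split(":", 1)[1]
        elif line.startswith("m=application ") and port is None:
            port = int(line.split()[1])   # fall back to the m= line port
    if None in (hash_name, fp, setup, port):
        raise ValueError("SDP body lacks fingerprint, setup or sctp-port")
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid SCTP port {port}")
    if setup not in _SETUP_VALUES:
        raise ValueError(f"invalid a=setup value {setup!r}")
    return DtlsSctpParams(hash_name, fp, port, setup)


def negotiate_roles(offer_setup, answer_setup):
    """Map offered and answered roles to DTLS handshake roles: 'active'
    initiates the DTLS handshake (DTLS client), 'passive' waits for it
    (DTLS server). The answer must commit to one of the two and must be
    compatible with the offer. Returns (offerer_role, answerer_role), or
    None when the pair is incompatible and no DTLS connection can be set up."""
    compatible = {"actpass": {"active", "passive"},
                  "active": {"passive"},
                  "passive": {"active"}}
    if answer_setup not in compatible.get(offer_setup, set()):
        return None
    if answer_setup == "active":
        return ("server", "client")
    return ("client", "server")


if __name__ == "__main__":
    # constructed sample values; the fingerprints are not from real certificates
    offer = DtlsSctpParams("sha-256", "0A:1B:2C:3D:4E:5F:60:71", 5000, "actpass")
    # constructed SDP Answer from the SIP side: port #B, fingerprint #B, passive
    answer = parse_sdp_lines(["m=application 5001 UDP/DTLS/SCTP webrtc-datachannel",
                              "a=sctp-port:5001",
                              "a=fingerprint:sha-256 FF:EE:DD:CC:BB:AA:99:88",
                              "a=setup:passive"])
    print("\n".join(offer.to_sdp_lines()))
    print(answer, negotiate_roles(offer.setup, answer.setup))
```

The role mapping is the same rule the document states for the H.245 side: the terminal whose supported roles include "active" runs the DTLS handshake as client, the one whose roles include "passive" runs it as server, and an answer that leaves the role open is rejected rather than guessed.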
  • the hash function is negotiated between the terminal device #A and the terminal device #B in the process of establishing the DTLS connection listed above, but the present invention is not limited thereto; other parameters for establishing the DTLS connection may also be determined by a negotiation process between the terminal device #A and the terminal device #B, and that negotiation process is similar to the negotiation process enumerated in the above method 400.
  • in the method for transmitting data according to this embodiment of the present invention, a first terminal device using the H.323 protocol and a second terminal device using SIP negotiate a hash function and fingerprint information via a gateway device, so that a DTLS protocol connection based on the hash function and the fingerprint information can be established between the first terminal device and the second terminal device, and the first terminal device and the second terminal device can transmit data through the DTLS protocol connection, thereby effectively utilizing the security authentication mechanism of the DTLS protocol to improve the security of the transmitted data; moreover, the DTLS protocol can be applied to a terminal device using the H.323 protocol, thereby improving the reliability and practicability of the terminal device and improving the user experience.
  • FIG. 5 is a schematic flowchart of a method 500 for transmitting data according to still another embodiment of the present invention, from the perspective of a second terminal device (a device that communicates with the first terminal device using the H.323 protocol, for example, the above-described terminal device #2); the method 500 is applied to a communication system including a first terminal device and a second terminal device, where the first terminal device communicates with the second terminal device by using the H.323 protocol.
  • the method 500 includes:
  • the second terminal device sends a first hash function list to the first terminal device according to the H.323 protocol, where the first hash function list includes at least one hash function supported by the second terminal device;
  • the second terminal device receives, according to the H.323 protocol, a target hash function sent by the first terminal device and fingerprint information corresponding to the target hash function, where the target hash function is determined by the first terminal device from the first hash function list, and the target hash function belongs to a hash function supported by the first terminal device;
  • the second terminal device establishes a Datagram Transport Layer Security (DTLS) protocol connection with the first terminal device according to the target hash function and the fingerprint information, so as to transmit data between the second terminal device and the first terminal device through the DTLS protocol connection.
  • before the second terminal device receives, according to the H.323 protocol, the target hash function sent by the first terminal device and the fingerprint information corresponding to the target hash function, the method further includes:
  • the second terminal device sends role indication information to the first terminal device according to the H.323 protocol, where the role indication information is used to indicate a role supported by the second terminal device, and the role is "active" or "passive",
  • so that the first terminal device determines the target hash function from the first hash function list when determining that the role supported by the first terminal device includes "active" and the role supported by the second terminal device includes "passive".
  • the role indication information is carried in the same message as the first hash function list.
  • the target hash function is determined by the first terminal device from the first hash function list according to a hash function supported by the first terminal device.
  • the method further includes:
  • the second terminal device receives, according to the H.323 protocol, a second hash function list sent by the first terminal device, where the second hash function list includes at least one hash function supported by the first terminal device;
  • the second terminal device determines the first hash function list according to the second hash function list, so that the hash function included in the first hash function list belongs to the second hash function list.
  • the method further includes:
  • the second terminal device sends confirmation information to the first terminal device according to the H.323 protocol, where the confirmation information is used to indicate that the second terminal device supports the target hash function and the fingerprint information.
  • the first hash function list is carried in a terminal capability set message
  • the target hash function and the fingerprint information are carried in the open logical channel message.
  • the method further includes:
  • the second terminal device receives a first port number sent by the first terminal device, where the first port number is the port number, among the port numbers provided by the DTLS protocol connection, used by the first terminal device to establish a Stream Control Transmission Protocol (SCTP) connection;
  • the second terminal device sends a second port number to the first terminal device, where the second port number is the port number, among the port numbers provided by the DTLS protocol connection, used by the second terminal device to establish the SCTP connection;
  • the second terminal device establishes an SCTP connection with the first terminal device according to the first port number and the second port number, so as to transmit data between the second terminal device and the first terminal device through the SCTP connection.
  • the first port number is carried in the open logical channel message
  • the second port number is carried in the open logical channel acknowledgement message.
  • the first port number is carried in the same message as the target hash function and the fingerprint information.
  • the action of the second terminal device is similar to the action of the terminal device #2 in the method 200, and the action of the first terminal device is similar to the action of the terminal device #1 in the method 200; detailed description is omitted here to avoid redundancy.
  • in the method 500, the first terminal device can negotiate the hash function and the fingerprint information with the second terminal device based on the H.323 protocol, so that a DTLS protocol connection based on the hash function and the fingerprint information can be established between the first terminal device and the second terminal device, and the first terminal device and the second terminal device can transmit data through the DTLS protocol connection, thereby effectively utilizing the security authentication mechanism of the DTLS protocol to improve the security of the transmitted data; moreover, the DTLS protocol can be applied to terminal devices using the H.323 protocol, thereby improving the reliability and practicability of the terminal device and improving the user experience.
  • FIG. 6 is a schematic flowchart of a method 600 for transmitting data according to a further embodiment of the present invention, from the perspective of a first terminal device (ie, a device using the H.323 protocol that communicates, via a gateway device, with a terminal device using SIP; for example, the terminal device #X described above); the method 600 is applied to a communication system including a first terminal device, a second terminal device, and a gateway device, where the first terminal device communicates with the gateway device through the H.323 protocol, and the second terminal device communicates with the gateway device through the Session Initiation Protocol (SIP).
  • the method 600 includes:
  • the first terminal device receives a first hash function list sent by the gateway device, where the first hash function list records at least one first hash function sent by the second terminal device to the gateway device, and the first hash function belongs to a hash function supported by the second terminal device; the first terminal device determines a target first hash function from the first hash function list, and determines first fingerprint information corresponding to the target first hash function, where the target first hash function belongs to a hash function supported by the first terminal device, and the target first hash function and the first fingerprint information are used to authenticate the first terminal device; and the first terminal device sends the target first hash function and the first fingerprint information to the gateway device, so that the gateway device sends the target first hash function and the first fingerprint information to the second terminal device;
  • the first terminal device sends a second hash function list to the gateway device, where the second hash function list includes at least one second hash function supported by the first terminal device, and receives a target second hash function and second fingerprint information sent by the gateway device, where the target second hash function is determined by the second terminal device from part or all of the second hash functions sent by the gateway device, the target second hash function belongs to a hash function supported by the second terminal device, the second fingerprint information is fingerprint information corresponding to the target second hash function, and the target second hash function and the second fingerprint information are used to authenticate the second terminal device;
  • the first terminal device performs authentication processing with the second terminal device according to the target first hash function, the first fingerprint information, the target second hash function, and the second fingerprint information, so as to establish a Datagram Transport Layer Security (DTLS) protocol connection and transmit data with the second terminal device through the DTLS protocol connection.
  • the method further includes:
  • the first terminal device sends a first port number to the gateway device, where the first port number is the port number used by the first terminal device to establish a Stream Control Transmission Protocol (SCTP) connection over the DTLS protocol connection, so that the gateway device sends the first port number to the second terminal device;
  • the first terminal device establishes an SCTP connection with the second terminal device according to the first port number and the second port number, so as to transmit data with the second terminal device through the SCTP connection over the DTLS protocol connection.
  • before the first terminal device performs the authentication processing with the second terminal device according to the target first hash function, the first fingerprint information, the target second hash function, and the second fingerprint information, the method further includes:
  • the first terminal device sends first role indication information to the gateway device, where the first role indication information is used to indicate a role supported by the first terminal device, and the role is at least one of "active" and "passive", so that the gateway device sends the first role indication information to the second terminal device;
  • the first terminal device performing authentication processing with the second terminal device according to the target first hash function, the first fingerprint information, the target second hash function, and the second fingerprint information includes:
  • the first terminal device performs the authentication processing with the second terminal device according to the target first hash function, the first fingerprint information, the target second hash function, the second fingerprint information, the role supported by the first terminal device, and the role supported by the second terminal device.
  • the action of the first terminal device is similar to the action of the terminal device #X in the method 300, the action of the second terminal device is similar to the action of the terminal device #Y in the method 300, and the action of the gateway device is similar to the action of the gateway device in the method 300; detailed description thereof is omitted here to avoid redundancy.
  • in the method 600 for transmitting data, a first terminal device using the H.323 protocol and a second terminal device using SIP negotiate a hash function and fingerprint information through a gateway device, so that a DTLS protocol connection based on the hash function and the fingerprint information can be established between the first terminal device and the second terminal device, and the first terminal device and the second terminal device can transmit data through the DTLS protocol connection, thereby effectively utilizing the security authentication mechanism of the DTLS protocol to improve the security of the transmitted data without forwarding by the gateway device, thereby reducing the burden on the gateway device, improving the transmission performance of the system, and improving the user experience.
  • FIG. 7 is a schematic flowchart of a method 700 for transmitting data according to still another embodiment of the present invention, from the perspective of a first terminal device (ie, a device using the H.323 protocol that communicates, via a gateway device, with a terminal device using SIP; for example, the terminal device #A described above); the method 700 is applied to a communication system including a first terminal device, a second terminal device, and a gateway device, where the first terminal device communicates with the gateway device through the H.323 protocol, and the second terminal device communicates with the gateway device through the Session Initiation Protocol (SIP).
  • the method 700 includes:
  • the first terminal device sends a hash function list to the gateway device, where the hash function list includes at least one hash function supported by the first terminal device, so that the gateway device performs a negotiation process with the second terminal device according to the hash function list to determine at least one candidate hash function from the hash function list, where the candidate hash function belongs to a hash function supported by the second terminal device;
  • the first terminal device determines a target hash function from the candidate hash function, and determines fingerprint information corresponding to the target hash function;
  • the first terminal device sends the target hash function and the fingerprint information to the gateway device, so that the gateway device forwards the target hash function and the fingerprint information to the second terminal device;
  • the first terminal device establishes a Datagram Transport Layer Security (DTLS) protocol connection with the second terminal device according to the target hash function and the fingerprint information, so as to transmit data through the DTLS protocol connection.
  • the candidate hash function is determined by the gateway device according to a verification message sent by the second terminal device, where the verification message is used to indicate whether a to-be-verified hash function sent by the gateway device to the second terminal device is a hash function supported by the second terminal device, and the to-be-verified hash function is any hash function in the hash function list.
  • the candidate hash function is determined by the gateway device according to the to-be-verified hash function when the gateway device determines that the verification message carries the to-be-verified hash function.
  • the to-be-verified hash function sent by the gateway device to the second terminal device is carried in the Session Description Protocol (SDP) Offer message body of the SIP message sent by the gateway device to the second terminal device,
  • the verification message sent by the second terminal device to the gateway device is a SIP message, and
  • the to-be-verified hash function sent by the second terminal device to the gateway device is carried in the SDP Answer message body of that SIP message.
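The gateway-side part of the negotiation just described, as an added example in Python that is not code from the patent or from its applicant: the gateway takes the hash function list received from the first terminal device, sends the second terminal device one SDP Offer per to-be-verified hash function, and treats each SDP Answer as the verification message, keeping as candidates only the hash functions the answer carries. The second terminal device is modelled here by a constructed callable, the a=fingerprint syntax is assumed from RFC 8122, and the fingerprint strings are placeholders, not digests of real certificates.

```python
# Added example (not code from the patent): the gateway device determining the
# candidate hash functions of method 700 by probing the SIP side one hash
# function at a time. The SIP terminal below is a constructed model.


def fingerprint_hash_name(sdp_lines):
    """Hash function named in the a=fingerprint line of an SDP body, or None
    when the body carries no fingerprint at all."""
    for line in sdp_lines:
        line = line.strip()
        if line.startswith("a=fingerprint:"):
            return line[len("a=fingerprint:"):].split()[0].lower()
    return None


def gateway_determine_candidates(hash_function_list, send_offer):
    """For each hash function in the list received over H.245, send an SDP
    Offer carrying that hash function as the to-be-verified one and read the
    SDP Answer (the verification message). A hash function becomes a
    candidate only when the answer carries that same hash function; no
    answer, or an answer naming a different hash function, counts as
    'not supported' for the probed value. An empty result means the two
    terminals share no hash function and no DTLS connection can be set up."""
    candidates = []
    for probed in hash_function_list:
        # the offer's own fingerprint value is a placeholder here; what the
        # probe exercises is the hash-function name
        offer = [f"a=fingerprint:{probed} 00:00:00:00:00:00:00:00",
                 "a=setup:actpass"]
        answer = send_offer(offer)
        if answer is not None and fingerprint_hash_name(answer) == probed.lower():
            candidates.append(probed.lower())
    return candidates


def make_sip_terminal(supported_hashes, fingerprint_placeholder="11:22:33:44:55:66:77:88"):
    """Constructed model of the second terminal device: when it supports the
    probed hash function it answers with its own fingerprint under that
    function, otherwise it returns no answer (a rejection). A real terminal
    would produce a different digest per hash function; a single placeholder
    string stands in for that here."""
    supported = {h.lower() for h in supported_hashes}

    def send_offer(offer_lines):
        probed = fingerprint_hash_name(offer_lines)
        if probed not in supported:
            return None
        return [f"a=fingerprint:{probed} {fingerprint_placeholder}",
                "a=setup:passive"]
    return send_offer


if __name__ == "__main__":
    terminal_b = make_sip_terminal(["sha-256", "sha-1"])
    tcs_from_a = ["sha-512", "sha-256", "sha-1"]   # list from terminal A's capability set
    print(gateway_determine_candidates(tcs_from_a, terminal_b))
    print(gateway_determine_candidates(["sha-512"], terminal_b))  # nothing in common
```

The candidate list is what the gateway places in the terminal capability set it sends back to the first terminal device; the first terminal device then picks its target hash function from that list, and a terminal that receives an empty list has no basis for a fingerprint and should not proceed to the DTLS handshake.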
  • the hash function list sent by the first terminal device to the gateway device is carried in a terminal capability set message sent by the first terminal device to the gateway device,
  • the candidate hash function sent by the gateway device to the first terminal device is carried in the terminal capability set message sent by the gateway device to the first terminal device,
  • the target hash function and the fingerprint information sent by the first terminal device to the gateway device are carried in the open logical channel message sent by the first terminal device to the gateway device.
  • the method further includes:
  • the first terminal device receives confirmation information sent by the gateway device, where the confirmation information is used to indicate that the second terminal device supports the target hash function and the fingerprint information;
  • that the first terminal device establishes a Datagram Transport Layer Security (DTLS) protocol connection with the second terminal device according to the target hash function and the fingerprint information includes:
  • the first terminal device establishes the DTLS protocol connection with the second terminal device according to the target hash function and the fingerprint information on the basis of the confirmation information.
  • the confirmation information sent by the gateway device to the first terminal device is carried in the open logical channel response message sent by the gateway device to the first terminal device.
  • the method further includes:
  • the first terminal device sends a first port number to the gateway device, so that the gateway device forwards the first port number to the second terminal device, where the first port number is the port number, among the port numbers provided by the DTLS protocol connection, used by the first terminal device to establish a Stream Control Transmission Protocol (SCTP) connection;
  • the first terminal device establishes an SCTP connection with the second terminal device according to the first port number and the second port number, so as to transmit data through the SCTP connection.
  • the first port number that is sent by the first terminal device to the gateway device is carried in the open logical channel message
  • the second port number sent by the gateway device to the first terminal device is carried in the open logical channel response message.
  • the first port number sent by the first terminal device to the gateway device, the target hash function, and the fingerprint information are carried in the same message.
  • the action of the first terminal device is similar to the action of the terminal device #A in the method 400, the action of the second terminal device is similar to the action of the terminal device #B in the method 400, and the action of the gateway device is similar to the action of the gateway device in the method 400; detailed description thereof is omitted here to avoid redundancy.
  • in the method 700 for transmitting data, a first terminal device using the H.323 protocol and a second terminal device using SIP negotiate a hash function and fingerprint information through a gateway device, so that a DTLS protocol connection based on the hash function and the fingerprint information can be established between the first terminal device and the second terminal device, and the first terminal device and the second terminal device can transmit data through the DTLS protocol connection, thereby effectively utilizing the security authentication mechanism of the DTLS protocol to improve the security of the transmitted data without forwarding by the gateway device, thereby reducing the burden on the gateway device, improving the transmission performance of the system, and improving the user experience.
  • FIG. 8 shows a schematic block diagram of an apparatus 800 for transmitting data in accordance with an embodiment of the present invention.
  • the device 800 is configured in a communication system including the device 800 and a second terminal device, and the device 800 communicates with the second terminal device by using the H.323 protocol; the device 800 includes:
  • the receiving unit 810 is configured to receive a first hash function list sent by the second terminal device, where the first hash function list includes at least one hash function supported by the second terminal device;
  • the processing unit 820 is configured to determine a first hash function from the first hash function list, and determine first fingerprint information corresponding to the first hash function;
  • the sending unit 830 is configured to send the first hash function and the first fingerprint information to the second terminal device, where the first hash function belongs to a hash function supported by the device 800, and the first hash function and the first fingerprint information are used for authentication of the device 800;
  • the sending unit 830 is further configured to send, to the second terminal device, a second hash function list, where the second hash function list includes at least one hash function supported by the device;
  • the receiving unit 810 is further configured to receive a second hash function and second fingerprint information sent by the second terminal device, where the second hash function is determined by the second terminal device from the second hash function list, the second hash function belongs to a hash function supported by the device 800, the second fingerprint information is fingerprint information corresponding to the second hash function, and the second hash function and the second fingerprint information are used for authentication of the second terminal device;
  • the processing unit 820 is further configured to perform authentication processing with the second terminal device according to the first hash function, the first fingerprint information, the second hash function, and the second fingerprint information, so as to establish a Datagram Transport Layer Security (DTLS) protocol connection and transmit data with the second terminal device through the DTLS protocol connection.
  • the sending unit is further configured to send a first port number to the second terminal device, where the first port number is the port number used by the device 800 to establish a Stream Control Transmission Protocol (SCTP) connection over the DTLS protocol connection;
  • the receiving unit is further configured to receive a second port number sent by the second terminal device, where the second port number is the port number used by the second terminal device to establish the SCTP connection over the DTLS protocol connection;
  • the processing unit is further configured to establish an SCTP connection with the second terminal device according to the first port number and the second port number, so as to transmit data with the second terminal device through the SCTP connection over the DTLS protocol connection.
  • the sending unit is further configured to send first role indication information to the second terminal device, where the first role indication information is used to indicate a role supported by the device 800, and the role is at least one of "active" and "passive";
  • the receiving unit is further configured to receive second role indication information sent by the second terminal device, where the second role indication information is used to indicate a role supported by the second terminal device;
  • the processing unit is specifically configured to perform the authentication processing with the second terminal device according to the first hash function, the first fingerprint information, the second hash function, the second fingerprint information, the role supported by the device 800, and the role supported by the second terminal device.
  • the apparatus 800 for transmitting data may correspond to the first terminal device in the method of the embodiment of the present invention (for example, the corresponding terminal device described above), and the modules in the apparatus 800 for transmitting data and the other operations and/or functions described above are respectively intended to implement the corresponding processes of the method 100 in FIG. 1, and are not described herein again for brevity.
  • the apparatus for transmitting data causes a first terminal device and a second terminal device to negotiate a hash function and fingerprint information based on the H.323 protocol, so that a DTLS protocol connection based on the hash function and the fingerprint information can be established between the first terminal device and the second terminal device, and the first terminal device and the second terminal device can transmit data through the DTLS protocol connection, thereby effectively utilizing the security authentication mechanism of the DTLS protocol to improve the security of the transmitted data; moreover, the DTLS protocol can be applied to terminal devices using the H.323 protocol, thereby improving the reliability and practicability of the terminal device and improving the user experience.
  • FIG. 9 shows a schematic block diagram of an apparatus 900 for transmitting data in accordance with an embodiment of the present invention.
  • the device 900 is configured in a communication system including the device 900 and a second terminal device, and the device 900 communicates with the second terminal device by using the H.323 protocol; the device 900 includes:
  • the receiving unit 910 is configured to receive a first hash function list sent by the second terminal device, where the first hash function list includes at least one hash function supported by the second terminal device;
  • the processing unit 920 is configured to determine a target hash function from the first hash function list, and determine fingerprint information corresponding to the target hash function, where the target hash function belongs to a hash supported by the device function;
  • a sending unit 930 configured to send the target hash function and the fingerprint information to the second terminal device
  • the processing unit 920 is further configured to perform authentication processing with the second terminal device according to the target hash function and the fingerprint information, so as to establish a Datagram Transport Layer Security (DTLS) protocol connection and transmit data with the second terminal device through the DTLS protocol connection.
  • the receiving unit is further configured to receive role indication information sent by the second terminal device, where the role indication information is used to indicate a role supported by the second terminal device, and the role is at least one of "active" and "passive";
  • the processing unit is further configured to determine, according to the role indication information, the role supported by the second terminal device, and to determine the target hash function from the first hash function list when determining that the role supported by the device 900 includes "active" and the role supported by the second terminal device includes "passive".
  • the processing unit is specifically configured to determine a target hash function from the first hash function list according to a hash function supported by the processing unit.
  • the sending unit is further configured to send, to the second terminal device, a second hash function list, where the second hash function list includes at least one hash function supported by the device, so that the second terminal device determines the first hash function list according to the second hash function list, wherein the hash function included in the first hash function list belongs to the second hash function list;
  • the processing unit is specifically configured to determine that any of the hash functions in the first hash function list is a target hash function.
  • the sending unit is further configured to send, to the second terminal device, a first port number, where the first port number is a port number used by the device to establish a flow control transport protocol SCTP connection based on the DTLS protocol connection;
  • the receiving unit is further configured to receive a second port number sent by the second terminal device, where the second port number is a port number used by the second terminal device to establish an SCTP connection based on the DTLS protocol connection;
  • the processing unit is further configured to establish an SCTP connection with the second terminal device according to the first port number and the second port number, to transmit data with the second terminal device through the SCTP connection over the DTLS protocol connection.
  • the apparatus 900 for transmitting data may correspond to a first terminal device (for example, the above-described terminal device #1) in the method of the embodiment of the present invention, and the modules in the apparatus 900 for transmitting data and the other operations and/or functions described above are respectively implemented in order to carry out the corresponding processes of the method 200 in FIG. 2, and are not described herein again for brevity.
  • An apparatus for transmitting data, by causing a first terminal device and a second terminal device to negotiate a hash function and fingerprint information based on an H.323 protocol, can establish a DTLS protocol connection based on the hash function and the fingerprint information between the first terminal device and the second terminal device, so that the first terminal device and the second terminal device can transmit data through the DTLS protocol connection, thereby effectively utilizing the DTLS protocol security authentication mechanism to improve the security of the transmitted data, and can make the DTLS protocol applicable to terminal devices using the H.323 protocol, thereby improving the reliability and practicability of the terminal device and improving the user experience.
  • FIG. 10 shows a schematic block diagram of an apparatus 1000 for transmitting data in accordance with an embodiment of the present invention.
  • the device 1000 is configured in a communication system including a first terminal device and the device 1000.
  • the device 1000 communicates with the first terminal device through an H.323 protocol, and the device 1000 includes:
  • a sending unit 1100 configured to send, to the first terminal device, a first hash function list, where the first hash function list includes at least one hash function supported by the device;
  • the receiving unit 1200 is configured to receive a target hash function sent by the first terminal device and fingerprint information corresponding to the target hash function, where the target hash function is the first terminal device from the first hash Determined in the function list, and the target hash function belongs to a hash function supported by the first terminal device;
  • the processing unit 1300 is configured to perform authentication processing with the first terminal device according to the target hash function and the fingerprint information, to establish a data packet transport layer security protocol DTLS protocol connection, and to transmit data with the first terminal device through the DTLS protocol connection.
  • the sending unit is further configured to send, to the first terminal device, role indication information, where the role indication information is used to indicate a role supported by the device, where the role is at least one of “active” or “passive”.
  • the target hash function is determined by the first terminal device from the first hash function list when the first terminal device determines that the role supported by the first terminal device includes “active” and the role supported by the device includes “passive”.
  • the target hash function is determined by the first terminal device from the first hash function list according to a hash function supported by the first terminal device.
  • the receiving unit is further configured to receive a second hash function list sent by the first terminal device, where the second hash function list includes at least one hash function supported by the first terminal device;
  • the processing unit is further configured to determine the first hash function list according to the second hash function list, so that the hash function included in the first hash function list belongs to the second hash function list.
  • the receiving unit is further configured to receive a first port number sent by the first terminal device, where the first port number is a port number used by the first terminal device to establish a flow control transport protocol SCTP connection based on the DTLS protocol connection;
  • the sending unit is further configured to send a second port number to the first terminal device, where the second port number is a port number used by the device to establish an SCTP connection based on the DTLS protocol connection;
  • the processing unit is further configured to establish an SCTP connection with the first terminal device according to the first port number and the second port number, to transmit data with the first terminal device through the SCTP connection on the DTLS protocol connection.
  • the apparatus 1000 for transmitting data may correspond to a second terminal device (for example, the above-described terminal device #2) in the method of the embodiment of the present invention, and the modules in the apparatus 1000 for transmitting data and the other operations and/or functions described above are respectively implemented in order to carry out the corresponding processes of the method 500 in FIG. 5, and are not described herein again for brevity.
  • An apparatus for transmitting data, by causing a first terminal device and a second terminal device to negotiate a hash function and fingerprint information based on an H.323 protocol, can establish a DTLS protocol connection based on the hash function and the fingerprint information between the first terminal device and the second terminal device, so that the first terminal device and the second terminal device can transmit data through the DTLS protocol connection, thereby effectively utilizing the DTLS protocol security authentication mechanism to improve the security of the transmitted data, and can make the DTLS protocol applicable to terminal devices using the H.323 protocol, thereby improving the reliability and practicability of the terminal device and improving the user experience.
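The two-terminal exchange of FIG. 9 and FIG. 10, as an added example that is not part of the patent text: terminal #2 sends its first hash function list and role indication, terminal #1 (the "active" side) picks the target hash function, computes the fingerprint of its certificate with it, and terminal #2 later checks the certificate presented in the DTLS handshake against that fingerprint. `Terminal`, `negotiate`, the preference order, the dict messages and the certificate bytes are assumptions made for this example, not H.323 signalling from the patent.

```python
"""Added example (not from the patent): H.323 hash-function / fingerprint
negotiation between two terminals and the DTLS-side fingerprint check."""
import hashlib
import hmac
from dataclasses import dataclass

# Assumed preference order applied when several hash functions are common.
PREFERENCE = ("sha-512", "sha-384", "sha-256", "sha-1")
_HASHLIB_NAMES = {"sha-1": "sha1", "sha-256": "sha256",
                  "sha-384": "sha384", "sha-512": "sha512"}


def fingerprint(hash_name: str, cert_der: bytes) -> str:
    """Fingerprint information: hash of the terminal's DER certificate as
    colon-separated upper-case hex (the SDP a=fingerprint style, assumed)."""
    digest = hashlib.new(_HASHLIB_NAMES[hash_name], cert_der).digest()
    return ":".join(f"{b:02X}" for b in digest)


@dataclass
class Terminal:
    name: str
    supported: tuple            # hash functions this terminal supports
    roles: frozenset            # subset of {"active", "passive"}
    cert_der: bytes             # constructed certificate bytes
    sctp_port: int              # port for SCTP over the DTLS connection
    peer_fingerprint: tuple = None   # (hash function, fingerprint) of peer
    peer_sctp_port: int = None

    # ---- terminal #2 (apparatus 1000) -----------------------------------
    def first_hash_list(self, second_hash_list=None) -> dict:
        """Build the first hash function list plus role indication and SCTP
        port.  When the peer's second hash function list is known, the first
        list is restricted to functions that belong to it."""
        hashes = [h for h in self.supported
                  if second_hash_list is None or h in second_hash_list]
        return {"hash_list": hashes, "roles": sorted(self.roles),
                "sctp_port": self.sctp_port}

    # ---- terminal #1 (apparatus 900) ------------------------------------
    def choose_target(self, offer: dict) -> dict:
        """Determine the target hash function from the first hash function
        list: only when this side supports 'active' and the peer supports
        'passive', and only among functions this side also supports."""
        if "active" not in self.roles or "passive" not in offer["roles"]:
            raise ValueError("role indication does not let this side decide")
        common = [h for h in offer["hash_list"] if h in self.supported]
        if not common:
            raise ValueError("no hash function supported by both terminals")
        target = min(common, key=PREFERENCE.index)
        self.peer_sctp_port = offer["sctp_port"]
        return {"target": target,
                "fingerprint": fingerprint(target, self.cert_der),
                "sctp_port": self.sctp_port}

    # ---- authentication process (DTLS side) -----------------------------
    def record_peer(self, answer: dict) -> None:
        self.peer_fingerprint = (answer["target"], answer["fingerprint"])
        self.peer_sctp_port = answer["sctp_port"]

    def authenticate_peer_cert(self, presented_cert_der: bytes) -> bool:
        """The certificate the peer presents in the DTLS handshake must hash,
        under the negotiated target function, to the fingerprint announced
        over signalling.  Constant-time compare avoids a timing oracle."""
        hash_name, announced = self.peer_fingerprint
        return hmac.compare_digest(
            fingerprint(hash_name, presented_cert_der), announced)


def negotiate(t1: Terminal, t2: Terminal):
    """Run the FIG. 9 / FIG. 10 exchange.  Returns the target hash function,
    whether t2 accepted t1's DTLS certificate, and the SCTP port pair."""
    offer = t2.first_hash_list(second_hash_list=t1.supported)   # t2 -> t1
    answer = t1.choose_target(offer)                            # t1 -> t2
    t2.record_peer(answer)
    accepted = t2.authenticate_peer_cert(t1.cert_der)           # DTLS handshake
    return answer["target"], accepted, (t1.sctp_port, t2.sctp_port)


if __name__ == "__main__":
    term1 = Terminal("T1", ("sha-256", "sha-512", "sha-1"), frozenset({"active"}),
                     b"constructed DER certificate of T1", 5000)
    term2 = Terminal("T2", ("sha-1", "sha-256"), frozenset({"passive"}),
                     b"constructed DER certificate of T2", 5001)
    print(negotiate(term1, term2))                      # ('sha-256', True, (5000, 5001))
    print(term2.authenticate_peer_cert(b"other cert"))  # False: fingerprint mismatch
```

A certificate swapped in during the DTLS handshake fails the fingerprint comparison, which is the property the negotiated fingerprint information provides.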
  • FIG. 11 shows a schematic block diagram of an apparatus 1100 for transmitting data in accordance with an embodiment of the present invention.
  • the device 1100 is configured in a communication system including a first terminal device, a second terminal device, and the device, where the device 1100 communicates with the first terminal device by using an H.323 protocol, and the device 1100 communicates with the second terminal device via SIP, and the apparatus 1100 includes:
  • the receiving unit 1110 is configured to receive at least one first hash function sent by the second terminal device, where the first hash function belongs to a hash function supported by the second terminal device, and to receive a second hash function list sent by the first terminal device, the second hash function list including at least one second hash function supported by the first terminal device;
  • the sending unit 1120 is configured to send, to the first terminal device, a first hash function list recorded with the first hash function, and send part or all of the second hash function to the second terminal device;
  • the receiving unit 1110 is further configured to receive the target first hash function and the first fingerprint information sent by the first terminal device, and to receive the target second hash function and the second fingerprint information sent by the second terminal device, where the target first hash function is determined by the first terminal device from the first hash function list, the target first hash function belongs to a hash function supported by the first terminal device, the first fingerprint information is fingerprint information corresponding to the target first hash function, and the target first hash function and the first fingerprint information are used to authenticate the first terminal device; and where the target second hash function is determined by the second terminal device from part or all of the second hash functions, the target second hash function belongs to a hash function supported by the second terminal device, the second fingerprint information is fingerprint information corresponding to the target second hash function, and the target second hash function and the second fingerprint information are used to authenticate the second terminal device;
  • the sending unit 1120 is further configured to send the target first hash function and the first fingerprint information to the second terminal device, and to send the target second hash function and the second fingerprint information to the first terminal device, so that the first terminal device and the second terminal device perform authentication processing according to the target first hash function, the first fingerprint information, the target second hash function, and the second fingerprint information to establish a data packet transport layer security protocol DTLS protocol connection, and transmit data through the DTLS protocol connection.
  • the receiving unit is further configured to receive first role indication information sent by the first terminal device and second role indication information sent by the second terminal device, where the first role indication information is used to indicate a role supported by the first terminal device, the second role indication information is used to indicate a role supported by the second terminal device, and the role is at least one of “active” and “passive”;
  • the sending unit is further configured to send the first role indication information to the second terminal device, and to send the second role indication information to the first terminal device, so that the first terminal device and the second terminal device perform authentication processing according to the target first hash function, the first fingerprint information, the target second hash function, the second fingerprint information, the role supported by the first terminal device, and the role supported by the second terminal device.
  • the receiving unit is further configured to receive a first port number sent by the first terminal device and a second port number sent by the second terminal device, where the first port number is used by the first terminal device Establishing a port number of the flow control transport protocol SCTP connection based on the DTLS protocol connection, where the second port number is a port number used by the second terminal device to establish an SCTP connection based on the DTLS protocol connection;
  • the sending unit is further configured to forward the first port number to the second terminal device, and to forward the second port number to the first terminal device, so that the first terminal device and the second terminal device establish an SCTP connection according to the first port number and the second port number, and transmit data through the SCTP connection.
  • the apparatus 1100 for transmitting data may correspond to a gateway device in the method of the embodiment of the present invention, and each unit in the apparatus 1100 for transmitting data, that is, each module, and the other operations and/or functions described above are respectively implemented in order to carry out the corresponding process of the method 300 in FIG. 3, and are not described herein for brevity.
  • the first terminal device and the second terminal device negotiate a security parameter via the gateway device, and can establish a DTLS protocol connection based on the security parameter between the first terminal device and the second terminal device, so that the first terminal device and the second terminal device can transmit data through the DTLS protocol connection without forwarding by the gateway device, thereby reducing the burden on the gateway device, improving the transmission performance of the system, and improving the user experience.
  • the apparatus for transmitting data according to an embodiment of the present invention, by causing the first terminal device using the H.323 protocol and the second terminal device using SIP to negotiate a hash function and fingerprint information via the gateway device, can establish a DTLS protocol connection based on the hash function and the fingerprint information between the first terminal device and the second terminal device, so that the first terminal device and the second terminal device can transmit data through the DTLS protocol connection, thereby effectively utilizing the DTLS protocol security authentication mechanism to improve the security of the transmitted data, and can make the DTLS protocol applicable to the terminal device using the H.323 protocol, thereby improving the reliability and practicability of the terminal device and improving the user experience.
  • FIG. 12 shows a schematic block diagram of an apparatus 1200 for transmitting data in accordance with an embodiment of the present invention.
  • the device 1200 is configured in a communication system including the device 1200, the second terminal device, and the gateway device, where the device 1200 communicates with the gateway device through the H.323 protocol, and the gateway device and the second terminal device communicate with each other through SIP, and the device 1200 includes:
  • the receiving unit 1210 is configured to receive a first hash function list sent by the gateway device, where the first hash function list records at least one first hash function sent by the second terminal device to the gateway device, The first hash function belongs to a hash function supported by the second terminal device;
  • the processing unit 1220 is configured to determine a target first hash function from the first hash function list, and determine first fingerprint information corresponding to the target first hash function, where the target first hash function a hash function supported by the device, the target first hash function and the first fingerprint information being used for authentication of the device;
  • the sending unit 1230 is configured to send the target first hash function and the first fingerprint information to the gateway device, so that the gateway device sends the target first hash function and the first fingerprint information to the second terminal device;
  • the sending unit 1230 is further configured to send, to the gateway device, a second hash function list, where the second hash function list includes at least one second hash function supported by the device;
  • the receiving unit 1210 is further configured to receive the target second hash function and the second fingerprint information sent by the gateway device, where the target second hash function is determined by the second terminal device from part or all of the second hash functions sent by the gateway device, the target second hash function belongs to a hash function supported by the second terminal device, the second fingerprint information is fingerprint information corresponding to the target second hash function, and the target second hash function and the second fingerprint information are used to authenticate the second terminal device;
  • the processing unit 1220 is further configured to perform authentication processing with the second terminal device according to the target first hash function, the first fingerprint information, the target second hash function, and the second fingerprint information, to establish a data packet transport layer security protocol DTLS protocol connection, and to transmit data with the second terminal device through the DTLS protocol connection.
  • the sending unit is further configured to send, to the gateway device, a first port number, where the first port number is a port number used by the device to establish a flow control transport protocol SCTP connection based on the DTLS protocol connection, So that the gateway device sends the first port number to the second terminal device;
  • the receiving unit is further configured to receive a second port number sent by the gateway device, where the second port number is sent by the second terminal device to the gateway device, and the second port number is used by the second terminal device a port number used to establish an SCTP connection based on the DTLS protocol connection;
  • the processing unit is further configured to establish an SCTP connection with the second terminal device according to the first port number and the second port number, to transmit data between the SCTP connection and the second terminal device on the DTLS protocol connection.
  • the sending unit is further configured to send, to the gateway device, first role indication information, where the first role indication information is used to indicate a role supported by the device, where the role is at least one of “active” and “passive”, so that the gateway device sends the first role indication information to the second terminal device;
  • the receiving unit is further configured to receive the second role indication information that is sent by the gateway device, where the second role indication information is sent by the second terminal device to the gateway device, and the second role indication information is used to indicate the second The role supported by the terminal device;
  • the processing unit is specifically configured to perform an authentication process with the second terminal device according to the target first hash function, the first fingerprint information, the target second hash function, the second fingerprint information, the role supported by the device, and the role supported by the second terminal device.
  • the apparatus 1200 for transmitting data may correspond to a first terminal device (for example, the above-described terminal device #X) in the method of the embodiment of the present invention, and the modules in the apparatus 1200 for transmitting data and the other operations and/or functions described above are respectively implemented in order to carry out the corresponding processes of the method 600 in FIG. 6, and are not described herein again for brevity.
  • the first terminal device and the second terminal device negotiate a security parameter via the gateway device, and can establish a DTLS protocol connection based on the security parameter between the first terminal device and the second terminal device, so that the first terminal device and the second terminal device can transmit data through the DTLS protocol connection without forwarding by the gateway device, thereby reducing the burden on the gateway device, improving the transmission performance of the system, and improving the user experience.
  • the apparatus for transmitting data according to an embodiment of the present invention, by causing the first terminal device using the H.323 protocol and the second terminal device using SIP to negotiate a hash function and fingerprint information via the gateway device, can establish a DTLS protocol connection based on the hash function and the fingerprint information between the first terminal device and the second terminal device, so that the first terminal device and the second terminal device can transmit data through the DTLS protocol connection, thereby effectively utilizing the DTLS protocol security authentication mechanism to improve the security of the transmitted data, and can make the DTLS protocol applicable to the terminal device using the H.323 protocol, thereby improving the reliability and practicability of the terminal device and improving the user experience.
  • FIG. 13 shows a schematic block diagram of an apparatus 1300 for transmitting data in accordance with an embodiment of the present invention.
  • the device 1300 is configured in a communication system including a first terminal device, a second terminal device, and the device, where the device 1300 communicates with the first terminal device by using an H.323 protocol, and the device 1300 communicates with the second terminal device via SIP, and the apparatus 1300 includes:
  • the receiving unit 1310 is configured to receive a hash function list sent by the first terminal device, where the hash function list includes at least one hash function supported by the first terminal device;
  • the processing unit 1320 is configured to perform a negotiation process with the second terminal device according to the hash function list, to determine at least one candidate hash function from the hash function list, where the candidate hash function belongs to a hash function supported by the second terminal device;
  • the sending unit 1330 is configured to send the candidate hash function to the first terminal device, so that the first terminal device determines the target hash function from the candidate hash function, and determines that the target hash function is Corresponding fingerprint information;
  • the receiving unit 1310 is further configured to receive the target hash function and the fingerprint information sent by the first terminal device;
  • the sending unit 1330 is further configured to send the target hash function and the fingerprint information to the second terminal device, so that the first terminal device and the second terminal device perform authentication processing according to the target hash function and the fingerprint information, establish a data packet transport layer security protocol DTLS protocol connection, and transmit data through the DTLS protocol connection.
  • the sending unit is further configured to send, to the second terminal device, a hash function to be verified, where the to-be-verified hash function is any hash function in the hash function list;
  • the receiving unit is further configured to receive a verification message sent by the second terminal device, where the verification message is used to indicate whether the to-be-verified hash function belongs to a hash function supported by the second terminal device;
  • the processing unit is specifically configured to determine, according to the verification message, that the to-be-verified hash function belongs to a hash function supported by the second terminal device, and determine the to-be-verified hash function as an alternate hash function.
  • the processing unit is specifically configured to: when determining that the verification message carries the to-be-verified hash function, determine that the to-be-verified hash function belongs to a hash function supported by the second terminal device, and determine the to-be-verified hash function as an alternate hash function.
  • the receiving unit is further configured to receive a first port number sent by the first terminal device and a second port number sent by the second terminal device, where the first port number is used by the first terminal device Establishing a port number of the flow control transport protocol SCTP connection based on the DTLS protocol connection, where the second port number is a port number used by the second terminal device to establish an SCTP connection based on the DTLS protocol connection;
  • the sending unit is further configured to forward the first port number to the second terminal device, and to forward the second port number to the first terminal device, so that the first terminal device and the second terminal device establish an SCTP connection according to the first port number and the second port number, and transmit data through the SCTP connection.
  • the apparatus 1300 for transmitting data may correspond to a gateway device in the method of the embodiment of the present invention, and each unit in the apparatus 1300 for transmitting data, that is, each module, and the other operations and/or functions described above are respectively implemented in order to carry out the corresponding process of the method 400 in FIG. 4, and are not described herein for brevity.
  • the first terminal device and the second terminal device negotiate a security parameter via the gateway device, and can establish a DTLS protocol connection based on the security parameter between the first terminal device and the second terminal device, so that the first terminal device and the second terminal device can transmit data through the DTLS protocol connection without forwarding by the gateway device, thereby reducing the burden on the gateway device, improving the transmission performance of the system, and improving the user experience.
  • the apparatus for transmitting data according to an embodiment of the present invention, by causing the first terminal device using the H.323 protocol and the second terminal device using SIP to negotiate a hash function and fingerprint information via the gateway device, can establish a DTLS protocol connection based on the hash function and the fingerprint information between the first terminal device and the second terminal device, so that the first terminal device and the second terminal device can transmit data through the DTLS protocol connection, thereby effectively utilizing the DTLS protocol security authentication mechanism to improve the security of the transmitted data, and enables the DTLS protocol to be applied to the terminal device using the H.323 protocol, thereby improving the reliability and practicability of the terminal device and improving the user experience.
  • FIG. 14 shows a schematic block diagram of an apparatus 1400 for transmitting data in accordance with an embodiment of the present invention.
  • the device 1400 is configured in a communication system including the device 1400, the second terminal device, and the gateway device, where the device 1400 communicates with the gateway device through the H.323 protocol, and the gateway device and the second terminal device communicate with each other through SIP, and the device 1400 includes:
  • a sending unit 1410 configured to send, to the gateway device, a hash function list, where the hash function list includes at least one hash function supported by the device, so that the gateway device performs a negotiation process with the second terminal device according to the hash function list, to determine at least one candidate hash function from the hash function list, wherein the candidate hash function belongs to a hash function supported by the second terminal device;
  • the receiving unit 1420 is configured to receive the candidate hash function sent by the gateway device.
  • the processing unit 1430 is configured to determine a target hash function from the candidate hash function, and determine fingerprint information corresponding to the target hash function;
  • the sending unit 1410 is further configured to send the target hash function and the fingerprint information to the gateway device, so that the gateway device forwards the target hash function and the fingerprint information to the second terminal;
  • the processing unit 1430 is further configured to perform an authentication process with the second terminal device according to the target hash function and the fingerprint information to establish a data packet transport layer security protocol DTLS protocol connection, and to transmit data through the DTLS protocol connection.
  • the sending unit is further configured to send a first port number to the gateway device, so that the gateway device forwards the first port number to the second terminal device, where the first port number is a port number used by the device to establish a flow control transport protocol SCTP connection based on the DTLS protocol connection;
  • the receiving unit is further configured to receive a second port number sent by the gateway device, where the second port number is sent by the second terminal device to the gateway device, where the second port number is used by the second terminal device a port number for establishing an SCTP connection based on the DTLS protocol connection;
  • the processing unit is further configured to establish an SCTP connection with the second terminal device according to the first port number and the second port number to transmit data through the SCTP connection.
  • the apparatus 1400 for transmitting data may correspond to a first terminal device (for example, the above-described terminal device #A) in the method of the embodiment of the present invention, and the modules in the apparatus 1400 for transmitting data and the other operations and/or functions described above are respectively implemented in order to carry out the corresponding processes of the method 700 in FIG. 7, and are not described herein again for brevity.
  • the first terminal device and the second terminal device negotiate a security parameter via the gateway device, and can establish a DTLS protocol connection based on the security parameter between the first terminal device and the second terminal device, so that the first terminal device and the second terminal device can transmit data through the DTLS protocol connection without forwarding by the gateway device, thereby reducing the burden on the gateway device, improving the transmission performance of the system, and improving the user experience.
  • the apparatus for transmitting data according to an embodiment of the present invention, by causing the first terminal device using the H.323 protocol and the second terminal device using SIP to negotiate a hash function and fingerprint information via the gateway device, can establish a DTLS protocol connection based on the hash function and the fingerprint information between the first terminal device and the second terminal device, so that the first terminal device and the second terminal device can transmit data through the DTLS protocol connection, thereby effectively utilizing the DTLS protocol security authentication mechanism to improve the security of the transmitted data, and can make the DTLS protocol applicable to the terminal device using the H.323 protocol, thereby improving the reliability and practicability of the terminal device and improving the user experience.
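The gateway-mediated negotiation of FIG. 13 (apparatus 1300, the gateway) and FIG. 14 (apparatus 1400, the H.323 terminal), as an added example that is not part of the patent text: the gateway sends each entry of the terminal's hash function list to the SIP terminal as a to-be-verified hash function, keeps those that the verification message carries back as candidates, returns them to the H.323 terminal, and forwards the chosen target hash function and fingerprint. `Gateway`, `H323Terminal`, `SipTerminal`, the dict messages and the certificate bytes are assumptions made for this example.

```python
"""Added example (not from the patent): gateway-side candidate verification
and forwarding of the target hash function and fingerprint."""
import hashlib
import hmac

_HASHLIB_NAMES = {"sha-1": "sha1", "sha-256": "sha256",
                  "sha-384": "sha384", "sha-512": "sha512"}


def fingerprint(hash_name: str, cert_der: bytes) -> str:
    """Fingerprint information: hash of the DER certificate as colon-hex."""
    digest = hashlib.new(_HASHLIB_NAMES[hash_name], cert_der).digest()
    return ":".join(f"{b:02X}" for b in digest)


class SipTerminal:
    """Second terminal device (SIP side of the gateway)."""

    def __init__(self, supported, cert_der: bytes):
        self.supported = set(supported)
        self.cert_der = cert_der
        self.peer = None            # (target hash function, fingerprint)

    def verify(self, to_be_verified: str) -> dict:
        """Verification message: carries the hash function back only when
        it is supported; an empty message signals 'not supported'."""
        if to_be_verified in self.supported:
            return {"verified": to_be_verified}
        return {}

    def receive_target(self, msg: dict) -> None:
        self.peer = (msg["target"], msg["fingerprint"])

    def authenticate(self, presented_cert_der: bytes) -> bool:
        """DTLS authentication: the presented certificate must match the
        fingerprint forwarded by the gateway (constant-time compare)."""
        hash_name, announced = self.peer
        return hmac.compare_digest(
            fingerprint(hash_name, presented_cert_der), announced)


class Gateway:
    """Apparatus 1300: H.323 towards terminal #1, SIP towards terminal #2."""

    def __init__(self):
        self.offered = []   # candidate hash functions last sent to the H.323 side
        self.log = []       # (to-be-verified hash function, supported?) records

    def negotiate_candidates(self, hash_list, sip: SipTerminal) -> list:
        """Send every hash function of the list as a to-be-verified hash
        function and keep those the verification message carries back."""
        candidates = []
        for h in hash_list:
            reply = sip.verify(h)
            supported = reply.get("verified") == h
            self.log.append((h, supported))
            if supported:
                candidates.append(h)
        if not candidates:
            raise ValueError("no hash function supported by both terminals")
        self.offered = candidates
        return candidates

    def forward_target(self, msg: dict, sip: SipTerminal) -> None:
        """Forward target hash function and fingerprint to the SIP terminal.
        A target the gateway never verified with terminal #2 is refused."""
        if msg["target"] not in self.offered:
            raise ValueError(f"target {msg['target']!r} was not a candidate")
        sip.receive_target(msg)


class H323Terminal:
    """Apparatus 1400; `supported` is in the terminal's own preference order."""

    def __init__(self, supported, cert_der: bytes):
        self.supported = tuple(supported)
        self.cert_der = cert_der

    def choose_target(self, candidates) -> dict:
        """Candidates keep the order of this terminal's list, so the first
        one is the most preferred function both sides support."""
        target = candidates[0]
        return {"target": target,
                "fingerprint": fingerprint(target, self.cert_der)}


def run(h323: H323Terminal, gw: Gateway, sip: SipTerminal):
    """FIG. 13 / FIG. 14 flow end to end: (target, candidates, accepted)."""
    candidates = gw.negotiate_candidates(h323.supported, sip)
    msg = h323.choose_target(candidates)
    gw.forward_target(msg, sip)
    accepted = sip.authenticate(h323.cert_der)      # DTLS handshake check
    return msg["target"], candidates, accepted


if __name__ == "__main__":
    gw = Gateway()
    print(run(H323Terminal(("sha-384", "sha-256", "sha-1"), b"constructed cert A"),
              gw, SipTerminal({"sha-1", "sha-256"}, b"constructed cert B")))
    print(gw.log)   # [('sha-384', False), ('sha-256', True), ('sha-1', True)]
```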
  • FIG. 15 shows a schematic block diagram of an apparatus 1500 for transmitting data in accordance with an embodiment of the present invention.
  • the device 1500 communicates with the second terminal device by using an H.323 protocol, and the device 1500 includes:
  • processor 1520 connected to the bus 1510;
  • a memory 1530 connected to the bus 1510;
  • transceiver 1540 connected to the bus 1510;
  • the processor 1520, by using the bus 1510, invokes a program stored in the memory 1530 for controlling the transceiver to receive a first hash function list sent by the second terminal device, where the first hash function list includes at least one hash function supported by the second terminal device, and for determining a first hash function from the first hash function list;
  • the processor is further configured to control the transceiver to send the first hash function and first fingerprint information to the second terminal device, where the first hash function belongs to the hash functions supported by the device 1500, and the first hash function and the first fingerprint information are used for authentication of the device 1500;
  • the processor is further configured to control the transceiver to send a second hash function list to the second terminal device, the second hash function list including at least one hash function supported by the device 1500;
  • the processor is further configured to control the transceiver to receive a second hash function and second fingerprint information sent by the second terminal device, where the second hash function is determined by the second terminal device from the second hash function list and belongs to the hash functions supported by the device 1500, the second fingerprint information is the fingerprint information corresponding to the second hash function, and the second hash function and the second fingerprint information are used to authenticate the second terminal device;
  • the processor is further configured to control the transceiver to send a first port number to the second terminal device, where the first port number is the port number used by the device 1500 to establish a stream control transmission protocol (SCTP) connection based on the DTLS protocol connection;
  • the processor is further configured to control the transceiver to send first role indication information to the second terminal device, where the first role indication information is used to indicate a role supported by the device 1500, and the role is at least one of "active" and "passive";
  • so that the second terminal device performs authentication processing according to the first hash function, the first fingerprint information, the second hash function, the second fingerprint information, the role supported by the device 1500, and the role supported by the second terminal device.
  • device 1500 may be embedded or may itself be a terminal device such as a video conferencing terminal, and may also include a carrier that houses the transmitting circuitry and the receiving circuitry to allow for data transmission and reception between device 1500 and a remote location.
  • the bus 1510 may include, in addition to the data bus, a power bus, a control bus, and a status signal bus. However, for the sake of clarity, the various buses are labeled as bus 1510 in the figure.
  • the processor may implement or perform the steps and logic blocks disclosed in the method embodiments of the present invention.
  • the general purpose processor may be a microprocessor, or the processor may be any conventional processor, decoder, or the like.
  • the steps of the method disclosed in the embodiments of the present invention may be directly implemented by the hardware processor, or may be performed by a combination of hardware and software modules in the decoding processor.
  • the software module can be located in a conventional storage medium such as random access memory, flash memory, read only memory, programmable read only memory or electrically erasable programmable memory, registers, and the like.
  • the processor 1520 may be a central processing unit (CPU), and the processor 1520 may also be another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like.
  • the general purpose processor may be a microprocessor or the processor or any conventional processor or the like.
  • the memory 1530 can include read only memory and random access memory and provides instructions and data to the processor. A portion of the memory 1530 may also include a non-volatile random access memory. For example, the memory 1530 can also store information of the device type.
  • each step of the above method may be completed by an integrated logic circuit of hardware in the processor 1520 or an instruction in a form of software.
  • the steps of the method disclosed in the embodiments of the present invention may be directly implemented as a hardware processor, or may be performed by a combination of hardware and software modules in the processor.
  • the software module can be located in a conventional storage medium such as random access memory, flash memory, read only memory, programmable read only memory or electrically erasable programmable memory, registers, and the like.
  • the storage medium is located in the memory 1530, and the processor 1520 reads the information in the memory 1530 and performs the steps of the above method in combination with its hardware. To avoid repetition, it will not be described in detail here.
  • the apparatus 1500 for transmitting data may correspond to a first terminal device (for example, the above-described terminal device # ⁇ ) in the method of the embodiment of the present invention, and the modules and the other operations and/or functions in the device 1500 for transmitting data are respectively configured to implement the corresponding processes of the method 100 in FIG. 1, and are not described herein again for brevity.
  • An apparatus for transmitting data according to an embodiment of the present invention, by causing a first terminal device and a second terminal device to negotiate a hash function and fingerprint information based on the H.323 protocol, enables a DTLS protocol connection based on the hash function and the fingerprint information to be established between the first terminal device and the second terminal device, so that the first terminal device and the second terminal device can transmit data through the DTLS protocol connection, thereby effectively utilizing the DTLS protocol security authentication mechanism to improve the security of the transmitted data, and making the DTLS protocol applicable to terminal devices using the H.323 protocol, thereby improving the reliability and practicability of the terminal device and improving the user experience.
  • FIG. 16 shows a schematic block of an apparatus 1600 for transmitting data in accordance with an embodiment of the present invention.
  • the device 1600 communicates with the second terminal device through the H.323 protocol, and the device 1600 includes:
  • processor 1620 connected to the bus 1610;
  • a memory 1630 connected to the bus 1610;
  • transceiver 1640 connected to the bus 1610;
  • the processor 1620, by using the bus 1610, invokes a program stored in the memory 1630 for controlling the transceiver to receive a first hash function list sent by the second terminal device, where the first hash function list includes at least one hash function supported by the second terminal device;
  • the processor is further configured to control the transceiver to receive role indication information sent by the second terminal device, where the role indication information is used to indicate a role supported by the second terminal device, and the role is at least one of "active" and "passive";
  • the target hash function is determined from the first hash function list.
  • the processor is specifically configured to determine a target hash function from the first hash function list according to the hash functions supported by the processor.
  • the processor is further configured to control the transceiver to send a second hash function list to the second terminal device, where the second hash function list includes at least one hash function supported by the device 1600, so that the second terminal device determines the first hash function list according to the second hash function list, where the hash functions included in the first hash function list belong to the second hash function list;
  • the processor is further configured to control the transceiver to send a first port number to the second terminal device, where the first port number is the port number used by the device 1600 to establish a stream control transmission protocol (SCTP) connection based on the DTLS protocol connection.
  • device 1600 may be embedded or may itself be a terminal device such as a video conferencing terminal, and may also include a carrier that houses the transmitting circuitry and the receiving circuitry to allow for data transmission and reception between device 1600 and a remote location.
  • the bus 1610 may include, in addition to the data bus, a power bus, a control bus, and a status signal bus. However, for the sake of clarity, the various buses are labeled as bus 1610 in the figure.
  • the processor may implement or perform the steps and logic blocks disclosed in the method embodiments of the present invention.
  • the general purpose processor may be a microprocessor or the processor or any conventional processor, decoder or the like.
  • the steps of the method disclosed in the embodiments of the present invention may be directly implemented by the hardware processor, or may be performed by a combination of hardware and software modules in the decoding processor.
  • the software module can be located in a conventional storage medium such as random access memory, flash memory, read only memory, programmable read only memory or electrically erasable programmable memory, registers, and the like.
  • the processor 1620 may be a central processing unit (CPU), and the processor 1620 may also be another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like.
  • the general purpose processor may be a microprocessor or the processor or any conventional processor or the like.
  • the memory 1630 can include read only memory and random access memory and provides instructions and data to the processor. A portion of the memory 1630 can also include a non-volatile random access memory. For example, the memory 1630 can also store information of the device type.
  • each step of the foregoing method may be completed by an integrated logic circuit of hardware in the processor 1620 or an instruction in a form of software.
  • the steps of the method disclosed in the embodiments of the present invention may be directly executed by a hardware processor, or may be executed by a combination of hardware and software modules in the processor.
  • the software module can be located in a conventional storage medium such as random access memory, flash memory, read only memory, programmable read only memory or electrically erasable programmable memory, registers, and the like.
  • the storage medium is located in the memory 1630, and the processor 1620 reads the information in the memory 1630 and combines the hardware to perform the steps of the above method. To avoid repetition, it will not be described in detail here.
  • the apparatus 1600 for transmitting data may correspond to a first terminal device (for example, the above-described terminal device #1) in the method of the embodiment of the present invention, and the modules and the other operations and/or functions in the device 1600 for transmitting data are respectively configured to implement the corresponding processes of the method 200 in FIG. 2, and are not described herein again for brevity.
  • An apparatus for transmitting data according to an embodiment of the present invention, by causing a first terminal device and a second terminal device to negotiate a hash function and fingerprint information based on the H.323 protocol, enables a DTLS protocol connection based on the hash function and the fingerprint information to be established between the first terminal device and the second terminal device, so that the first terminal device and the second terminal device can transmit data through the DTLS protocol connection, thereby effectively utilizing the DTLS protocol security authentication mechanism to improve the security of the transmitted data, and making the DTLS protocol applicable to terminal devices using the H.323 protocol, thereby improving the reliability and practicability of the terminal device and improving the user experience.
  • FIG. 17 shows a schematic block diagram of an apparatus 1700 for transmitting data in accordance with an embodiment of the present invention.
  • the device 1700 communicates with the first terminal device by using an H.323 protocol, and the device 1700 includes:
  • processor 1720 connected to the bus 1710;
  • a memory 1730 connected to the bus 1710;
  • transceiver 1740 connected to the bus 1710;
  • the processor 1720, by using the bus 1710, invokes a program stored in the memory 1730 for controlling the transceiver to send a first hash function list to the first terminal device, where the first hash function list includes at least one hash function supported by the device 1700;
  • the processor is further configured to control the transceiver to receive the target hash function sent by the first terminal device and the fingerprint information corresponding to the target hash function, where the target hash function is determined by the first terminal device from the first hash function list and belongs to the hash functions supported by the first terminal device, so that a DTLS protocol connection based on the target hash function and the fingerprint information is established and data is transferred to and from the device 1700 through that connection.
  • the processor is further configured to control the transceiver to send role indication information to the first terminal device, where the role indication information is used to indicate a role supported by the device 1700, and the role is at least one of "active" and "passive", so that the first terminal device determines the target hash function from the first hash function list when it determines that the role supported by the first terminal device includes "active" and the role supported by the device 1700 includes "passive".
  • the target hash function is determined by the first terminal device from the first hash function list according to a hash function supported by the first terminal device.
  • the processor is further configured to control the transceiver to receive a second hash function list sent by the first terminal device, where the second hash function list includes at least one hash function supported by the first terminal device;
  • the processor is further configured to control the transceiver to receive the first port number sent by the first terminal device, where the first port number is used by the first terminal device to establish a connection based on the DTLS protocol.
  • the device 1700 may be embedded or may itself be a terminal device such as a video conferencing terminal, and may also include a carrier that houses the transmitting circuit and the receiving circuit to allow data transmission and reception between the device 1700 and the remote location.
  • the bus 1710 may include, in addition to the data bus, a power bus, a control bus, and a status signal bus. However, for the sake of clarity, the various buses are labeled as bus 1710 in the figure.
  • the processor may implement or perform the steps and logic blocks disclosed in the method embodiments of the present invention.
  • the general purpose processor may be a microprocessor or the processor or any conventional processor, decoder or the like.
  • the steps of the method disclosed in the embodiments of the present invention may be directly implemented by the hardware processor, or may be performed by a combination of hardware and software modules in the decoding processor.
  • the software module can be located in a conventional storage medium such as a random access memory, a flash memory, a read only memory, a programmable read only memory or an electrically erasable programmable memory, a register, or the like.
  • the processor 1720 may be a central processing unit (CPU), and the processor 1720 may also be another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like.
  • the general purpose processor may be a microprocessor or the processor or any conventional processor or the like.
  • the memory 1730 can include read only memory and random access memory and provides instructions and data to the processor 1720. A portion of the memory 1730 can also include a non-volatile random access memory. For example, the memory 1730 can also store information of the device type.
  • each step of the above method may be completed by an integrated logic circuit of hardware in the processor 1720 or an instruction in a form of software.
  • the steps of the method disclosed in the embodiments of the present invention may be directly implemented as a hardware processor, or may be performed by a combination of hardware and software modules in the processor.
  • the software module can be located in a conventional storage medium such as random access memory, flash memory, read only memory, programmable read only memory or electrically erasable programmable memory, registers, and the like.
  • the storage medium is located in the memory 1730, and the processor 1720 reads the information in the memory 1730 and performs the steps of the above method in combination with its hardware. To avoid repetition, it will not be described in detail here.
  • the apparatus 1700 for transmitting data according to an embodiment of the present invention may correspond to a second terminal device (for example, the above-described terminal device #2) in the method of the embodiment of the present invention, and the modules and the other operations and/or functions in the device 1700 for transmitting data are respectively configured to implement the corresponding processes of the method 500 in FIG. 5, and are not described herein again for brevity.
  • An apparatus for transmitting data according to an embodiment of the present invention, by causing a first terminal device and a second terminal device to negotiate a hash function and fingerprint information based on the H.323 protocol, enables a DTLS protocol connection based on the hash function and the fingerprint information to be established between the first terminal device and the second terminal device, so that the first terminal device and the second terminal device can transmit data through the DTLS protocol connection, thereby effectively utilizing the DTLS protocol security authentication mechanism to improve the security of the transmitted data, and making the DTLS protocol applicable to terminal devices using the H.323 protocol, thereby improving the reliability and practicability of the terminal device and improving the user experience.
  • FIG. 18 shows a schematic block diagram of an apparatus 1800 for transmitting data in accordance with an embodiment of the present invention.
  • the device 1800 communicates with the first terminal device through the H.323 protocol, and the device 1800 communicates with the second terminal device through the SIP.
  • the device 1800 includes:
  • processor 1820 connected to the bus 1810;
  • a memory 1830 connected to the bus 1810;
  • transceiver 1840 connected to the bus 1810;
  • the processor 1820, by using the bus 1810, invokes a program stored in the memory 1830 for controlling the transceiver to receive at least one first hash function sent by the second terminal device, where the first hash function belongs to the hash functions supported by the second terminal device;
  • the processor is further configured to control the transceiver to receive the target first hash function and the first fingerprint information sent by the first terminal device, where the target first hash function is determined by the first terminal device from the first hash function list and belongs to the hash functions supported by the first terminal device, the first fingerprint information is the fingerprint information corresponding to the target first hash function, and the target first hash function and the first fingerprint information are used to authenticate the first terminal device;
  • the processor is further configured to control the transceiver to receive the target second hash function and the second fingerprint information sent by the second terminal device, where the target second hash function is determined by the second terminal device from part or all of the second hash functions and belongs to the hash functions supported by the second terminal device, the second fingerprint information is the fingerprint information corresponding to the target second hash function, and the target second hash function and the second fingerprint information are used to authenticate the second terminal device;
  • the processor is further configured to control the transceiver to send the target first hash function and the first fingerprint information to the second terminal device, and to send the target second hash function and the second fingerprint information to the first terminal device, so that the first terminal device and the second terminal device perform authentication processing according to the target first hash function, the first fingerprint information, the target second hash function, and the second fingerprint information to establish a datagram transport layer security (DTLS) protocol connection and transmit data through the DTLS protocol connection.
  • the processor is further configured to control the transceiver to receive first role indication information sent by the first terminal device and second role indication information sent by the second terminal device, where the first role indication information is used to indicate a role supported by the first terminal device, the second role indication information is used to indicate a role supported by the second terminal device, and the role is at least one of "active" and "passive", so that the first terminal device and the second terminal device perform authentication processing according to the first hash function, the first fingerprint information, the second hash function, the second fingerprint information, the role supported by the first terminal device, and the role supported by the second terminal device.
  • the processor is further configured to control the transceiver to receive the first port number sent by the first terminal device and the second port number sent by the second terminal device, where the first port number is the port number used by the first terminal device to establish a stream control transmission protocol (SCTP) connection based on the DTLS protocol connection, and the second port number is the port number used by the second terminal device to establish an SCTP connection based on the DTLS protocol connection, so that the first terminal device and the second terminal device establish an SCTP connection using the first port number and the second port number and transmit data through the SCTP connection.
  • device 1800 may be embedded or may itself be a gateway device such as a gateway, and may also include a carrier that houses the transmitting circuitry and the receiving circuitry to allow for data transmission and reception between device 1800 and a remote location.
  • the bus 1810 may include, in addition to the data bus, a power bus, a control bus, and a status signal bus. However, for the sake of clarity, the various buses are labeled as bus 1810 in the figure.
  • the processor may implement or perform the steps and logic blocks disclosed in the method embodiments of the present invention.
  • the general purpose processor may be a microprocessor or the processor or any conventional processor, decoder or the like.
  • the steps of the method disclosed in the embodiments of the present invention may be directly implemented by the hardware processor, or may be performed by a combination of hardware and software modules in the decoding processor.
  • the software module can be located in a conventional storage medium such as random access memory, flash memory, read only memory, programmable read only memory or electrically erasable programmable memory, registers, and the like.
  • the processor 1820 may be a central processing unit (CPU), and the processor 1820 may also be another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like.
  • the general purpose processor may be a microprocessor or the processor or any conventional processor or the like.
  • the memory 1830 can include read only memory and random access memory and provides instructions and data to the processor 1820.
  • a portion of memory 1830 may also include a non-volatile random access memory.
  • the memory 1830 can also store information of the device type.
  • each step of the above method may be completed by an integrated logic circuit of hardware in the processor 1820 or an instruction in the form of software.
  • the steps of the method disclosed in the embodiments of the present invention may be directly implemented as a hardware processor, or may be performed by a combination of hardware and software modules in the processor.
  • the software module can be located in a conventional storage medium such as random access memory, flash memory, read only memory, programmable read only memory or electrically erasable programmable memory, registers, and the like.
  • the storage medium is located in the memory 1830, and the processor 1820 reads the information in the memory 1830 and, in conjunction with its hardware, performs the steps of the above method. To avoid repetition, it will not be described in detail here.
  • the apparatus 1800 for transmitting data may correspond to a gateway device in the method of the embodiment of the present invention, and each unit in the apparatus 1800 for transmitting data, that is, the modules and the other operations and/or functions described above, is respectively configured to implement the corresponding processes of the method 300 in FIG. 3, and is not described herein again for brevity.
  • the first terminal device and the second terminal device negotiate a security parameter via the gateway device, and a DTLS protocol connection based on the security parameter can be established between the first terminal device and the second terminal device.
  • the DTLS protocol connection enables the first terminal device and the second terminal device to transmit data through the DTLS protocol connection without forwarding by the gateway device, thereby reducing the burden on the gateway device, improving the transmission performance of the system, and improving the user experience.
  • the apparatus for transmitting data according to the embodiment of the present invention enables the first terminal device using the H.323 protocol and the second terminal device using SIP to negotiate the hash function and the fingerprint information via the gateway device, so that a DTLS protocol connection based on the hash function and the fingerprint information can be established between the first terminal device and the second terminal device, and the first terminal device and the second terminal device can transmit data through the DTLS protocol connection, thereby effectively utilizing the DTLS protocol security authentication mechanism.
  • the mechanism improves the security of the transmitted data, and can make the DTLS protocol applicable to the terminal device using the H.323 protocol, thereby improving the reliability and practicability of the terminal device and improving the user experience.
  • FIG. 19 shows a schematic block diagram of an apparatus 1900 for transmitting data in accordance with an embodiment of the present invention.
  • the device 1900 communicates with the gateway device through the H.323 protocol, and the gateway device communicates with the second terminal device through the SIP.
  • the device 1900 includes:
  • processor 1920 connected to the bus 1910;
  • a memory 1930 connected to the bus 1910;
  • transceiver 1940 connected to the bus 1910;
  • the processor 1920, by using the bus 1910, invokes a program stored in the memory 1930 for controlling the transceiver to receive a first hash function list sent by the gateway device, where the first hash function list records at least one first hash function sent by the second terminal device to the gateway device, and the first hash function belongs to the hash functions supported by the second terminal device;
  • the processor is further configured to determine a target first hash function from the first hash function list and to determine first fingerprint information corresponding to the target first hash function, where the target first hash function belongs to the hash functions supported by the device 1900, and the target first hash function and the first fingerprint information are used for authentication of the device 1900;
  • the processor is further configured to control the transceiver to receive a target second hash function and second fingerprint information sent by the gateway device, where the target second hash function is determined by the second terminal device from part or all of the second hash functions sent by the gateway device and belongs to the hash functions supported by the second terminal device, the second fingerprint information is the fingerprint information corresponding to the target second hash function, and the target second hash function and the second fingerprint information are used to authenticate the second terminal device;
  • the processor is further configured to control the transceiver to send a first port number to the gateway device, where the first port number is the port number used by the device 1900 to establish a stream control transmission protocol (SCTP) connection based on the DTLS protocol connection, so that the gateway device sends the first port number to the second terminal device;
  • the processor is further configured to control the transceiver to send first role indication information to the gateway device, where the first role indication information is used to indicate a role supported by the device 1900, and the role is at least one of "active" and "passive", so that the gateway device sends the first role indication information to the second terminal device;
  • the processor is further configured to control the transceiver to receive second role indication information sent by the gateway device, where the second role indication information is sent by the second terminal device to the gateway device and is used to indicate the role supported by the second terminal device;
  • so that the device 1900 performs authentication processing with the second terminal device according to the target first hash function, the first fingerprint information, the target second hash function, the second fingerprint information, the role supported by the device 1900, and the role supported by the second terminal device.
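  • Worked example, added here and not part of the patent, covering both the direct exchange between two H.323 terminals (apparatus 1500 to 1700 above) and the gateway-relayed exchange (apparatus 1800 and 1900): a Python simulation of the hash function list negotiation, the fingerprint information derived from each device's certificate, the role indication resolution, the port number exchange, and the fingerprint check each side applies when the DTLS connection is set up. Hash names, ports, certificate bytes, the role tie-break and the message shapes are assumptions; the page names none of them.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Hash function names, ports and certificate bytes below are assumptions:
# the page names no particular hash algorithm or port.
HASH_PREFERENCE = ("sha-512", "sha-384", "sha-256", "sha-1")
HASHLIB_NAMES = {"sha-1": "sha1", "sha-256": "sha256",
                 "sha-384": "sha384", "sha-512": "sha512"}


def fingerprint(cert_der: bytes, hash_name: str) -> str:
    """Fingerprint information: the named hash of the device certificate as colon-separated hex."""
    digest = hashlib.new(HASHLIB_NAMES[hash_name], cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


@dataclass
class Terminal:
    name: str
    cert: bytes                 # constructed stand-in for the device's DER certificate
    hashes: tuple               # hash functions this device supports
    roles: frozenset            # subset of {"active", "passive"}
    sctp_port: int              # port number for the SCTP connection carried over DTLS
    peer: dict = field(default_factory=dict)  # parameters learned about the peer

    def hash_list(self) -> list:
        """The hash function list this device sends to the peer."""
        return list(self.hashes)

    def pick_hash(self, peer_list) -> str:
        """Hash function for this device's own fingerprint: it must appear in the peer's list
        and be supported here (first match in local preference order)."""
        for h in HASH_PREFERENCE:
            if h in self.hashes and h in peer_list:
                return h
        raise ValueError(f"{self.name}: no hash function in common with the peer")

    def announce(self, peer_list) -> dict:
        """Signalling message: chosen hash, matching fingerprint, port number, role indication."""
        h = self.pick_hash(peer_list)
        return {"hash": h, "fingerprint": fingerprint(self.cert, h),
                "port": self.sctp_port, "roles": self.roles}

    def verify_presented_cert(self, presented: bytes) -> bool:
        """DTLS handshake step: the certificate the peer presents must hash, under the
        negotiated function, to the fingerprint the peer announced over signalling."""
        actual = fingerprint(presented, self.peer["hash"])
        return hmac.compare_digest(actual, self.peer["fingerprint"])


def resolve_roles(a: Terminal, b: Terminal):
    """Return (dtls_client, dtls_server): the 'active' side opens the DTLS connection, the
    'passive' side waits. When both pairings are possible `a` is preferred as client
    (an assumption; the page does not say how that tie is broken)."""
    if "active" in a.roles and "passive" in b.roles:
        return a, b
    if "active" in b.roles and "passive" in a.roles:
        return b, a
    raise ValueError(f"incompatible role indications: {sorted(a.roles)} / {sorted(b.roles)}")


def negotiate(a: Terminal, b: Terminal, gateway_log=None):
    """Run the signalling exchange. `relay` stands in for the gateway device of the SIP case:
    it forwards and may record the parameters, but the DTLS data path set up afterwards
    does not pass through it. Returns the (client, server) device names."""
    def relay(src, dst, msg):
        if gateway_log is not None:
            gateway_log.append((src.name, dst.name, msg))
        return msg

    # Step 1: each device sends the peer the list of hash functions it supports.
    list_a = relay(a, b, a.hash_list())
    list_b = relay(b, a, b.hash_list())
    # Step 2: each device determines the hash for its own fingerprint from the peer's list
    # and sends hash function, fingerprint information, port number and role indication.
    b.peer = relay(a, b, a.announce(list_b))
    a.peer = relay(b, a, b.announce(list_a))
    # Step 3: the role indications decide which side opens the DTLS connection.
    client, server = resolve_roles(a, b)
    return client.name, server.name


def handshake_ok(a: Terminal, b: Terminal, presented_by_a: bytes, presented_by_b: bytes) -> bool:
    """Simulated DTLS handshake after negotiation: each side checks the certificate it was
    presented against the fingerprint it learned over signalling."""
    return a.verify_presented_cert(presented_by_b) and b.verify_presented_cert(presented_by_a)


# Constructed sample devices; the certificate bytes are placeholders, not real X.509.
TERMINAL_A = Terminal("terminal#A", b"-- constructed certificate of terminal A --",
                      ("sha-256", "sha-1"), frozenset({"active", "passive"}), 5000)
TERMINAL_B = Terminal("terminal#B", b"-- constructed certificate of terminal B --",
                      ("sha-512", "sha-256"), frozenset({"passive"}), 5001)

if __name__ == "__main__":
    log = []
    print("DTLS client/server:", negotiate(TERMINAL_A, TERMINAL_B, log), "via", len(log), "messages")
    print("genuine certificates:", handshake_ok(TERMINAL_A, TERMINAL_B, TERMINAL_A.cert, TERMINAL_B.cert))
    # A certificate other than the one fingerprinted over signalling is rejected at handshake time.
    print("substituted certificate:", handshake_ok(TERMINAL_A, TERMINAL_B, TERMINAL_A.cert, b"other"))
```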
  • device 1900 may be embedded or may itself be a terminal device such as a video conferencing terminal, and may also include a carrier that houses the transmitting circuitry and the receiving circuitry to allow for data transmission and reception between device 1900 and a remote location.
  • the bus 1910 includes, in addition to a data bus, a power bus, a control bus, and a status signal bus. However, for the sake of clarity, the various buses are labeled as bus 1910 in the figure.
  • the processor may implement or perform the steps and logic blocks disclosed in the method embodiments of the present invention.
  • the general purpose processor may be a microprocessor or any conventional processor, decoder, or the like.
  • the steps of the method disclosed in the embodiments of the present invention may be directly implemented by the hardware processor, or may be performed by a combination of hardware and software modules in the decoding processor.
  • the software module can be located in a conventional storage medium such as random access memory, flash memory, read only memory, programmable read only memory or electrically erasable programmable memory, registers, and the like.
  • the processor 1920 may be a central processing unit (CPU), and the processor 1920 may also be another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like.
  • the general purpose processor may be a microprocessor or any conventional processor or the like.
  • the memory 1930 can include read only memory and random access memory and provides instructions and data to the processor 1920.
  • a portion of the memory 1930 may also include a non-volatile random access memory.
  • the memory 1930 can also store information of the device type.
  • each step of the above method may be completed by an integrated logic circuit of hardware in the processor 1920 or by instructions in the form of software.
  • the steps of the method disclosed in the embodiments of the present invention may be directly implemented by a hardware processor, or may be performed by a combination of hardware and software modules in the processor.
  • the software module can be located in a conventional storage medium such as random access memory, flash memory, read only memory, programmable read only memory or electrically erasable programmable memory, registers, and the like.
  • the storage medium is located in memory 1930, and processor 1920 reads the information in memory 1930 and, in conjunction with its hardware, performs the steps of the above method. To avoid repetition, it will not be described in detail here.
  • the apparatus 1900 for transmitting data may correspond to a first terminal device (for example, the above-described terminal device #A) in the method of the embodiment of the present invention, and the modules in the device 1900 for transmitting data and the other operations and/or functions described above are respectively used to implement the corresponding processes of the method 600 in FIG. 6, and are not described herein again for brevity.
  • the first terminal device and the second terminal device negotiate a security parameter via the gateway device, and can establish a DTLS protocol connection based on the security parameter between the first terminal device and the second terminal device; the connection enables the first terminal device and the second terminal device to transmit data through the DTLS protocol connection without forwarding by the gateway device, thereby reducing the burden on the gateway device, improving the transmission performance of the system, and improving the user experience.
  • in the apparatus for transmitting data according to the embodiment of the present invention, the first terminal device using the H.323 protocol and the second terminal device using the SIP negotiate the hash function and the fingerprint information via the gateway device, so that the data transmitted between the first terminal device and the second terminal device can effectively use the security authentication mechanism of the DTLS protocol; this mechanism improves the security of the transmitted data, and can make the DTLS protocol applicable to the terminal device using the H.323 protocol, thereby improving the reliability and practicability of the terminal device and improving the user experience.
  • FIG. 20 shows a schematic block diagram of an apparatus 2000 for transmitting data in accordance with an embodiment of the present invention.
  • the device 2000 communicates with the first terminal device through the H.323 protocol, and the device 2000 communicates with the second terminal device through the SIP.
  • the device 2000 includes:
  • a processor 2020 connected to the bus 2010;
  • a memory 2030 connected to the bus 2010;
  • a transceiver 2040 connected to the bus 2010;
  • the processor 2020 invokes, by using the bus 2010, a program stored in the memory 2030, for controlling the transceiver to receive a hash function list sent by the first terminal device, where the hash function list includes at least one hash function supported by the first terminal device;
  • the processor is further configured to control the transceiver to send the target hash function and the fingerprint information to the second terminal device, so that the first terminal device and the second terminal device perform authentication processing according to the target hash function and the fingerprint information, to establish a datagram transport layer security protocol DTLS connection and transmit data through the DTLS protocol connection.
  • the processor is specifically configured to control the transceiver to send a to-be-verified hash function to the second terminal device, where the to-be-verified hash function is any hash function in the hash function list;
  • the processor is specifically configured to: when determining that the verification message carries the to-be-verified hash function, determine that the to-be-verified hash function belongs to a hash function supported by the second terminal device, and determine the to-be-verified hash function to be a candidate hash function.
  • the processor is further configured to receive, by the transceiver, the first role indication information sent by the first terminal device and the second role indication information sent by the second terminal device, where the first role indication information is used to indicate a role supported by the first terminal device, where the second role indication information is used to indicate a role supported by the second terminal device, where the role is at least one of “active” and “passive”;
  • so that the first terminal device and the second terminal device perform authentication processing according to the first hash function, the first fingerprint information, the second hash function, the second fingerprint information, the role supported by the first terminal device, and the role supported by the second terminal device.
  • the processor is further configured to control the transceiver to receive the first port number sent by the first terminal device and the second port number sent by the second terminal device, where the first port number is a port number used by the first terminal device to establish a stream control transmission protocol SCTP connection based on the DTLS protocol connection, and the second port number is a port number used by the second terminal device to establish an SCTP connection based on the DTLS protocol connection;
  • so that the first terminal device and the second terminal device establish an SCTP connection according to the first port number and the second port number, and transmit data through the SCTP connection.
  • the device 2000 may be embedded or may itself be a gateway device such as a gateway, and may also include a carrier that houses the transmitting circuit and the receiving circuit to allow data transmission and reception between the device 2000 and the remote location.
  • the bus 2010 includes, in addition to a data bus, a power bus, a control bus, and a status signal bus. However, for the sake of clarity, the various buses are labeled as bus 2010 in the figure.
  • the processor may implement or perform the steps and logic blocks disclosed in the method embodiments of the present invention.
  • the general purpose processor may be a microprocessor or any conventional processor, decoder, or the like.
  • the steps of the method disclosed in the embodiments of the present invention may be directly implemented by the hardware processor, or may be performed by a combination of hardware and software modules in the decoding processor.
  • the software module can be located in a conventional storage medium such as random access memory, flash memory, read only memory, programmable read only memory or electrically erasable programmable memory, registers, and the like.
  • the processor 2020 may be a central processing unit (CPU), and the processor 2020 may also be another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like.
  • the general purpose processor may be a microprocessor or any conventional processor or the like.
  • the memory 2030 can include read only memory and random access memory and provides instructions and data to the processor 2020.
  • a portion of the memory 2030 may also include a non-volatile random access memory.
  • the memory 2030 can also store information of the device type.
  • each step of the foregoing method may be completed by an integrated logic circuit of hardware in the processor 2020 or by instructions in the form of software.
  • the steps of the method disclosed in the embodiments of the present invention may be directly implemented by a hardware processor, or may be performed by a combination of hardware and software modules in the processor.
  • the software module can be located in a conventional storage medium such as random access memory, flash memory, read only memory, programmable read only memory or electrically erasable programmable memory, registers, and the like.
  • the storage medium is located in the memory 2030, and the processor 2020 reads the information in the memory 2030 and performs the steps of the above method in combination with its hardware. To avoid repetition, it will not be described in detail here.
  • the device 2000 for transmitting data may correspond to a gateway device in the method of the embodiment of the present invention, and each unit in the device 2000 for transmitting data, that is, the modules and the other operations and/or functions described above, is respectively used to implement the corresponding process of the method 400 in FIG. 4, and is not described herein for brevity.
  • the first terminal device and the second terminal device negotiate a security parameter via the gateway device, and can establish a DTLS protocol connection based on the security parameter between the first terminal device and the second terminal device; the connection enables the first terminal device and the second terminal device to transmit data through the DTLS protocol connection without forwarding by the gateway device, thereby reducing the burden on the gateway device, improving the transmission performance of the system, and improving the user experience.
  • in the apparatus for transmitting data according to the embodiment of the present invention, the first terminal device using the H.323 protocol and the second terminal device using the SIP negotiate the hash function and the fingerprint information via the gateway device, so that the data transmitted between the first terminal device and the second terminal device can effectively use the security authentication mechanism of the DTLS protocol; this mechanism improves the security of the transmitted data, and can make the DTLS protocol applicable to the terminal device using the H.323 protocol, thereby improving the reliability and practicability of the terminal device and improving the user experience.
  • FIG. 21 shows a schematic block diagram of an apparatus 2100 for transmitting data in accordance with an embodiment of the present invention.
  • the device 2100 communicates with the gateway device through the H.323 protocol, and the gateway device communicates with the second terminal device through the SIP.
  • the device 2100 includes:
  • a processor 2120 connected to the bus 2110;
  • a memory 2130 connected to the bus 2110;
  • a transceiver 2140 connected to the bus 2110;
  • the processor 2120 invokes, by using the bus 2110, a program stored in the memory 2130, for controlling the transceiver to send a hash function list to the gateway device, where the hash function list includes at least one hash function supported by the device 2100, so that the gateway device performs a negotiation process with the second terminal device according to the hash function list to determine at least one candidate hash function from the hash function list, where the candidate hash function belongs to a hash function supported by the second terminal device;
  • the processor is further configured to control the transceiver to send the first port number to the gateway device, so that the gateway device forwards the first port number to the second terminal device, where the first port number is the port number used by the device 2100 to establish a stream control transmission protocol SCTP connection based on the DTLS protocol connection;
  • the processor is further configured to control the transceiver to receive a second port number sent by the gateway device, where the second port number is sent by the second terminal device to the gateway device and is the port number used by the second terminal device to establish an SCTP connection based on the DTLS protocol connection;
  • the device 2100 may be embedded or may itself be a terminal device such as a video conferencing terminal, and may further include a carrier that houses the transmitting circuit and the receiving circuit to allow data transmission and reception between the device 2100 and the remote location.
  • the bus 2110 includes, in addition to a data bus, a power bus, a control bus, and a status signal bus. However, for the sake of clarity, the various buses are labeled as bus 2110 in the figure.
  • the processor may implement or perform the steps and logic blocks disclosed in the method embodiments of the present invention.
  • the general purpose processor may be a microprocessor or any conventional processor, decoder, or the like.
  • the steps of the method disclosed in connection with the embodiments of the present invention may be directly embodied as being performed by a hardware processor, or may be performed by a combination of hardware and software modules in the decoding processor.
  • the software module can be located in a conventional storage medium such as random access memory, flash memory, read only memory, programmable read only memory or electrically erasable programmable memory, registers, and the like.
  • the processor 2120 may be a central processing unit (CPU), and the processor 2120 may also be another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like.
  • the general purpose processor may be a microprocessor or any conventional processor or the like.
  • the memory 2130 can include read only memory and random access memory and provides instructions and data to the processor 2120. A portion of the memory 2130 may also include a non-volatile random access memory. For example, the memory 2130 can also store information of the device type.
  • each step of the foregoing method may be completed by an integrated logic circuit of hardware in the processor 2120 or by instructions in the form of software.
  • the steps of the method disclosed in the embodiments of the present invention may be directly implemented by a hardware processor, or may be performed by a combination of hardware and software modules in the processor.
  • the software module can be located in a conventional storage medium such as random access memory, flash memory, read only memory, programmable read only memory or electrically erasable programmable memory, registers, and the like.
  • the storage medium is located in the memory 2130, and the processor 2120 reads the information in the memory 2130 and completes the steps of the above method in combination with its hardware. To avoid repetition, it will not be described in detail here.
  • the device 2100 for transmitting data may correspond to a first terminal device (for example, the above-described terminal device #A) in the method of the embodiment of the present invention, and the modules in the device 2100 for transmitting data and the other operations and/or functions described above are respectively used to implement the corresponding processes of the method 700 in FIG. 7, and are not described herein again for brevity.
  • the first terminal device and the second terminal device negotiate a security parameter via the gateway device, and can establish a DTLS protocol connection based on the security parameter between the first terminal device and the second terminal device; the connection enables the first terminal device and the second terminal device to transmit data through the DTLS protocol connection without forwarding by the gateway device, thereby reducing the burden on the gateway device, improving the transmission performance of the system, and improving the user experience.
  • in the apparatus for transmitting data according to the embodiment of the present invention, the first terminal device using the H.323 protocol and the second terminal device using the SIP negotiate the hash function and the fingerprint information via the gateway device, so that the data transmitted between the first terminal device and the second terminal device can effectively utilize the security authentication mechanism of the DTLS protocol to improve the security of the transmitted data, and the DTLS protocol can be made applicable to the terminal device using the H.323 protocol, thereby improving the reliability and practicability of the terminal device and improving the user experience.
  • FIG. 22 shows a schematic architectural diagram of a system 2200 for transmitting data in accordance with an embodiment of the present invention.
  • the system 2200 includes a first terminal device 2210, a second terminal device 2220, and a gateway device 2230.
  • the first terminal device 2210 communicates with the gateway device 2230 through the H.323 protocol, and the second terminal device 2220 communicates with the gateway device 2230 through the session initiation protocol SIP, where
  • the gateway device 2230 is configured to receive at least one first hash function sent by the second terminal device, where the first hash function belongs to a hash function supported by the second terminal device; send to the first terminal device a first hash function list recording the first hash function; and receive a target first hash function and first fingerprint information sent by the first terminal device, where the target first hash function is determined by the first terminal device from the first hash function list, the target first hash function belongs to a hash function supported by the first terminal device, the first fingerprint information is fingerprint information corresponding to the target first hash function, and the target first hash function and the first fingerprint information are used to authenticate the first terminal device;
  • the gateway device 2230 is further configured to receive a second hash function list sent by the first terminal device, where the second hash function list includes at least one second hash function supported by the first terminal device; send part or all of the second hash function to the second terminal device; and receive a target second hash function and second fingerprint information sent by the second terminal device, where the target second hash function is determined by the second terminal device from part or all of the second hash function, the target second hash function belongs to a hash function supported by the second terminal device, the second fingerprint information is fingerprint information corresponding to the target second hash function, and the target second hash function and the second fingerprint information are used to authenticate the second terminal device;
  • so that the first terminal device and the second terminal device perform authentication processing according to the target first hash function, the first fingerprint information, the target second hash function, and the second fingerprint information to establish a datagram transport layer security protocol DTLS connection, and transmit data through the DTLS protocol connection;
  • the first terminal device 2210 is configured to receive a first hash function list sent by the gateway device, where the first hash function list records at least one first hash function sent by the second terminal device to the gateway device, and the first hash function belongs to a hash function supported by the second terminal device; determine a target first hash function from the first hash function list and determine first fingerprint information corresponding to the target first hash function, where the target first hash function belongs to a hash function supported by the first terminal device, and the target first hash function and the first fingerprint information are used to authenticate the first terminal device; send the determined target first hash function and the first fingerprint information to the gateway device, so that the gateway device sends the target first hash function and the first fingerprint information to the second terminal device; send a second hash function list to the gateway device, where the second hash function list includes at least one second hash function supported by the first terminal device; and receive a target second hash function and second fingerprint information sent by the gateway device, where
  • the gateway device 2230 may correspond to the gateway device in the method of the embodiment of the present invention, and each unit in the gateway device 2230, that is, the modules and the other operations and/or functions described above, is respectively used to implement the corresponding process of the method 300 in FIG., and is not described here for brevity.
  • the first terminal device 2210 may correspond to the first terminal device (for example, the terminal device #X) in the method of the embodiment of the present invention, and each unit in the first terminal device 2210, that is, the modules and the other processes and/or functions described above, is respectively used to implement the corresponding process of the method 600 in FIG. 6. For brevity, no further details are provided herein.
  • the first terminal device and the second terminal device negotiate a security parameter via the gateway device, and can establish a DTLS protocol connection based on the security parameter between the first terminal device and the second terminal device; the connection enables the first terminal device and the second terminal device to transmit data through the DTLS protocol connection without forwarding by the gateway device, thereby reducing the burden on the gateway device, improving the transmission performance of the system, and improving the user experience.
  • in the apparatus for transmitting data according to the embodiment of the present invention, the first terminal device using the H.323 protocol and the second terminal device using the SIP negotiate the hash function and the fingerprint information via the gateway device, so that the data transmitted between the first terminal device and the second terminal device can effectively utilize the security authentication mechanism of the DTLS protocol to improve the security of the transmitted data, and the DTLS protocol can be made applicable to the terminal device using the H.323 protocol, thereby improving the reliability and practicability of the terminal device and improving the user experience.
  • FIG. 23 shows a schematic architectural diagram of a system 2300 for transmitting data in accordance with an embodiment of the present invention.
  • the system 2300 includes a first terminal device 2310, a second terminal device 2320, and a gateway device 2330.
  • the first terminal device 2310 communicates with the gateway device 2330 through the H.323 protocol, and the second terminal device 2320 communicates with the gateway device 2330 through the session initiation protocol SIP, where
  • the gateway device 2330 is configured to receive a hash function list sent by the first terminal device, where the hash function list includes at least one hash function supported by the first terminal device; perform a negotiation process with the second terminal device according to the hash function list to determine at least one candidate hash function from the hash function list, where the candidate hash function belongs to a hash function supported by the second terminal device; send the candidate hash function to the first terminal device, so that the first terminal device determines a target hash function from the candidate hash function and determines fingerprint information corresponding to the target hash function; receive the target hash function and the fingerprint information sent by the first terminal device; and send the target hash function and the fingerprint information to the second terminal device, so that the first terminal device and the second terminal device perform authentication processing according to the target hash function and the fingerprint information to establish a datagram transport layer security protocol DTLS connection, and transmit data through the DTLS protocol connection;
  • the first terminal device 2310 is configured to send a hash function list to the gateway device, where the hash function list includes at least one hash function supported by the first terminal device, so that the gateway device negotiates with the second terminal device according to the hash function list to determine at least one candidate hash function from the hash function list, where the candidate hash function belongs to a hash function supported by the second terminal device; receive the candidate hash function sent by the gateway device; determine a target hash function from the candidate hash function, and determine fingerprint information corresponding to the target hash function; send the target hash function and the fingerprint information to the gateway device, so that the gateway device forwards the target hash function and the fingerprint information to the second terminal device; and perform authentication processing with the second terminal device according to the target hash function and the fingerprint information, to establish a datagram transport layer security protocol DTLS connection and transmit data through the DTLS protocol connection.
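The exchange described for systems 2200 and 2300 (the gateway intersecting the two terminals' hash function lists, the first terminal choosing a target hash function and deriving fingerprint information from its certificate, the active/passive role indication and SCTP port numbers carried through the gateway, and the fingerprint check each terminal performs on the peer certificate before trusting the DTLS connection) as an added Python example. This is not code from the patent: the hash lists, stand-in certificates, port numbers, the colon-separated fingerprint format, the weak-hash policy and the role tie-break are all constructed assumptions for illustration.

```python
import hashlib
import hmac

# Constructed inputs for this example (not values from the patent).
# Hash functions each terminal supports, in its own order of preference.
HASHES_TERMINAL_A = ["sha-256", "sha-1"]            # first terminal (H.323 side)
HASHES_TERMINAL_B = ["sha-512", "sha-256", "md5"]   # second terminal (SIP side)
# Stand-ins for the DER certificates each terminal presents in the DTLS handshake.
CERT_A = b"constructed DER certificate of terminal A"
CERT_B = b"constructed DER certificate of terminal B"
# Roles each side supports: "active" initiates the DTLS handshake, "passive" accepts it.
ROLES_TERMINAL_A = ["active", "passive"]
ROLES_TERMINAL_B = ["passive"]
# Ports each side will use for the SCTP association carried over the DTLS connection.
SCTP_PORT_A, SCTP_PORT_B = 5000, 5001

# Negotiated names mapped to hashlib algorithm names.
HASHLIB_NAME = {"sha-1": "sha1", "sha-256": "sha256", "sha-512": "sha512", "md5": "md5"}
# Assumed local policy: functions a terminal refuses to authenticate with, even if offered.
WEAK_HASHES = {"md5", "sha-1"}


def gateway_negotiate(first_list, second_supported):
    """Gateway step: keep every hash function from the first terminal's list that the
    second terminal also supports, preserving the first terminal's preference order."""
    second = set(second_supported)
    return [h for h in first_list if h in second]


def choose_target_hash(candidates):
    """First-terminal step: pick the target hash function from the candidates.
    Assumed policy: first candidate in preference order that is not on the weak list."""
    for h in candidates:
        if h not in WEAK_HASHES:
            return h
    return None


def fingerprint(hash_name, cert_der):
    """Fingerprint information: digest of the certificate under the target hash,
    rendered as colon-separated upper-case hex bytes (assumed SDP-style format)."""
    digest = hashlib.new(HASHLIB_NAME[hash_name], cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def verify_peer(hash_name, expected_fp, presented_cert_der):
    """Authentication step on either terminal: the certificate the peer presents in the
    DTLS handshake must hash, under the negotiated function, to the fingerprint that was
    carried through the gateway signalling. Constant-time compare avoids timing leaks."""
    if hash_name not in HASHLIB_NAME or hash_name in WEAK_HASHES:
        return False
    return hmac.compare_digest(fingerprint(hash_name, presented_cert_der), expected_fp)


def resolve_roles(first_roles, second_roles):
    """Role indication: each side announces at least one of 'active' / 'passive'.
    Returns (role of first terminal, role of second terminal), or None if the two sides
    cannot take complementary roles. Assumed tie-break when both support both: the first
    terminal (which offered its list) stays passive and the second terminal initiates."""
    first, second = set(first_roles), set(second_roles)
    if "passive" in first and "active" in second:
        return "passive", "active"
    if "active" in first and "passive" in second:
        return "active", "passive"
    return None


def run_session():
    """Whole exchange: negotiation via the gateway, then the direct DTLS authentication."""
    candidates = gateway_negotiate(HASHES_TERMINAL_A, HASHES_TERMINAL_B)
    target = choose_target_hash(candidates)
    if target is None:
        return None
    fp_a = fingerprint(target, CERT_A)   # sent A -> gateway -> B
    fp_b = fingerprint(target, CERT_B)   # sent B -> gateway -> A
    roles = resolve_roles(ROLES_TERMINAL_A, ROLES_TERMINAL_B)
    if roles is None:
        return None
    # DTLS handshake runs between the terminals without the gateway; each side checks
    # that the certificate it actually received matches the signalled fingerprint.
    ok_at_a = verify_peer(target, fp_b, CERT_B)
    ok_at_b = verify_peer(target, fp_a, CERT_A)
    return {
        "candidates": candidates,
        "target": target,
        "roles": roles,
        "sctp_ports": (SCTP_PORT_A, SCTP_PORT_B),
        "authenticated": ok_at_a and ok_at_b,
    }


if __name__ == "__main__":
    print(run_session())
```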
  • the gateway device 2330 may correspond to a gateway device in the method of the embodiment of the present invention, and each unit in the gateway device 2330, that is, the modules and the foregoing other operations and/or functions, is respectively used to implement the corresponding process of the method 400 in FIG. 4, and is not described herein for brevity.
  • the first terminal device 2310 may correspond to the first terminal device (for example, the terminal device #X) in the method of the embodiment of the present invention, and each unit in the first terminal device 2310, that is, the modules and the other processes and/or functions described above, is respectively used to implement the corresponding processes of the method 700 in FIG. 7, and is not described herein again for brevity.
  • the first terminal device and the second terminal device negotiate a security parameter via the gateway device, and can establish a DTLS protocol connection based on the security parameter between the first terminal device and the second terminal device; the connection enables the first terminal device and the second terminal device to transmit data through the DTLS protocol connection without forwarding by the gateway device, thereby reducing the burden on the gateway device, improving the transmission performance of the system, and improving the user experience.
  • in the apparatus for transmitting data according to the embodiment of the present invention, the first terminal device using the H.323 protocol and the second terminal device using the SIP negotiate the hash function and the fingerprint information via the gateway device, so that the data transmitted between the first terminal device and the second terminal device can effectively use the security authentication mechanism of the DTLS protocol; this mechanism improves the security of the transmitted data, and can make the DTLS protocol applicable to the terminal device using the H.323 protocol, thereby improving the reliability and practicability of the terminal device and improving the user experience.
  • the size of the sequence numbers of the above processes does not imply an order of execution; the order of execution of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of the present invention.
  • the disclosed systems, devices, and methods may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of units is only a logical functional division, and there may be another division manner in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be in an electrical, mechanical or other form.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, may be located in one place, or may be distributed to multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the functions may be stored in a computer readable storage medium if implemented in the form of a software functional unit and sold or used as a standalone product.
  • the technical solution of the present invention, or the part of it that is essential or contributes to the prior art, may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions used to cause a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the various embodiments of the present invention.
  • the foregoing storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or the like.

Abstract

Provided are a method, an apparatus, and a system for data transmission. The method comprises: a first terminal device receives a first hash function list sent by a second terminal device, determines a first hash function from the first hash function list, determines first fingerprint information corresponding to the first hash function, and sends the first hash function and the first fingerprint information to the second terminal device; the first terminal device sends a second hash function list to the second terminal device, and receives a second hash function determined from the second hash function list and second fingerprint information corresponding to the second hash function, the second hash function and the second fingerprint information being sent by the second terminal; and the first terminal device performs authentication processing with the second terminal device according to the first hash function, the first fingerprint information, the second hash function, and the second fingerprint information, to establish a DTLS protocol connection to transmit data, so that a security authentication mechanism in the DTLS protocol can be effectively used to improve security of data transmission, thereby improving transmission reliability and practicability.

Description

Method, apparatus and system for transmitting data

Technical field
The present invention relates to the field of communications and, more particularly, to a method, apparatus and system for transmitting data.
Background
At present, a media communication technology based on the H.323 protocol is known (for example, video conferencing). This technology establishes a session connection over the H.323 protocol and can then negotiate with other terminal devices over that session connection to establish a data transmission connection, thereby completing media communication with the other terminal devices.
As users' requirements for communication security continue to rise, how to improve the security of the above media communication technology has become an urgent problem to be solved.
Summary of the invention
Embodiments of the present invention provide a method, apparatus and system for transmitting data that can improve the security of the transmitted data.
In a first aspect, a method for transmitting data is provided, applied to a communication system including a first terminal device and a second terminal device, where the first terminal device and the second terminal device communicate with each other via the H.323 protocol. The method includes: the first terminal device receives a first hash function list sent by the second terminal device, where the first hash function list includes at least one hash function supported by the second terminal device; determines a first hash function from the first hash function list and determines first fingerprint information corresponding to the first hash function; and sends the first hash function and the first fingerprint information to the second terminal device, where the first hash function is a hash function supported by the first terminal device, and the first hash function and the first fingerprint information are used to authenticate the first terminal device. The first terminal device sends a second hash function list to the second terminal device, where the second hash function list includes at least one hash function supported by the first terminal device, and receives a second hash function and second fingerprint information sent by the second terminal device, where the second hash function is determined by the second terminal device from the second hash function list and is a hash function supported by the second terminal device, the second fingerprint information is fingerprint information corresponding to the second hash function, and the second hash function and the second fingerprint information are used to authenticate the second terminal device. The first terminal device performs authentication processing with the second terminal device according to the first hash function, the first fingerprint information, the second hash function and the second fingerprint information, so as to establish a Datagram Transport Layer Security (DTLS) protocol connection, and transmits data with the second terminal device over the DTLS protocol connection.
With reference to the first aspect, in a first implementation manner of the first aspect, the method further includes: the first terminal device sends a first port number to the second terminal device, where the first port number is the port number used by the first terminal device to establish a Stream Control Transmission Protocol (SCTP) connection based on the DTLS protocol connection; the first terminal device receives a second port number sent by the second terminal device, where the second port number is the port number used by the second terminal device to establish the SCTP connection based on the DTLS protocol connection; and the first terminal device establishes the SCTP connection with the second terminal device according to the first port number and the second port number, so as to transmit data with the second terminal device over the SCTP connection on top of the DTLS protocol connection.
With reference to the first aspect and the foregoing implementation manner, in a second implementation manner of the first aspect, before the first terminal device performs authentication processing with the second terminal device according to the first hash function, the first fingerprint information, the second hash function and the second fingerprint information, the method further includes: the first terminal device sends first role indication information to the second terminal device, where the first role indication information indicates the role supported by the first terminal device, the role being at least one of "active" and "passive"; and the first terminal device receives second role indication information sent by the second terminal device, where the second role indication information indicates the role supported by the second terminal device. The first terminal device performing authentication processing with the second terminal device according to the first hash function, the first fingerprint information, the second hash function and the second fingerprint information then includes: the first terminal device performs authentication processing with the second terminal device according to the first hash function, the first fingerprint information, the second hash function, the second fingerprint information, the role supported by the first terminal device and the role supported by the second terminal device.
In a second aspect, a method for transmitting data is provided, applied to a communication system including a first terminal device and a second terminal device, where the first terminal device and the second terminal device communicate with each other via the H.323 protocol. The method includes: the first terminal device receives a first hash function list sent by the second terminal device, where the first hash function list includes at least one hash function supported by the second terminal device; the first terminal device determines a target hash function from the first hash function list and determines fingerprint information corresponding to the target hash function, where the target hash function is a hash function supported by the first terminal device; the first terminal device sends the target hash function and the fingerprint information to the second terminal device; and the first terminal device performs authentication processing with the second terminal device according to the target hash function and the fingerprint information, so as to establish a Datagram Transport Layer Security (DTLS) protocol connection, and transmits data with the second terminal device over the DTLS protocol connection.
With reference to the second aspect, in a first implementation manner of the second aspect, before the first terminal device determines the target hash function from the first hash function list, the method further includes: the first terminal device receives role indication information sent by the second terminal device, where the role indication information indicates the role supported by the second terminal device, the role being at least one of "active" and "passive"; and the first terminal device determines the role supported by the second terminal device according to the role indication information. The first terminal device determining the target hash function from the first hash function list then includes: the first terminal device determines the target hash function from the first hash function list when it determines that the role supported by the first terminal device includes "active" and the role supported by the second terminal device includes "passive".
With reference to the second aspect and the foregoing implementation manner, in a second implementation manner of the second aspect, the first terminal device determining the target hash function from the first hash function list includes: the first terminal device determines the target hash function from the first hash function list according to the hash functions it itself supports.
With reference to the second aspect and the foregoing implementation manners, in a third implementation manner of the second aspect, before the first terminal device determines the target hash function from the first hash function list, the method further includes: the first terminal device sends a second hash function list to the second terminal device, where the second hash function list includes at least one hash function supported by the first terminal device, so that the second terminal device determines the first hash function list according to the second hash function list, the hash functions included in the first hash function list belonging to the second hash function list. The first terminal device determining the target hash function from the first hash function list then includes: the first terminal device determines any hash function in the first hash function list to be the target hash function.
With reference to the second aspect and the foregoing implementation manners, in a fourth implementation manner of the second aspect, the method further includes: the first terminal device sends a first port number to the second terminal device, where the first port number is the port number used by the first terminal device to establish a Stream Control Transmission Protocol (SCTP) connection based on the DTLS protocol connection; the first terminal device receives a second port number sent by the second terminal device, where the second port number is the port number used by the second terminal device to establish the SCTP connection based on the DTLS protocol connection; and the first terminal device establishes the SCTP connection with the second terminal device according to the first port number and the second port number, so as to transmit data with the second terminal device over the SCTP connection on top of the DTLS protocol connection.
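The hash-list exchange, target selection, fingerprint computation and fingerprint check described in the first and second aspects, as an added Python simulation that is not part of the patent. The supported-hash lists, roles and certificate bytes are constructed sample data; the byte strings stand in for DER-encoded certificates, and the colon-separated upper-case hex rendering of the fingerprint is an assumption (the page does not fix a fingerprint format).

```python
import hashlib
import hmac

# Constructed sample data: what each terminal supports and the DER bytes of its
# certificate. The byte strings only stand in for real DER certificates; all
# that matters for the fingerprint check is their digest.
TERMINAL_1 = {
    "hashes": ["sha512", "sha384", "sha256"],   # own preference order
    "roles": {"active", "passive"},
    "cert_der": b"constructed stand-in for terminal 1 DER certificate",
}
TERMINAL_2 = {
    "hashes": ["sha256", "sha1"],
    "roles": {"passive"},
    "cert_der": b"constructed stand-in for terminal 2 DER certificate",
}


def fingerprint(cert_der: bytes, hash_name: str) -> str:
    """Fingerprint information: the digest of the certificate under the named
    hash, rendered as colon-separated upper-case hex (assumed format)."""
    digest = hashlib.new(hash_name, cert_der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def choose_target_hash(peer_list, own_hashes):
    """Determine the target hash function from the peer's list: the first hash in
    our own preference order that the peer also listed. Anything we do not
    support is skipped, so the peer cannot push an algorithm onto us."""
    for name in own_hashes:
        if name in peer_list:
            return name
    raise ValueError("no hash function in common with the peer")


def may_select_target(own_roles, peer_roles):
    """Role rule of the second aspect: this terminal selects the target hash only
    when it supports 'active' and the peer supports 'passive'."""
    return "active" in own_roles and "passive" in peer_roles


def verify_peer(hash_name, claimed_fp, presented_cert_der, own_hashes):
    """Authentication step: recompute the fingerprint of the certificate the peer
    actually presented in the DTLS handshake, using the hash the peer announced
    during signalling, and compare it with the announced fingerprint."""
    if hash_name not in own_hashes:   # never hash with an algorithm we did not offer
        return False
    actual = fingerprint(presented_cert_der, hash_name)
    return hmac.compare_digest(actual.encode(), claimed_fp.encode())


def run_exchange(t1, t2):
    """Both directions of the first aspect: each side announces its list, the
    other side picks a hash it supports and returns (hash, fingerprint), and the
    DTLS connection is accepted only if both fingerprints check out."""
    # Signalling over the H.323 session: t2 -> t1 list, then t1 -> t2 (h1, fp1)
    h1 = choose_target_hash(t2["hashes"], t1["hashes"])
    fp1 = fingerprint(t1["cert_der"], h1)
    # t1 -> t2 list, then t2 -> t1 (h2, fp2)
    h2 = choose_target_hash(t1["hashes"], t2["hashes"])
    fp2 = fingerprint(t2["cert_der"], h2)
    # DTLS handshake: each side sees the peer certificate and checks it against
    # what that peer announced during signalling.
    t1_accepts = verify_peer(h2, fp2, t2["cert_der"], t1["hashes"])
    t2_accepts = verify_peer(h1, fp1, t1["cert_der"], t2["hashes"])
    return {"h1": h1, "h2": h2, "t1_accepts": t1_accepts, "t2_accepts": t2_accepts}


if __name__ == "__main__":
    print(run_exchange(TERMINAL_1, TERMINAL_2))
```

A certificate swapped in during the handshake fails `verify_peer` because its digest no longer matches the fingerprint announced over the signalling channel.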
In a third aspect, a method for transmitting data is provided, applied to a communication system including a first terminal device and a second terminal device, where the first terminal device and the second terminal device communicate with each other via the H.323 protocol. The method includes: the second terminal device sends a first hash function list to the first terminal device, where the first hash function list includes at least one hash function supported by the second terminal device; the second terminal device receives a target hash function sent by the first terminal device and fingerprint information corresponding to the target hash function, where the target hash function is determined by the first terminal device from the first hash function list and is a hash function supported by the first terminal device; and the second terminal device performs authentication processing with the first terminal device according to the target hash function and the fingerprint information, so as to establish a Datagram Transport Layer Security (DTLS) protocol connection, and transmits data with the second terminal device over the DTLS protocol connection.
With reference to the third aspect, in a first implementation manner of the third aspect, before the second terminal device receives the target hash function sent by the first terminal device and the fingerprint information corresponding to the target hash function, the method further includes: the second terminal device sends role indication information to the first terminal device, where the role indication information indicates the role supported by the second terminal device, the role being at least one of "active" or "passive", so that the first terminal device determines the target hash function from the first hash function list when it determines that the role supported by the first terminal device includes "active" and the role supported by the second terminal device includes "passive".
With reference to the third aspect and the foregoing implementation manner, in a second implementation manner of the third aspect, the target hash function is determined by the first terminal device from the first hash function list according to the hash functions the first terminal device itself supports.
With reference to the third aspect and the foregoing implementation manners, in a third implementation manner of the third aspect, before the second terminal device receives the target hash function sent by the first terminal device and the fingerprint information corresponding to the target hash function, the method further includes: the second terminal device receives a second hash function list sent by the first terminal device, where the second hash function list includes at least one hash function supported by the first terminal device; and the second terminal device determines the first hash function list according to the second hash function list, so that the hash functions included in the first hash function list belong to the second hash function list.
With reference to the third aspect and the foregoing implementation manners, in a fourth implementation manner of the third aspect, the method further includes: the second terminal device receives a first port number sent by the first terminal device, where the first port number is the port number used by the first terminal device to establish a Stream Control Transmission Protocol (SCTP) connection based on the DTLS protocol connection; the second terminal device sends a second port number to the first terminal device, where the second port number is the port number used by the second terminal device to establish the SCTP connection based on the DTLS protocol connection; and the second terminal device establishes the SCTP connection with the first terminal device according to the first port number and the second port number, so as to transmit data with the first terminal device over the SCTP connection on top of the DTLS protocol connection.
In a fourth aspect, a method for transmitting data is provided, applied to a communication system including a first terminal device, a second terminal device and a gateway device, where the first terminal device communicates with the gateway device via the H.323 protocol and the second terminal device communicates with the gateway device via the Session Initiation Protocol (SIP). The method includes: the gateway device receives at least one first hash function sent by the second terminal device, where the first hash function is a hash function supported by the second terminal device; sends to the first terminal device a first hash function list recording the first hash function; and receives a target first hash function and first fingerprint information sent by the first terminal device, where the target first hash function is determined by the first terminal device from the first hash function list and is a hash function supported by the first terminal device, the first fingerprint information is fingerprint information corresponding to the target first hash function, and the target first hash function and the first fingerprint information are used to authenticate the first terminal device. The gateway device receives a second hash function list sent by the first terminal device, where the second hash function list includes at least one second hash function supported by the first terminal device; sends some or all of the second hash functions to the second terminal device; and receives a target second hash function and second fingerprint information sent by the second terminal device, where the target second hash function is determined by the second terminal device from the some or all of the second hash functions and is a hash function supported by the second terminal device, the second fingerprint information is fingerprint information corresponding to the target second hash function, and the target second hash function and the second fingerprint information are used to authenticate the second terminal device. The gateway device sends the target first hash function and the first fingerprint information to the second terminal device, and sends the target second hash function and the second fingerprint information to the first terminal device, so that the first terminal device and the second terminal device perform authentication processing according to the target first hash function, the first fingerprint information, the target second hash function and the second fingerprint information, so as to establish a Datagram Transport Layer Security (DTLS) protocol connection and transmit data over the DTLS protocol connection.
With reference to the fourth aspect, in a first implementation manner of the fourth aspect, the method further includes: the gateway device receives first role indication information sent by the first terminal device and second role indication information sent by the second terminal device, where the first role indication information indicates the role supported by the first terminal device and the second role indication information indicates the role supported by the second terminal device, the role being at least one of "active" and "passive"; and the gateway device sends the first role indication information to the second terminal device and sends the second role indication information to the first terminal device, so that the first terminal device and the second terminal device perform authentication processing according to the first hash function, the first fingerprint information, the second hash function, the second fingerprint information, the role supported by the first terminal device and the role supported by the second terminal device.
With reference to the fourth aspect and the foregoing implementation manner, in a second implementation manner of the fourth aspect, the method further includes: the gateway device receives a first port number sent by the first terminal device and a second port number sent by the second terminal device, where the first port number is the port number used by the first terminal device to establish a Stream Control Transmission Protocol (SCTP) connection based on the DTLS protocol connection, and the second port number is the port number used by the second terminal device to establish the SCTP connection based on the DTLS protocol connection; and the gateway device forwards the first port number to the second terminal device and forwards the second port number to the first terminal device, so that the first terminal device and the second terminal device establish the SCTP connection according to the first port number and the second port number and transmit data over the SCTP connection.
In a fifth aspect, a method for transmitting data is provided, applied to a communication system including a first terminal device, a second terminal device and a gateway device, where the first terminal device communicates with the gateway device via the H.323 protocol and the second terminal device communicates with the gateway device via the Session Initiation Protocol (SIP). The method includes: the first terminal device receives a first hash function list sent by the gateway device, where the first hash function list records at least one first hash function sent by the second terminal device to the gateway device, the first hash function being a hash function supported by the second terminal device; determines a target first hash function from the first hash function list and determines first fingerprint information corresponding to the target first hash function, where the target first hash function is a hash function supported by the first terminal device, and the target first hash function and the first fingerprint information are used to authenticate the first terminal device; and sends the target first hash function and the first fingerprint information to the gateway device, so that the gateway device sends the target first hash function and the first fingerprint information to the second terminal device. The first terminal device sends a second hash function list to the gateway device, where the second hash function list includes at least one second hash function supported by the first terminal device, and receives a target second hash function and second fingerprint information sent by the gateway device, where the target second hash function is determined by the second terminal device from some or all of the second hash functions sent by the gateway device and is a hash function supported by the second terminal device, the second fingerprint information is fingerprint information corresponding to the target second hash function, and the target second hash function and the second fingerprint information are used to authenticate the second terminal device. The first terminal device performs authentication processing with the second terminal device according to the target first hash function, the first fingerprint information, the target second hash function and the second fingerprint information, so as to establish a Datagram Transport Layer Security (DTLS) protocol connection, and transmits data with the second terminal device over the DTLS protocol connection.
With reference to the fifth aspect, in a first implementation manner of the fifth aspect, the method further includes: the first terminal device sends a first port number to the gateway device, where the first port number is the port number used by the first terminal device to establish a Stream Control Transmission Protocol (SCTP) connection based on the DTLS protocol connection, so that the gateway device sends the first port number to the second terminal device; the first terminal device receives a second port number sent by the gateway device, where the second port number was sent by the second terminal device to the gateway device and is the port number used by the second terminal device to establish the SCTP connection based on the DTLS protocol connection; and the first terminal device establishes the SCTP connection with the second terminal device according to the first port number and the second port number, so as to transmit data with the second terminal device over the SCTP connection on top of the DTLS protocol connection.
With reference to the fifth aspect and the foregoing implementation manner, in a second implementation manner of the fifth aspect, before the first terminal device performs authentication processing with the second terminal device according to the target first hash function, the first fingerprint information, the target second hash function and the second fingerprint information, the method further includes: the first terminal device sends first role indication information to the gateway device, where the first role indication information indicates the role supported by the first terminal device, the role being at least one of "active" and "passive", so that the gateway device sends the first role indication information to the second terminal device; and the first terminal device receives second role indication information sent by the gateway device, where the second role indication information was sent by the second terminal device to the gateway device and indicates the role supported by the second terminal device. The first terminal device performing authentication processing with the second terminal device according to the target first hash function, the first fingerprint information, the target second hash function and the second fingerprint information then includes: the first terminal device performs authentication processing with the second terminal device according to the target first hash function, the first fingerprint information, the target second hash function, the second fingerprint information, the role supported by the first terminal device and the role supported by the second terminal device.
In a sixth aspect, a method for transmitting data is provided, applied to a communication system including a first terminal device, a second terminal device and a gateway device, where the first terminal device communicates with the gateway device via the H.323 protocol and the second terminal device communicates with the gateway device via the Session Initiation Protocol (SIP). The method includes: the gateway device receives a hash function list sent by the first terminal device, where the hash function list includes at least one hash function supported by the first terminal device; the gateway device performs negotiation processing with the second terminal device according to the hash function list, so as to determine at least one candidate hash function from the hash function list, where the candidate hash function is a hash function supported by the second terminal device; the gateway device sends the candidate hash function to the first terminal device, so that the first terminal device determines a target hash function from the candidate hash functions and determines fingerprint information corresponding to the target hash function; and the gateway device receives the target hash function and the fingerprint information sent by the first terminal device and sends the target hash function and the fingerprint information to the second terminal device, so that the first terminal device and the second terminal device perform authentication processing according to the target hash function and the fingerprint information, so as to establish a Datagram Transport Layer Security (DTLS) protocol connection and transmit data over the DTLS protocol connection.
With reference to the sixth aspect, in a first implementation manner of the sixth aspect, the gateway device performing negotiation processing with the second terminal device according to the hash function list, so as to determine at least one candidate hash function from the hash function list, includes: the gateway device sends a to-be-verified hash function to the second terminal device, where the to-be-verified hash function is any hash function in the hash function list; the gateway device receives a verification message sent by the second terminal device, where the verification message is used to indicate whether the to-be-verified hash function belongs to the hash functions supported by the second terminal device; and when the gateway device determines, according to the verification message, that the to-be-verified hash function belongs to the hash functions supported by the second terminal device, the gateway device determines the to-be-verified hash function as a candidate hash function.
With reference to the sixth aspect and the foregoing implementation manner, in a second implementation manner of the sixth aspect, the gateway device determining, according to the verification message, that the to-be-verified hash function belongs to the hash functions supported by the second terminal device and determining the to-be-verified hash function as a candidate hash function includes: when the gateway device determines that the verification message carries the to-be-verified hash function, the gateway device determines that the to-be-verified hash function belongs to the hash functions supported by the second terminal device and determines the to-be-verified hash function as a candidate hash function.
With reference to the sixth aspect and the foregoing implementation manners, in a third implementation manner of the sixth aspect, the method further includes: the gateway device receives a first port number sent by the first terminal device and a second port number sent by the second terminal device, where the first port number is the port number used by the first terminal device to establish a Stream Control Transmission Protocol (SCTP) connection over the DTLS protocol connection and the second port number is the port number used by the second terminal device to establish the SCTP connection over the DTLS protocol connection; and the gateway device forwards the first port number to the second terminal device and forwards the second port number to the first terminal device, so that the first terminal device and the second terminal device establish the SCTP connection according to the first port number and the second port number and transmit data through the SCTP connection.
According to a seventh aspect, a method for transmitting data is provided, applied to a communication system including a first terminal device, a second terminal device and a gateway device, where the first terminal device communicates with the gateway device through the H.323 protocol and the second terminal device communicates with the gateway device through the Session Initiation Protocol (SIP). The method includes: the first terminal device sends a hash function list to the gateway device, where the hash function list includes at least one hash function supported by the first terminal device, so that the gateway device performs negotiation processing with the second terminal device according to the hash function list in order to determine at least one candidate hash function from the hash function list, where the candidate hash function belongs to the hash functions supported by the second terminal device; the first terminal device receives the candidate hash function sent by the gateway device; the first terminal device determines a target hash function from the candidate hash functions and determines fingerprint information corresponding to the target hash function; the first terminal device sends the target hash function and the fingerprint information to the gateway device, so that the gateway device forwards the target hash function and the fingerprint information to the second terminal device; and the first terminal device performs authentication processing with the second terminal device according to the target hash function and the fingerprint information, so as to establish a DTLS protocol connection and transmit data through the DTLS protocol connection.
With reference to the seventh aspect, in a first implementation manner of the seventh aspect, the method further includes: the first terminal device sends a first port number to the gateway device, so that the gateway device forwards the first port number to the second terminal device, where the first port number is the port number used by the first terminal device to establish an SCTP connection over the DTLS protocol connection; the first terminal device receives a second port number sent by the gateway device, where the second port number is sent by the second terminal device to the gateway device and is the port number used by the second terminal device to establish the SCTP connection over the DTLS protocol connection; and the first terminal device establishes the SCTP connection with the second terminal device according to the first port number and the second port number, so as to transmit data through the SCTP connection.
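The sixth and seventh aspects above describe one negotiation: the gateway probes the SIP terminal with each hash function from the H.323 terminal's list and keeps the ones whose verification message carries the probed function; the H.323 terminal then picks a target hash function it supports, derives the fingerprint of its own certificate, and the peer checks that fingerprint against the certificate presented in the DTLS handshake. The following Python is an added worked example of that flow, written for this page; it is not code from the patent or from Huawei. It assumes that hash function identifiers are hashlib algorithm names and that fingerprint information is the hex digest of the DER-encoded certificate (the patent fixes neither encoding), uses constructed byte strings in place of real certificates, and adds one tie-break the patent does not specify for the "active"/"passive" role indication of the fifth aspect (the initiating side takes "active" when both sides support both roles). The same `authenticate_peer` check is what each side runs in the mutual variants of the eighth, eleventh and twelfth aspects.

```python
import hashlib
import hmac

# Assumption: hash functions are identified by hashlib algorithm names and the
# fingerprint information is the hex digest of the DER certificate. The patent
# leaves both encodings open.


def fingerprint(cert_der: bytes, hash_name: str) -> str:
    """Fingerprint information corresponding to `hash_name` for one certificate."""
    return hashlib.new(hash_name, cert_der).hexdigest()


def gateway_negotiate(h323_hash_list, sip_verify):
    """Sixth aspect, first and second implementation manners (gateway side).

    Every hash function in the H.323 terminal's list is sent to the SIP terminal
    as a to-be-verified hash function. `sip_verify(h)` models the round trip and
    returns the verification message payload: the function itself when the SIP
    terminal supports it (the message "carries" it), otherwise None.
    """
    candidates = []
    for h in h323_hash_list:
        verification_message = sip_verify(h)
        if verification_message == h:
            candidates.append(h)
    return candidates


def choose_target(candidates, own_supported, own_cert_der):
    """Seventh aspect (terminal side): pick the first candidate this terminal
    supports (candidate order is taken as the preference order, an assumption)
    and derive the fingerprint of the terminal's own certificate under it."""
    for h in candidates:
        if h in own_supported:
            return h, fingerprint(own_cert_der, h)
    raise ValueError("no hash function supported by both terminals")


def resolve_role(own_roles, peer_roles, initiator):
    """Role indication: a terminal takes "active" only if it supports "active"
    and the peer supports "passive". If both sides support both roles the
    patent gives no tie-break; here the initiator becomes "active" (assumption).
    Returns None when the role sets cannot be paired."""
    can_be_active = "active" in own_roles and "passive" in peer_roles
    can_be_passive = "passive" in own_roles and "active" in peer_roles
    if can_be_active and can_be_passive:
        return "active" if initiator else "passive"
    if can_be_active:
        return "active"
    if can_be_passive:
        return "passive"
    return None


def authenticate_peer(signaled_hash, signaled_fp, presented_cert_der, own_supported):
    """Authentication processing: the certificate the peer presents in the DTLS
    handshake must hash, under the signaled target hash, to the fingerprint
    received over signaling. A signaled hash outside the local supported set is
    refused before anything is computed, so tampering with the signaling
    message cannot downgrade the check to a hash the terminal never offered."""
    if signaled_hash not in own_supported:
        return False
    expected = fingerprint(presented_cert_der, signaled_hash)
    return hmac.compare_digest(expected, signaled_fp)


def run_scenario():
    """End-to-end walk-through on constructed inputs (not real certificates)."""
    cert_h323 = b"\x30\x82\x01\x00constructed DER certificate of the H.323 terminal"
    cert_mitm = b"\x30\x82\x01\x00constructed DER certificate of an interposed host"
    h323_supported = ["sha1", "sha256", "sha512"]   # list sent to the gateway
    sip_supported = {"sha256", "sha384"}

    def sip_verify(h):                               # SIP terminal's verification message
        return h if h in sip_supported else None

    candidates = gateway_negotiate(h323_supported, sip_verify)
    target, fp = choose_target(candidates, h323_supported, cert_h323)
    role = resolve_role({"active", "passive"}, {"passive"}, initiator=True)
    # The gateway forwards (target, fp); the SIP terminal checks the DTLS peer certificate.
    genuine = authenticate_peer(target, fp, cert_h323, sip_supported)
    substituted = authenticate_peer(target, fp, cert_mitm, sip_supported)
    # Signaling altered to name a hash the SIP terminal never offered (placeholder digest).
    downgraded = authenticate_peer("md5", "0" * 32, cert_mitm, sip_supported)
    return {
        "candidates": candidates, "target": target, "role": role,
        "genuine": genuine, "substituted": substituted, "downgraded": downgraded,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The check in `authenticate_peer` is the security-relevant step: the fingerprint only binds the DTLS connection to the signaled identity if the comparison is done against the certificate actually presented in the handshake, and if the hash named in signaling is one the verifying side itself supports.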
According to an eighth aspect, an apparatus for transmitting data is provided, configured in a communication system including the apparatus and a second terminal device, where the apparatus communicates with the second terminal device through the H.323 protocol. The apparatus includes: a receiving unit, configured to receive a first hash function list sent by the second terminal device, where the first hash function list includes at least one hash function supported by the second terminal device; a processing unit, configured to determine a first hash function from the first hash function list and determine first fingerprint information corresponding to the first hash function; and a sending unit, configured to send the first hash function and the first fingerprint information to the second terminal device, where the first hash function belongs to the hash functions supported by the apparatus, and the first hash function and the first fingerprint information are used for authentication of the apparatus. The sending unit is further configured to send a second hash function list to the second terminal device, where the second hash function list includes at least one hash function supported by the apparatus; the receiving unit is further configured to receive a second hash function and second fingerprint information sent by the second terminal device, where the second hash function is determined by the second terminal device from the second hash function list and belongs to the hash functions supported by the second terminal device, the second fingerprint information is fingerprint information corresponding to the second hash function, and the second hash function and the second fingerprint information are used for authenticating the second terminal device; and the processing unit is further configured to perform authentication processing with the second terminal device according to the first hash function, the first fingerprint information, the second hash function and the second fingerprint information, so as to establish a DTLS protocol connection and transmit data with the second terminal device through the DTLS protocol connection.
With reference to the eighth aspect, in a first implementation manner of the eighth aspect, the sending unit is further configured to send a first port number to the second terminal device, where the first port number is the port number used by the apparatus to establish an SCTP connection over the DTLS protocol connection; the receiving unit is further configured to receive a second port number sent by the second terminal device, where the second port number is the port number used by the second terminal device to establish the SCTP connection over the DTLS protocol connection; and the processing unit is further configured to establish the SCTP connection with the second terminal device according to the first port number and the second port number, so as to transmit data with the second terminal device through the SCTP connection over the DTLS protocol connection.
With reference to the eighth aspect and the foregoing implementation manner, in a second implementation manner of the eighth aspect, the sending unit is further configured to send first role indication information to the second terminal device, where the first role indication information is used to indicate the role supported by the apparatus, the role being at least one of "active" and "passive"; the receiving unit is further configured to receive second role indication information sent by the second terminal device, where the second role indication information is used to indicate the role supported by the second terminal device; and the processing unit is specifically configured to perform the authentication processing with the second terminal device according to the first hash function, the first fingerprint information, the second hash function, the second fingerprint information, the role supported by the apparatus and the role supported by the second terminal device.
According to a ninth aspect, an apparatus for transmitting data is provided, configured in a communication system including the apparatus and a second terminal device, where the apparatus communicates with the second terminal device through the H.323 protocol. The apparatus includes: a receiving unit, configured to receive a first hash function list sent by the second terminal device, where the first hash function list includes at least one hash function supported by the second terminal device; a processing unit, configured to determine a target hash function from the first hash function list and determine fingerprint information corresponding to the target hash function, where the target hash function belongs to the hash functions supported by the apparatus; and a sending unit, configured to send the target hash function and the fingerprint information to the second terminal device. The processing unit is further configured to perform authentication processing with the second terminal device according to the target hash function and the fingerprint information, so as to establish a DTLS protocol connection and transmit data with the second terminal device through the DTLS protocol connection.
With reference to the ninth aspect, in a first implementation manner of the ninth aspect, the receiving unit is further configured to receive role indication information sent by the second terminal device, where the role indication information is used to indicate the role supported by the second terminal device, the role being at least one of "active" and "passive"; and the processing unit is further configured to determine, according to the role indication information, the role supported by the second terminal device, and to determine the target hash function from the first hash function list when it determines that the role supported by the apparatus includes "active" and the role supported by the second terminal device includes "passive".
With reference to the ninth aspect and the foregoing implementation manner, in a second implementation manner of the ninth aspect, the processing unit is specifically configured to determine the target hash function from the first hash function list according to the hash functions supported by the apparatus itself.
With reference to the ninth aspect and the foregoing implementation manners, in a third implementation manner of the ninth aspect, the sending unit is further configured to send a second hash function list to the second terminal device, where the second hash function list includes at least one hash function supported by the apparatus, so that the second terminal device determines the first hash function list according to the second hash function list, where the hash functions included in the first hash function list belong to the second hash function list; and the processing unit is specifically configured to determine any hash function in the first hash function list as the target hash function.
With reference to the ninth aspect and the foregoing implementation manners, in a fourth implementation manner of the ninth aspect, the sending unit is further configured to send a first port number to the second terminal device, where the first port number is the port number used by the apparatus to establish an SCTP connection over the DTLS protocol connection; the receiving unit is further configured to receive a second port number sent by the second terminal device, where the second port number is the port number used by the second terminal device to establish the SCTP connection over the DTLS protocol connection; and the processing unit is further configured to establish the SCTP connection with the second terminal device according to the first port number and the second port number, so as to transmit data with the second terminal device through the SCTP connection over the DTLS protocol connection.
According to a tenth aspect, an apparatus for transmitting data is provided, configured in a communication system including a first terminal device and the apparatus, where the first terminal device communicates with the apparatus through the H.323 protocol. The apparatus includes: a sending unit, configured to send a first hash function list to the first terminal device, where the first hash function list includes at least one hash function supported by the apparatus; a receiving unit, configured to receive a target hash function sent by the first terminal device and fingerprint information corresponding to the target hash function, where the target hash function is determined by the first terminal device from the first hash function list and belongs to the hash functions supported by the first terminal device; and a processing unit, configured to perform authentication processing with the first terminal device according to the target hash function and the fingerprint information, so as to establish a DTLS protocol connection and transmit data with the first terminal device through the DTLS protocol connection.
With reference to the tenth aspect, in a first implementation manner of the tenth aspect, the sending unit is further configured to send role indication information to the first terminal device, where the role indication information is used to indicate the role supported by the apparatus, the role being at least one of "active" and "passive", so that the first terminal device determines the target hash function from the first hash function list when it determines that the role supported by the first terminal device includes "active" and the role supported by the apparatus includes "passive".
With reference to the tenth aspect and the foregoing implementation manner, in a second implementation manner of the tenth aspect, the target hash function is determined by the first terminal device from the first hash function list according to the hash functions supported by the first terminal device itself.
With reference to the tenth aspect and the foregoing implementation manners, in a third implementation manner of the tenth aspect, the receiving unit is further configured to receive a second hash function list sent by the first terminal device, where the second hash function list includes at least one hash function supported by the first terminal device; and the processing unit is further configured to determine the first hash function list according to the second hash function list, so that the hash functions included in the first hash function list belong to the second hash function list.
With reference to the tenth aspect and the foregoing implementation manners, in a fourth implementation manner of the tenth aspect, the receiving unit is further configured to receive a first port number sent by the first terminal device, where the first port number is the port number used by the first terminal device to establish an SCTP connection over the DTLS protocol connection; the sending unit is further configured to send a second port number to the first terminal device, where the second port number is the port number used by the apparatus to establish the SCTP connection over the DTLS protocol connection; and the processing unit is further configured to establish the SCTP connection with the first terminal device according to the first port number and the second port number, so as to transmit data with the first terminal device through the SCTP connection over the DTLS protocol connection.
According to an eleventh aspect, an apparatus for transmitting data is provided, configured in a communication system including a first terminal device, a second terminal device and the apparatus, where the first terminal device communicates with the apparatus through the H.323 protocol and the second terminal device communicates with the apparatus through the Session Initiation Protocol (SIP). The apparatus includes: a receiving unit, configured to receive at least one first hash function sent by the second terminal device, where the first hash function belongs to the hash functions supported by the second terminal device, and to receive a second hash function list sent by the first terminal device, where the second hash function list includes at least one second hash function supported by the first terminal device; and a sending unit, configured to send a first hash function list recording the first hash function to the first terminal device and to send part or all of the second hash functions to the second terminal device. The receiving unit is further configured to receive a target first hash function and first fingerprint information sent by the first terminal device, and to receive a target second hash function and second fingerprint information sent by the second terminal device, where the target first hash function is determined by the first terminal device from the first hash function list and belongs to the hash functions supported by the first terminal device, the first fingerprint information is fingerprint information corresponding to the target first hash function, the target first hash function and the first fingerprint information are used for authenticating the first terminal device, the target second hash function is determined by the second terminal device from the part or all of the second hash functions and belongs to the hash functions supported by the second terminal device, the second fingerprint information is fingerprint information corresponding to the target second hash function, and the target second hash function and the second fingerprint information are used for authenticating the second terminal device. The sending unit is further configured to send the target first hash function and the first fingerprint information to the second terminal device and to send the target second hash function and the second fingerprint information to the first terminal device, so that the first terminal device and the second terminal device perform authentication processing according to the target first hash function, the first fingerprint information, the target second hash function and the second fingerprint information in order to establish a DTLS protocol connection and transmit data through the DTLS protocol connection.
With reference to the eleventh aspect, in a first implementation manner of the eleventh aspect, the receiving unit is further configured to receive first role indication information sent by the first terminal device and second role indication information sent by the second terminal device, where the first role indication information is used to indicate the role supported by the first terminal device, the second role indication information is used to indicate the role supported by the second terminal device, and the role is at least one of "active" and "passive"; and the sending unit is further configured to send the first role indication information to the second terminal device and to send the second role indication information to the first terminal device, so that the first terminal device and the second terminal device perform the authentication processing according to the first hash function, the first fingerprint information, the second hash function, the second fingerprint information, the role supported by the first terminal device and the role supported by the second terminal device.
With reference to the eleventh aspect and the foregoing implementation manner, in a second implementation manner of the eleventh aspect, the receiving unit is further configured to receive a first port number sent by the first terminal device and a second port number sent by the second terminal device, where the first port number is the port number used by the first terminal device to establish an SCTP connection over the DTLS protocol connection and the second port number is the port number used by the second terminal device to establish the SCTP connection over the DTLS protocol connection; and the sending unit is further configured to forward the first port number to the second terminal device and to forward the second port number to the first terminal device, so that the first terminal device and the second terminal device establish the SCTP connection according to the first port number and the second port number and transmit data through the SCTP connection.
According to a twelfth aspect, an apparatus for transmitting data is provided, configured in a communication system including the apparatus, a second terminal device and a gateway device, where the apparatus communicates with the gateway device through the H.323 protocol and the second terminal device communicates with the gateway device through the Session Initiation Protocol (SIP). The apparatus includes: a receiving unit, configured to receive a first hash function list sent by the gateway device, where the first hash function list records at least one first hash function sent by the second terminal device to the gateway device, and the first hash function belongs to the hash functions supported by the second terminal device; a processing unit, configured to determine a target first hash function from the first hash function list and determine first fingerprint information corresponding to the target first hash function, where the target first hash function belongs to the hash functions supported by the apparatus, and the target first hash function and the first fingerprint information are used for authentication of the apparatus; and a sending unit, configured to send the target first hash function and the first fingerprint information to the gateway device, so that the gateway device sends the target first hash function and the first fingerprint information to the second terminal device, and configured to send a second hash function list to the gateway device, where the second hash function list includes at least one second hash function supported by the apparatus. The receiving unit is further configured to receive a target second hash function and second fingerprint information sent by the gateway device, where the target second hash function is determined by the second terminal device from the part or all of the second hash functions sent by the gateway device and belongs to the hash functions supported by the second terminal device, the second fingerprint information is fingerprint information corresponding to the target second hash function, and the target second hash function and the second fingerprint information are used for authenticating the second terminal device; and the processing unit is further configured to perform authentication processing with the second terminal device according to the target first hash function, the first fingerprint information, the target second hash function and the second fingerprint information, so as to establish a DTLS protocol connection and transmit data with the second terminal device through the DTLS protocol connection.
With reference to the twelfth aspect, in a first implementation manner of the twelfth aspect, the sending unit is further configured to send a first port number to the gateway device, where the first port number is the port number used by the apparatus to establish an SCTP connection over the DTLS protocol connection, so that the gateway device sends the first port number to the second terminal device; the receiving unit is further configured to receive a second port number sent by the gateway device, where the second port number is sent by the second terminal device to the gateway device and is the port number used by the second terminal device to establish the SCTP connection over the DTLS protocol connection; and the processing unit is further configured to establish the SCTP connection with the second terminal device according to the first port number and the second port number, so as to transmit data with the second terminal device through the SCTP connection over the DTLS protocol connection.
结合第十二方面及其上述实现方式,在第十二方面的第二种实现方式中,该发送单元还用于向该网关设备发送第一角色指示信息,该第一角色指示信息用于指示该装置支持的角色,该角色为“主动”和“被动”中的至少一种,以便于该网关设备将该第一角色指示信息发送给该第二终端设备;该接收单元还用于接收该网关设备发送的第二角色指示信息,该第二角色指示信息是该第二终端设备发送给该网关设备的,且该第二角色指示信息用于指示该第二终端设备支持的角色;以及该处理单元具体用于根据该目标第一哈希函数、该第一指纹信息、该目标第二哈希函数、该第二指纹信息、该装置支持的角色和该第二终端设备支持的角色与该第二终端设备进行认证处理。With the twelfth aspect and the foregoing implementation manner, in a second implementation manner of the twelfth aspect, the sending unit is further configured to send, to the gateway device, first role indication information, where the first role indication information is used to indicate a role supported by the device, the role is at least one of "active" and "passive", so that the gateway device sends the first role indication information to the second terminal device; the receiving unit is further configured to receive the a second role indication information sent by the gateway device, where the second role indication information is sent by the second terminal device to the gateway device, and the second role indication information is used to indicate a role supported by the second terminal device; The processing unit is specifically configured to: according to the target first hash function, the first fingerprint information, the target second hash function, the second fingerprint information, a role supported by the device, and a role supported by the second terminal device The second terminal device performs an authentication process.
According to a thirteenth aspect, an apparatus for transmitting data is provided, configured in a communication system that includes a first terminal device, a second terminal device, and the apparatus, where the first terminal device and the apparatus communicate using the H.323 protocol and the second terminal device and the apparatus communicate using the Session Initiation Protocol (SIP). The apparatus includes: a receiving unit, configured to receive a hash function list sent by the first terminal device, where the hash function list includes at least one hash function supported by the first terminal device; a processing unit, configured to perform negotiation processing with the second terminal device according to the hash function list, so as to determine at least one candidate hash function from the hash function list, where the candidate hash function belongs to the hash functions supported by the second terminal device; and a sending unit, configured to send the candidate hash function to the first terminal device, so that the first terminal device determines a target hash function from the candidate hash functions and determines fingerprint information corresponding to the target hash function; the receiving unit is further configured to receive the target hash function and the fingerprint information sent by the first terminal device; and the sending unit is further configured to send the target hash function and the fingerprint information to the second terminal device, so that the first terminal device and the second terminal device perform authentication processing according to the target hash function and the fingerprint information, establish a Datagram Transport Layer Security (DTLS) protocol connection, and transmit data over the DTLS protocol connection.
In combination with the thirteenth aspect, in a first implementation manner of the thirteenth aspect, the sending unit is further configured to send a to-be-verified hash function to the second terminal device, where the to-be-verified hash function is any hash function in the hash function list; the receiving unit is further configured to receive a verification message sent by the second terminal device, where the verification message indicates whether the to-be-verified hash function belongs to the hash functions supported by the second terminal device; and the processing unit is specifically configured to determine the to-be-verified hash function as a candidate hash function when it determines, according to the verification message, that the to-be-verified hash function belongs to the hash functions supported by the second terminal device.
In combination with the thirteenth aspect and the foregoing implementation manner, in a second implementation manner of the thirteenth aspect, the processing unit is specifically configured to: when it determines that the verification message carries the to-be-verified hash function, determine that the to-be-verified hash function belongs to the hash functions supported by the second terminal device, and determine the to-be-verified hash function as a candidate hash function.
In combination with the thirteenth aspect and the foregoing implementation manners, in a third implementation manner of the thirteenth aspect, the receiving unit is further configured to receive a first port number sent by the first terminal device and a second port number sent by the second terminal device, where the first port number is the port number used by the first terminal device to establish a Stream Control Transmission Protocol (SCTP) connection on top of the DTLS protocol connection, and the second port number is the port number used by the second terminal device to establish the SCTP connection on top of the DTLS protocol connection; and the sending unit is further configured to forward the first port number to the second terminal device and forward the second port number to the first terminal device, so that the first terminal device and the second terminal device establish an SCTP connection according to the first port number and the second port number and transmit data over the SCTP connection.
According to a fourteenth aspect, an apparatus for transmitting data is provided, configured in a communication system that includes the apparatus, a second terminal device, and a gateway device, where the apparatus and the gateway device communicate using the H.323 protocol and the second terminal device and the gateway device communicate using the Session Initiation Protocol (SIP). The apparatus includes: a sending unit, configured to send a hash function list to the gateway device, where the hash function list includes at least one hash function supported by the apparatus, so that the gateway device performs negotiation processing with the second terminal device according to the hash function list and determines at least one candidate hash function from the hash function list, where the candidate hash function belongs to the hash functions supported by the second terminal device; a receiving unit, configured to receive the candidate hash function sent by the gateway device; and a processing unit, configured to determine a target hash function from the candidate hash functions and determine fingerprint information corresponding to the target hash function; the sending unit is further configured to send the target hash function and the fingerprint information to the gateway device, so that the gateway device forwards the target hash function and the fingerprint information to the second terminal device; and the processing unit is further configured to perform authentication processing with the second terminal device according to the target hash function and the fingerprint information, so as to establish a Datagram Transport Layer Security (DTLS) protocol connection and transmit data over the DTLS protocol connection.
In combination with the fourteenth aspect, in a first implementation manner of the fourteenth aspect, the sending unit is further configured to send a first port number to the gateway device, so that the gateway device forwards the first port number to the second terminal device, where the first port number is the port number used by the apparatus to establish a Stream Control Transmission Protocol (SCTP) connection on top of the DTLS protocol connection; the receiving unit is further configured to receive a second port number sent by the gateway device, where the second port number is sent by the second terminal device to the gateway device and is the port number used by the second terminal device to establish the SCTP connection on top of the DTLS protocol connection; and the processing unit is further configured to establish an SCTP connection with the second terminal device according to the first port number and the second port number, so as to transmit data over the SCTP connection.
According to a fifteenth aspect, a system for transmitting data is provided, including a first terminal device, a second terminal device, and a gateway device, where the first terminal device and the gateway device communicate using the H.323 protocol and the second terminal device and the gateway device communicate using the Session Initiation Protocol (SIP). The gateway device is configured to: receive at least one first hash function sent by the second terminal device, where the first hash function belongs to the hash functions supported by the second terminal device; send to the first terminal device a first hash function list in which the first hash function is recorded; receive a target first hash function and first fingerprint information sent by the first terminal device, where the target first hash function is determined by the first terminal device from the first hash function list and belongs to the hash functions supported by the first terminal device, the first fingerprint information is the fingerprint information corresponding to the target first hash function, and the target first hash function and the first fingerprint information are used for authenticating the first terminal device; receive a second hash function list sent by the first terminal device, where the second hash function list includes at least one second hash function supported by the first terminal device; send part or all of the second hash functions to the second terminal device; receive a target second hash function and second fingerprint information sent by the second terminal device, where the target second hash function is determined by the second terminal device from the part or all of the second hash functions and belongs to the hash functions supported by the second terminal device, the second fingerprint information is the fingerprint information corresponding to the target second hash function, and the target second hash function and the second fingerprint information are used for authenticating the second terminal device; and send the target first hash function and the first fingerprint information to the second terminal device and the target second hash function and the second fingerprint information to the first terminal device, so that the first terminal device and the second terminal device perform authentication processing according to the target first hash function, the first fingerprint information, the target second hash function, and the second fingerprint information, establish a Datagram Transport Layer Security (DTLS) protocol connection, and transmit data over the DTLS protocol connection. The first terminal device is configured to: receive the first hash function list sent by the gateway device, where the first hash function list records at least one first hash function sent by the second terminal device to the gateway device, the first hash function belonging to the hash functions supported by the second terminal device; determine a target first hash function from the first hash function list and determine first fingerprint information corresponding to the target first hash function, where the target first hash function belongs to the hash functions supported by the first terminal device, and the target first hash function and the first fingerprint information are used for authenticating the first terminal device; send the determined target first hash function and the first fingerprint information to the gateway device, so that the gateway device sends the target first hash function and the first fingerprint information to the second terminal device; send a second hash function list to the gateway device, where the second hash function list includes at least one second hash function supported by the first terminal device; receive a target second hash function and second fingerprint information sent by the gateway device, where the target second hash function is determined by the second terminal device from part or all of the second hash functions sent by the gateway device and belongs to the hash functions supported by the second terminal device, the second fingerprint information is the fingerprint information corresponding to the target second hash function, and the target second hash function and the second fingerprint information are used for authenticating the second terminal device; and perform authentication processing with the second terminal device according to the target first hash function, the first fingerprint information, the target second hash function, and the second fingerprint information, so as to establish a DTLS protocol connection and transmit data to and from the second terminal device over the DTLS protocol connection.
According to a sixteenth aspect, a system for transmitting data is provided, including a first terminal device, a second terminal device, and a gateway device, where the first terminal device and the gateway device communicate using the H.323 protocol and the second terminal device and the gateway device communicate using the Session Initiation Protocol (SIP). The gateway device is configured to: receive a hash function list sent by the first terminal device, where the hash function list includes at least one hash function supported by the first terminal device; perform negotiation processing with the second terminal device according to the hash function list, so as to determine at least one candidate hash function from the hash function list, where the candidate hash function belongs to the hash functions supported by the second terminal device; send the candidate hash function to the first terminal device, so that the first terminal device determines a target hash function from the candidate hash functions and determines fingerprint information corresponding to the target hash function; and receive the target hash function and the fingerprint information sent by the first terminal device and send the target hash function and the fingerprint information to the second terminal device, so that the first terminal device and the second terminal device perform authentication processing according to the target hash function and the fingerprint information, establish a Datagram Transport Layer Security (DTLS) protocol connection, and transmit data over the DTLS protocol connection. The first terminal device is configured to: send a hash function list to the gateway device, where the hash function list includes at least one hash function supported by the first terminal device, so that the gateway device performs negotiation processing with the second terminal device according to the hash function list and determines at least one candidate hash function from the hash function list, where the candidate hash function belongs to the hash functions supported by the second terminal device; receive the candidate hash function sent by the gateway device; determine a target hash function from the candidate hash functions and determine fingerprint information corresponding to the target hash function; send the target hash function and the fingerprint information to the gateway device, so that the gateway device forwards the target hash function and the fingerprint information to the second terminal device; and perform authentication processing with the second terminal device according to the target hash function and the fingerprint information, so as to establish a DTLS protocol connection and transmit data over the DTLS protocol connection.
According to the method, apparatus, and system for transmitting data in the embodiments of the present invention, the first terminal device negotiates a hash function and fingerprint information with the second terminal device on the basis of the H.323 protocol, so that the first terminal device and the second terminal device can perform authentication processing based on that hash function and fingerprint information and establish a DTLS protocol connection. The first terminal device and the second terminal device can then transmit data over the DTLS protocol connection, which makes effective use of the security authentication mechanism of the DTLS protocol to improve the security of the transmitted data, and makes the DTLS protocol usable by terminal devices that use the H.323 protocol, thereby improving the reliability and practicability of the terminal devices and improving user experience.
BRIEF DESCRIPTION OF THE DRAWINGS
To describe the technical solutions in the embodiments of the present invention more clearly, the accompanying drawings required for the embodiments are briefly introduced below. Obviously, the drawings described below are merely some embodiments of the present invention, and a person of ordinary skill in the art may derive other drawings from them without creative effort.
FIG. 1 is a schematic flowchart of a method for transmitting data according to an embodiment of the present invention.
FIG. 2 is a schematic flowchart of a method for transmitting data according to another embodiment of the present invention.
FIG. 3 is a schematic flowchart of a method for transmitting data according to still another embodiment of the present invention.
FIG. 4 is a schematic flowchart of a method for transmitting data according to still another embodiment of the present invention.
FIG. 5 is a schematic flowchart of a method for transmitting data according to still another embodiment of the present invention.
FIG. 6 is a schematic flowchart of a method for transmitting data according to still another embodiment of the present invention.
FIG. 7 is a schematic flowchart of a method for transmitting data according to still another embodiment of the present invention.
FIG. 8 is a schematic block diagram of an apparatus for transmitting data according to an embodiment of the present invention.
FIG. 9 is a schematic block diagram of an apparatus for transmitting data according to another embodiment of the present invention.
FIG. 10 is a schematic block diagram of an apparatus for transmitting data according to still another embodiment of the present invention.
FIG. 11 is a schematic block diagram of an apparatus for transmitting data according to still another embodiment of the present invention.
FIG. 12 is a schematic block diagram of an apparatus for transmitting data according to still another embodiment of the present invention.
FIG. 13 is a schematic block diagram of an apparatus for transmitting data according to still another embodiment of the present invention.
FIG. 14 is a schematic block diagram of an apparatus for transmitting data according to still another embodiment of the present invention.
FIG. 15 is a schematic block diagram of a device for transmitting data according to an embodiment of the present invention.
FIG. 16 is a schematic block diagram of a device for transmitting data according to another embodiment of the present invention.
FIG. 17 is a schematic block diagram of a device for transmitting data according to still another embodiment of the present invention.
FIG. 18 is a schematic block diagram of a device for transmitting data according to still another embodiment of the present invention.
FIG. 19 is a schematic block diagram of a device for transmitting data according to still another embodiment of the present invention.
FIG. 20 is a schematic block diagram of a device for transmitting data according to still another embodiment of the present invention.
FIG. 21 is a schematic block diagram of a device for transmitting data according to still another embodiment of the present invention.
FIG. 22 is a schematic architectural diagram of a system for transmitting data according to still another embodiment of the present invention.
FIG. 23 is a schematic architectural diagram of a device for transmitting data according to still another embodiment of the present invention.
DETAILED DESCRIPTION
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings in the embodiments of the present invention. Obviously, the described embodiments are some rather than all of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort shall fall within the protection scope of the present invention.
The technical solutions of the present invention can be applied to various communication systems that implement media communication, for example a video conferencing system. A terminal device in such a communication system may be composed of a video codec module, an audio codec module, a signaling module, a control module, a configuration module, and other functional modules. Its main functions are to receive and initiate calls to the terminals of remote conference sites, to encode the video and audio streams captured by the local camera and microphone and send them to the remote end, and to decode the remote end's video and audio streams and output them to the local display and loudspeakers. With the support of this hardware, two or more terminal devices can carry out video communication on the basis of the various standard protocols provided by the communication system.
A terminal device (endpoint) may be user equipment (UE), such as a smart mobile terminal or a computer, which exchanges voice and/or data over the Internet or a data transmission cable, or it may be a network-side device such as a Multipoint Control Unit (MCU) or a Selective Forwarding Unit (SFU).
The session establishment protocols among the above standard protocols include the H.323 protocol and the Session Initiation Protocol (SIP). That is, in the embodiments of the present invention, of the two terminal devices that need to transmit data (for example, video conference data), both terminal devices may establish the session connection using the H.323 protocol (Case 1), or one terminal device may establish the session connection using the H.323 protocol while the other establishes it using SIP (Case 2).
The processing flow of the method for transmitting data of the present invention is described in detail below for each of these two cases.
Case 1
In the embodiments of the present invention, two devices that establish a session connection using the H.323 protocol may negotiate, in either manner A or manner B below, the hash function and fingerprint information used for security authentication, so as to establish a DTLS connection. It should be noted that the DTLS connection may be based on the User Datagram Protocol (UDP) or on the Transmission Control Protocol (TCP).
Manner A
FIG. 1 is a schematic flowchart of a method 100 for transmitting data according to an embodiment of the present invention. The method is applied to a communication system including a first terminal device and a second terminal device, where the first terminal device and the second terminal device communicate using the H.323 protocol. As shown in FIG. 1, the method 100 includes:
S110. The first terminal device receives, according to the H.323 protocol, a first hash function list sent by the second terminal device, where the first hash function list includes at least one hash function supported by the second terminal device; determines a first hash function from the first hash function list and determines first fingerprint information corresponding to the first hash function; and sends the first hash function and the first fingerprint information to the second terminal device, where the first hash function belongs to the hash functions supported by the first terminal device, and the first hash function and the first fingerprint information are used for authenticating the first terminal device.
S120. The first terminal device sends, according to the H.323 protocol, a second hash function list to the second terminal device, where the second hash function list includes at least one hash function supported by the first terminal device; and receives a second hash function and second fingerprint information sent by the second terminal device, where the second hash function is determined by the second terminal device from the second hash function list and belongs to the hash functions supported by the second terminal device, the second fingerprint information is the fingerprint information corresponding to the second hash function, and the second hash function and the second fingerprint information are used for authenticating the second terminal device.
S130. The first terminal device performs authentication processing with the second terminal device according to the first hash function, the first fingerprint information, the second hash function, and the second fingerprint information, so as to establish a Datagram Transport Layer Security (DTLS) protocol connection and transmit data to and from the second terminal device over the DTLS protocol connection.
Specifically, in this embodiment of the present invention, the first terminal device (hereinafter, for ease of understanding and distinction, denoted terminal device #α) and the second terminal device (hereinafter, for ease of understanding and distinction, denoted terminal device #β) may be deployed in a communication system that uses the H.323 protocol (specifically, that establishes session connections using the H.323 protocol), so that terminal device #α and terminal device #β can communicate, for example exchange signaling, based on the H.323 protocol.
Terminal device #β may record the hash functions it is able to support in hash function list #β (that is, an example of the first hash function list), encapsulate hash function list #β according to the H.323 protocol into a message provided by the communication system that can be transmitted between terminal device #α and terminal device #β, and transmit that message to terminal device #α.
Likewise, terminal device #α may record the hash functions it is able to support in hash function list #α (that is, an example of the second hash function list), encapsulate hash function list #α according to the H.323 protocol into a message provided by the communication system that can be transmitted between terminal device #α and terminal device #β, and transmit that message to terminal device #β.
Optionally, the first hash function list is carried in a Terminal Capability Set message sent by the first terminal device to the second terminal device, and the second hash function list is carried in a Terminal Capability Set message sent by the second terminal device to the first terminal device.
Thus, hash function list #α and hash function list #β can be carried in a message already provided by the existing protocol, which improves the generality and practicability of the present invention.
It should be understood that the Terminal Capability Set message listed above is merely an exemplary description of a message carrying hash function list #α and hash function list #β, and the present invention is not limited thereto; other messages that can be transmitted between terminal device #α and terminal device #β, that is, messages that terminal device #α and terminal device #β can send and receive based on the H.323 protocol, all fall within the protection scope of the present invention.
It should be noted that, in this embodiment of the present invention, the hash functions that terminal device #β records in hash function list #β may be all of the hash functions supported by terminal device #β or only some of them; the present invention does not particularly limit this. For example, the number of hash functions recorded in the hash function list may be varied arbitrarily according to system (or standard) specifications or according to the capacity of the message carrying the hash function list (that is, the amount of information that message can carry).
Likewise, the hash functions that terminal device #α records in hash function list #α may be all of the hash functions supported by terminal device #α or only some of them; the present invention does not particularly limit this. For example, the number of hash functions recorded in the hash function list may be varied arbitrarily according to system (or standard) specifications or according to the capacity of the message carrying the hash function list (that is, the amount of information that message can carry).
Thus, terminal device #α can receive the above message carrying hash function list #β and decapsulate the message based on the H.323 protocol to obtain hash function list #β.
Likewise, terminal device #β can receive the above message carrying hash function list #α and decapsulate the message based on the H.323 protocol to obtain hash function list #α.
Thereafter, terminal device #α may compare the hash functions in hash function list #β against the hash functions it supports itself, so as to determine, among the hash functions in hash function list #β, one that terminal device #α is able to support, as hash function #α (that is, the first hash function) to be used by terminal device #β for authenticating terminal device #α.
For example, by way of example and not limitation, terminal device #α may perform the above comparison in a prescribed order (for example, starting from the first hash function in hash function list #β); when it finds a hash function that both belongs to hash function list #β and is supported by terminal device #α, it takes that hash function as hash function #α and ends the comparison.
Alternatively, terminal device #α may first determine all hash functions in hash function list #β that terminal device #α is able to support, and then select any one of the determined hash functions as hash function #α.
After hash function #α has been determined as described above, terminal device #α may determine the fingerprint information corresponding to hash function #α (that is, the first fingerprint information; hereinafter, for ease of distinction, denoted fingerprint information #α). This process may be similar to the prior-art process of determining the fingerprint information corresponding to a hash function, and its detailed description is omitted here to avoid redundancy.
Likewise, terminal device #β may compare the hash functions in hash function list #α against the hash functions it supports itself, so as to determine, among the hash functions in hash function list #α, one that terminal device #β is able to support, as hash function #β (that is, the second hash function) to be used by terminal device #α for authenticating terminal device #β; and terminal device #β may determine the fingerprint information corresponding to hash function #β (that is, the second fingerprint information; hereinafter, for ease of distinction, denoted fingerprint information #β).
Thereafter, terminal device #α may, according to the H.323 protocol, encapsulate the hash function #α and fingerprint information #α it has determined into a message provided by the communication system that can be transmitted between terminal device #α and terminal device #β, and transmit that message to terminal device #β.
Likewise, terminal device #β may, according to the H.323 protocol, encapsulate the hash function #β and fingerprint information #β it has determined into a message provided by the communication system that can be transmitted between terminal device #α and terminal device #β, and transmit that message to terminal device #α.
Optionally, the first hash function and the first fingerprint information are carried in an Open Logical Channel message, and the second hash function and the second fingerprint information are carried in an Open Logical Channel Ack message; or
the second hash function and the second fingerprint information are carried in an Open Logical Channel message, and the first hash function and the first fingerprint information are carried in an Open Logical Channel Ack message. Thus, the target hash function and fingerprint information can be carried in messages already provided by the existing protocol, which improves the generality and practicability of the present invention.
It should be understood that the Open Logical Channel message and Open Logical Channel Ack message listed above are merely exemplary, and the present invention is not limited thereto; other messages that can be transmitted between terminal device #α and terminal device #β, that is, messages that terminal device #α and terminal device #β can send and receive based on the H.323 protocol, all fall within the protection scope of the present invention.
Thereby, both terminal device #α and terminal device #β learn the target hash functions and fingerprint information, so that terminal device #α and terminal device #β may perform security authentication processing according to hash function #α, fingerprint information #α, hash function #β and fingerprint information #β determined as described above, and this security authentication processing may be performed during the DTLS handshake phase.
That is, terminal device #α may generate verification information #α1 according to hash function #α and fingerprint information #α (for example, terminal device #α may generate a code according to hash function #α and fingerprint information #α), and send that verification information to terminal device #β through DTLS signaling.
Further, terminal device #β generates verification information #α2 according to hash function #α and fingerprint information #α (for example, terminal device #β may generate a code according to hash function #α and fingerprint information #α).
Thus, when terminal device #β determines that the verification information #α1 sent by terminal device #α over DTLS is consistent with the verification information #α2 it generated itself, terminal device #β may determine that terminal device #α has passed security verification and may establish a DTLS connection with terminal device #α.
Likewise, terminal device #β may generate verification information #β1 according to hash function #β and fingerprint information #β (for example, terminal device #β may generate a code by encrypting fingerprint information #β according to hash function #β), and send that verification information to terminal device #α.
Further, terminal device #α generates verification information #β2 according to hash function #β and fingerprint information #β (for example, terminal device #α may generate a code by encrypting fingerprint information #β according to hash function #β).
Thus, when terminal device #α determines that the verification information #β1 sent by terminal device #β is consistent with the verification information #β2 it generated itself, terminal device #α may determine that terminal device #β has passed security verification and may establish a DTLS connection with terminal device #β.
Optionally, before the first terminal device performs authentication processing with the second terminal device according to the first hash function, the first fingerprint information, the second hash function and the second fingerprint information, the method further includes:
the first terminal device receives, according to the H.323 protocol, second role indication information sent by the second terminal device, the second role indication information being used to indicate the role supported by the second terminal device, the role being at least one of "active" and "passive";
the first terminal device sends, according to the H.323 protocol, first role indication information to the second terminal device, the first role indication information being used to indicate the role supported by the first terminal device; and
the first terminal device performing authentication processing with the second terminal device according to the first hash function, the first fingerprint information, the second hash function and the second fingerprint information includes:
the first terminal device performing authentication processing with the second terminal device according to the first hash function, the first fingerprint information, the second hash function, the second fingerprint information, the role supported by the first terminal device and the role supported by the second terminal device.
Specifically, in this embodiment of the present invention, the system may provide three roles, namely "active", "passive" and "either active or passive" (hereinafter, for ease of understanding and description, abbreviated "either"); terminal device #α and terminal device #β may notify each other of their roles and, according to those roles, determine the initiator of the above DTLS handshake.
For example, if the role of terminal device #α is "active" and the role of terminal device #β is "passive" or "either" (that is, the roles supported by terminal device #β include "passive"), terminal device #α may act as the initiator of the above DTLS handshake.
As another example, if the role of terminal device #α is "active" or "either" (that is, the roles supported by terminal device #α include "active") and the role of terminal device #β is "passive", terminal device #α may act as the initiator of the above DTLS handshake.
It should be understood that the relationship listed above between the roles of the terminal devices and the initiator of the DTLS handshake is merely exemplary, and the present invention is not limited thereto.
Optionally, the second role indication information is carried in the same message as the first hash function list, and the first role indication information is carried in the same message as the second hash function list.
Specifically, in this embodiment of the present invention, terminal device #β may send hash function list #β and the second role indication information to terminal device #α at the same time in the same message, and terminal device #α may send hash function list #α and the first role indication information to terminal device #β at the same time in the same message. This shortens the information exchange flow, reduces the number of messages exchanged between terminal device #α and terminal device #β, and improves processing efficiency.
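The negotiation of S110 to S130 and the two role rules given above, as one worked example in Python. This is an added example, not code from the patent or from the applicant. It assumes hash function names written in the form "sha-256", renders the fingerprint information as colon-separated hex of the digest of a constructed byte string that stands in for the endpoint's DER certificate, uses the role labels "active", "passive" and "either", and adds the mirror image of the two role rules plus a failure result for role combinations the text does not cover; all of these are assumptions.

```python
import hashlib
import hmac

# Hash function names as they might appear in a hash function list, mapped to the
# hashlib algorithm each denotes. The spelling is an assumption; the patent does not
# define an encoding for the list.
HASHLIB_NAME = {"sha-1": "sha1", "sha-256": "sha256",
                "sha-384": "sha384", "sha-512": "sha512"}

# Constructed endpoints (not from the patent). "cert" stands in for the endpoint's DER
# certificate; "role" is the role indication ("active", "passive" or "either").
ENDPOINT_ALPHA = {"supported": ["sha-256", "sha-384"],
                  "cert": b"constructed-DER-certificate-of-alpha",
                  "role": "active"}
ENDPOINT_BETA = {"supported": ["sha-384", "sha-256", "sha-1"],
                 "cert": b"constructed-DER-certificate-of-beta",
                 "role": "either"}


def select_hash(peer_list, own_supported):
    """Walk the peer's list in the peer's order and return the first hash function we
    support ourselves (the 'prescribed order' rule); None when there is no common one."""
    own = set(own_supported)
    for name in peer_list:
        if name in own:
            return name
    return None


def fingerprint(hash_name, cert_der):
    """Fingerprint information for one hash function: the digest of the certificate,
    rendered as upper-case colon-separated hex (the rendering is an assumption)."""
    digest = hashlib.new(HASHLIB_NAME[hash_name], cert_der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def handshake_initiator(role_alpha, role_beta):
    """Which endpoint starts the DTLS handshake. The first two rules are the patent's
    examples, the next two their mirror image; any other combination is treated as a
    failed negotiation (an assumption; the patent leaves those cases open)."""
    if role_alpha == "active" and role_beta in ("passive", "either"):
        return "alpha"
    if role_alpha == "either" and role_beta == "passive":
        return "alpha"
    if role_beta == "active" and role_alpha in ("passive", "either"):
        return "beta"
    if role_beta == "either" and role_alpha == "passive":
        return "beta"
    return None


def verify_peer(signaled_hash, signaled_fp, presented_cert):
    """Handshake-time check (S130): hash the certificate the peer actually presents in
    DTLS with the signaled hash function and compare it, in constant time, with the
    fingerprint that was signaled over H.323."""
    return hmac.compare_digest(fingerprint(signaled_hash, presented_cert), signaled_fp)


def negotiate(alpha, beta, presented_alpha=None, presented_beta=None):
    """Run S110/S120 (over H.323) and S130 (in the DTLS handshake) for two endpoints.
    presented_* lets the caller model a certificate that differs from the signaled one,
    for example one substituted on the path; by default each side presents its own."""
    presented_alpha = alpha["cert"] if presented_alpha is None else presented_alpha
    presented_beta = beta["cert"] if presented_beta is None else presented_beta
    # S110: alpha picks hash #α from beta's list; S120: beta picks hash #β from alpha's.
    hash_alpha = select_hash(beta["supported"], alpha["supported"])
    hash_beta = select_hash(alpha["supported"], beta["supported"])
    if hash_alpha is None or hash_beta is None:
        return None  # no common hash function: nothing to authenticate with
    initiator = handshake_initiator(alpha["role"], beta["role"])
    if initiator is None:
        return None  # the roles do not yield a handshake initiator
    fp_alpha = fingerprint(hash_alpha, alpha["cert"])  # signaled by alpha
    fp_beta = fingerprint(hash_beta, beta["cert"])     # signaled by beta
    return {
        "hash_alpha": hash_alpha, "fingerprint_alpha": fp_alpha,
        "hash_beta": hash_beta, "fingerprint_beta": fp_beta,
        "initiator": initiator,
        # S130: each side checks the certificate it sees against what was signaled.
        "beta_accepts_alpha": verify_peer(hash_alpha, fp_alpha, presented_alpha),
        "alpha_accepts_beta": verify_peer(hash_beta, fp_beta, presented_beta),
    }


if __name__ == "__main__":
    print(negotiate(ENDPOINT_ALPHA, ENDPOINT_BETA))
    # A certificate swapped between signaling and handshake fails the S130 check.
    swapped = negotiate(ENDPOINT_ALPHA, ENDPOINT_BETA,
                        presented_alpha=b"constructed-substituted-certificate")
    print(swapped["beta_accepts_alpha"])
```

With the constructed lists, hash #α (chosen by alpha from beta's list) is sha-384 while hash #β (chosen by beta from alpha's list) is sha-256, which is the "may be the same or different" case the text allows for. The last call shows what the fingerprint binding buys: the value signaled over H.323 is compared against the certificate actually presented in DTLS, so a certificate that differs from the signaled one is rejected by the peer.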
After the above DTLS handshake is completed, terminal device #α and terminal device #β may establish a DTLS protocol connection. In this embodiment of the present invention, the method and process by which terminal device #α and terminal device #β establish the DTLS protocol connection may be similar to the prior art, and a detailed description is omitted here to avoid redundancy.
After the DTLS protocol connection has been established as described above, terminal device #α and terminal device #β may transmit video-conference data over the DTLS protocol connection. For example, terminal device #α and terminal device #β may perform an authentication exchange according to the procedure specified in RFC 6347 and, after the authentication succeeds, open a logical channel and transmit data.
In addition, on the basis of the DTLS protocol connection, terminal device #α and terminal device #β may establish an application layer protocol connection, for example a Stream Control Transmission Protocol (SCTP) connection, and transmit data over that SCTP connection.
It should be understood that SCTP listed above is merely an exemplary description of a transport layer protocol, and the present invention is not limited thereto; other transport layer protocols used for transmitting data all fall within the protection scope of the present invention. Hereinafter, for ease of understanding and description, the process of establishing an SCTP connection on the basis of the DTLS protocol connection is described as an example.
Optionally, the method further includes:
the first terminal device sends a first port number to the second terminal device, the first port number being the port number used by the first terminal device to establish a Stream Control Transmission Protocol (SCTP) connection based on the DTLS protocol connection;
the first terminal device receives a second port number sent by the second terminal device, the second port number being the port number used by the second terminal device to establish an SCTP connection based on the DTLS protocol connection; and
the first terminal device establishes an SCTP connection with the second terminal device according to the first port number and the second port number, so as to transmit data to and from the second terminal device over the SCTP connection on top of the DTLS protocol connection.
Specifically, terminal device #α can determine the port numbers based on the DTLS protocol connection and then select from them the port number to be used for establishing an SCTP connection with terminal device #β (hereinafter, for ease of understanding and distinction, denoted port number #α), and terminal device #α may send port number #α to terminal device #β according to the H.323 protocol.
Likewise, terminal device #β can determine the port numbers based on the DTLS protocol connection and then select from them the port number to be used for establishing an SCTP connection with terminal device #α (hereinafter, for ease of understanding and distinction, denoted port number #β), and terminal device #β may send port number #β to terminal device #α according to the H.323 protocol.
Optionally, the first port number is carried in a Terminal Capability Set message or an Open Logical Channel message, and the second port number is carried in a Terminal Capability Set message or an Open Logical Channel message.
Specifically, when terminal device #α and terminal device #β have already been able to confirm that a DTLS protocol connection is about to be established, they can send each other the port numbers selected for establishing the SCTP connection before the DTLS protocol connection is established.
Therefore, in this embodiment of the present invention, terminal device #α may send its selected port number (that is, port number #α) to terminal device #β in the above Open Logical Channel message, and terminal device #β may send its selected port number (that is, port number #β) to terminal device #α in the above Open Logical Channel message.
In addition, terminal device #α and terminal device #β may also send each other the port numbers selected for establishing the SCTP connection in a Terminal Capability Set message.
Therefore, in this embodiment of the present invention, terminal device #α may send its selected port number (that is, port number #α) to terminal device #β in the above Terminal Capability Set message or in an updated Terminal Capability Set message, and terminal device #β may send its selected port number (that is, port number #β) to terminal device #α in the above Terminal Capability Set message or in an updated Terminal Capability Set message.
Optionally, the first port number is carried in the same type of message as the first hash function and the first fingerprint information, and the second port number is carried in the same message as the second hash function and the second fingerprint information.
Optionally, the first port number is carried in the same type of message as the second hash function list, and the second port number is carried in the same message as the first hash function list.
Through the above exchange, terminal device #α and terminal device #β learn the port numbers used by each other, and can therefore establish an SCTP connection according to those port numbers and transmit data over it. The method and process of establishing the SCTP connection according to the port numbers and of transmitting data over the SCTP connection may be similar to the prior art, and a detailed description is omitted here to avoid redundancy.
It should be noted that the above describes the process in which terminal device #α and terminal device #β negotiate a hash function in order to establish a DTLS connection, but the present invention is not limited thereto; other parameters used for establishing a DTLS connection may likewise be determined through a negotiation process between terminal device #α and terminal device #β, and that negotiation process is similar to the negotiation process described in method 100 above.
In addition, in this embodiment of the present invention, hash function #α and hash function #β determined as described above may be the same or different; the present invention does not particularly limit this.
According to the method for transmitting data of this embodiment of the present invention, by having the first terminal device and the second terminal device negotiate a hash function and fingerprint information based on the H.323 protocol, a DTLS protocol connection based on that hash function and fingerprint information can be established between the first terminal device and the second terminal device, so that the first terminal device and the second terminal device can transmit data over the DTLS protocol connection. The security authentication mechanism of the DTLS protocol can thus be used effectively to improve the security of the transmitted data, and the DTLS protocol can be made applicable to terminal devices that use the H.323 protocol, which improves the reliability and practicability of the terminal devices and improves the user experience.
Mode B
FIG. 2 shows a schematic flowchart of a method 200 for transmitting data according to an embodiment of the present invention, described from the perspective of a first terminal device (that is, the decision device described later). The method is applied to a communication system including a first terminal device and a second terminal device, where the first terminal device and the second terminal device communicate with each other through the H.323 protocol. As shown in FIG. 2, the method 200 includes:
S210. The first terminal device receives, according to the H.323 protocol, a first hash function list sent by the second terminal device, the first hash function list including at least one hash function supported by the second terminal device;
S220. The first terminal device determines a target hash function from the first hash function list and determines fingerprint information corresponding to the target hash function, where the target hash function belongs to the hash functions supported by the first terminal device;
S230. The first terminal device sends the target hash function and the fingerprint information to the second terminal device according to the H.323 protocol;
S240. The first terminal device establishes a Datagram Transport Layer Security (DTLS) protocol connection with the second terminal device according to the target hash function and the fingerprint information, so as to transmit data to and from the second terminal device over the DTLS protocol connection.
Specifically, in this embodiment of the present invention, the first terminal device (hereinafter, for ease of understanding and distinction, denoted terminal device #1) and the second terminal device (hereinafter, for ease of understanding and distinction, denoted terminal device #2) may be deployed in a communication system that uses the H.323 protocol (specifically, that establishes session connections using the H.323 protocol), so that terminal device #1 and terminal device #2 can communicate, for example exchange signaling, based on the H.323 protocol.
In this embodiment of the present invention, terminal device #1 and terminal device #2 may determine a hash function and fingerprint information (which may also be called security parameters) through negotiation, so that a Datagram Transport Layer Security (DTLS) protocol connection can be established based on that hash function and fingerprint information and data can be transmitted through the DTLS protocol. The security authentication mechanism of the DTLS protocol (that is, encryption and authentication based on the hash function and fingerprint information) can thus be used effectively to improve the security of data transmission.
In addition, the process by which terminal device #1 and terminal device #2 negotiate the hash function and fingerprint information may be as follows: the one of the two terminal devices that makes the decision (that is, the decision device) determines, from the hash functions supported by both sides, a target hash function to be finally used for the above encryption and authentication, sends the target hash function and the fingerprint information to the other device, and initiates the DTLS connection establishment process, that is, the DTLS handshake, based on the target hash function and its corresponding fingerprint information. Hereinafter, for ease of understanding, and by way of example and not limitation, the method 100 for transmitting data is described in detail taking terminal device #1 as the decision device.
First, terminal device #2 may record the hash functions it is able to support in a hash function list (hereinafter, for ease of understanding and distinction, denoted the first hash function list), encapsulate the first hash function list according to the H.323 protocol into a message provided by the communication system that can be transmitted between terminal device #1 and terminal device #2, and transmit that message to terminal device #1.
Optionally, the first hash function list is carried in a Terminal Capability Set message.
Specifically, a Terminal Capability Set message may be cited as a message carrying the above first hash function list. Thus, the first hash function list can be carried in a message already provided by the existing protocol, which improves the generality and practicability of the present invention.
It should be understood that the Terminal Capability Set message listed above is merely an exemplary description of a message carrying the first hash function list, and the present invention is not limited thereto; other messages that can be transmitted between terminal device #1 and terminal device #2, that is, messages that terminal device #1 and terminal device #2 can send and receive based on the H.323 protocol, all fall within the protection scope of the present invention.
It should be noted that, in this embodiment of the present invention, the hash functions that terminal device #2 records in the first hash function list may be all of the hash functions supported by terminal device #2 or only some of them; the present invention does not particularly limit this. For example, the number of hash functions recorded in the hash function list may be varied arbitrarily according to system (or standard) specifications or according to the capacity of the message carrying the hash function list (that is, the amount of information that message can carry).
从而,在S210中,终端设备#1能够接收到上述携带第一哈希函数列表的消息,并基于H.323协议对该消息解封装从而获取上述第一哈希函数列表。Thus, in S210, the terminal device #1 can receive the message carrying the first hash function list and decapsulate the message based on the H.323 protocol to obtain the first hash function list.
Optionally, before the first terminal device determines the target hash function from the first hash function list, the method further includes:
the first terminal device receiving, according to the H.323 protocol, role indication information sent by the second terminal device, where the role indication information indicates the role supported by the second terminal device and the role is at least one of "active" and "passive";
the first terminal device determining, according to the role indication information, the role supported by the second terminal device; and
the first terminal device determining the target hash function from the first hash function list includes:
the first terminal device determining the target hash function from the first hash function list when it determines that the role supported by the first terminal device includes "active" and the role supported by the second terminal device includes "passive".
Specifically, in the embodiments of the present invention, the system may provide three roles: "active", "passive" and "either", as mentioned above.
A terminal device whose role is "active" may act as the decision device described above, and it treats a terminal device whose role is "passive" or "either" as an active terminal, that is, a participant in the video conference, with which the DTLS connection described later needs to be established and the data of the video conference (for example, video data and audio data) needs to be transmitted.
Therefore, terminal device #2 may send information indicating the role it supports (the role indication information) to terminal device #1. It should be noted that, since this description takes terminal device #1 as the decision terminal, the role of terminal device #2 needs to be "passive" or "either"; in other words, the role indicated by the role indication information needs to include "passive", that is, the role of terminal device #2 is "passive" or "either".
Thus, after terminal device #1 determines that it supports the "active" role (that is, that it can act as the decision device) and determines from the role indication information that terminal device #2 supports the "passive" role (that is, that the role of terminal device #2 is "passive" or "either"), it determines in S220, from the first hash function list, a hash function supported by both terminal device #1 and terminal device #2 as the target hash function to be used for establishing the DTLS connection described later.
Optionally, the role indication information and the first hash function list are carried in the same message.
Specifically, terminal device #2 may send the first hash function list and the role indication information to terminal device #1 in the same message at the same time, which shortens the exchange, reduces the number of messages exchanged between terminal device #1 and terminal device #2, and improves processing efficiency.
In S220, terminal device #1 may determine the target hash function in either of the following ways, Mode 1 or Mode 2.
Mode 1
Optionally, the first terminal device determining the target hash function from the first hash function list includes:
the first terminal device determining the target hash function from the first hash function list according to the hash functions it supports itself.
Specifically, terminal device #1 may compare the hash functions in the first hash function list against the hash functions it supports itself, and select a hash function from the first hash function list that terminal device #1 can support as the target hash function.
For example, and not by way of limitation, terminal device #1 may perform this comparison in a prescribed order (for example, starting from the first hash function in the first hash function list); as soon as it finds a hash function that is both in the first hash function list and supported by terminal device #1, it takes that hash function as the target hash function and ends the comparison.
Alternatively, terminal device #1 may first determine all hash functions in the first hash function list that it supports and then select any one of them as the target hash function.
With the procedure of Mode 1, terminal device #2 can determine the first hash function list solely from the hash functions it supports itself, or the first hash function list may be configured in terminal device #2 in advance (for example, at the factory), which reduces the processing burden on terminal device #2 and lowers the performance requirements placed on it.
Mode 2
Optionally, before the first terminal device determines the target hash function from the first hash function list, the method further includes:
the first terminal device sending, according to the H.323 protocol, a second hash function list to the second terminal device, where the second hash function list includes at least one hash function supported by the first terminal device, so that the second terminal device determines the first hash function list according to the second hash function list, the hash functions included in the first hash function list belonging to the second hash function list; and
the first terminal device determining the target hash function from the first hash function list includes:
the first terminal device determining any hash function in the first hash function list to be the target hash function.
Specifically, before S210, terminal device #1 may record the hash functions it supports in a hash function list (hereinafter, for ease of understanding and distinction, the second hash function list), encapsulate the second hash function list according to the H.323 protocol into a message provided by the communication system that can be transmitted between terminal device #1 and terminal device #2, and transmit that message to terminal device #2.
Optionally, the second hash function list is carried in a Terminal Capability Set message.
Specifically, the Terminal Capability Set message is one example of a message that can carry the second hash function list, so a message already provided by the existing protocol is reused to carry the list, which improves the generality and practicality of the present invention.
It should be understood that the Terminal Capability Set message listed above is merely an example of a message carrying the second hash function list; the present invention is not limited thereto, and any other message that can be transmitted between terminal device #1 and terminal device #2, that is, any message the two devices can send and receive based on the H.323 protocol, falls within the scope of the present invention.
It should be noted that, in the embodiments of the present invention, the hash functions that terminal device #1 records in the second hash function list may be all of the hash functions it supports or only some of them; the present invention does not particularly limit this. For example, the number of hash functions recorded in the list may vary according to system (or standard) requirements or the capacity of the message carrying the list (that is, the amount of information the message can carry).
Terminal device #2 receives the message carrying the second hash function list and decapsulates it according to the H.323 protocol to obtain the second hash function list.
Terminal device #2 may then compare the hash functions in the second hash function list against the hash functions it supports itself, determine which hash functions in the second hash function list terminal device #2 can support, and record those hash functions in the first hash function list. For example, and not by way of limitation, terminal device #2 may perform this comparison in a prescribed order (for example, starting from the first hash function in the second hash function list), and whenever it finds a hash function that is both in the second hash function list and supported by terminal device #2, it records that hash function in the first hash function list. In this case, terminal device #2 may adjust the number of comparison rounds according to the number of hash functions that the list needs to record.
Thus, every hash function recorded in the first hash function list that terminal device #1 receives in S210 is supported by both terminal device #1 and terminal device #2, so in S220 terminal device #1 may select any hash function in that list as the target hash function.
With the procedure of Mode 2, terminal device #1 only needs to perform a simple selection to determine the target hash function, and the second hash function list may be configured in terminal device #1 in advance (for example, at the factory), which reduces the processing burden on terminal device #1 and lowers the performance requirements placed on it.
After the target hash function has been determined as described above, terminal device #1 may determine the fingerprint information corresponding to the target hash function. This process may be similar to the prior-art process of determining the fingerprint information corresponding to a hash function, and its detailed description is omitted here to avoid repetition.
Thus, in S230, terminal device #1 may encapsulate the target hash function and the fingerprint information according to the H.323 protocol into a message provided by the communication system that can be transmitted between terminal device #1 and terminal device #2, and transmit that message to terminal device #2.
Optionally, the target hash function and the fingerprint information are carried in an Open Logical Channel message.
Specifically, the Open Logical Channel message is one example of a message that can carry the target hash function and the fingerprint information, so a message already provided by the existing protocol is reused to carry them, which improves the generality and practicality of the present invention.
It should be understood that the Open Logical Channel message listed above is merely an example of a message carrying the target hash function and the fingerprint information; the present invention is not limited thereto, and any other message that can be transmitted between terminal device #1 and terminal device #2, that is, any message the two devices can send and receive based on the H.323 protocol, falls within the scope of the present invention.
Thus, terminal device #2 receives the message carrying the target hash function and the fingerprint information and decapsulates it according to the H.323 protocol to obtain the target hash function and the fingerprint information.
Both terminal device #1 and terminal device #2 now know the target hash function and the fingerprint information, so in S240 terminal device #1 and terminal device #2 may establish a DTLS connection based on them; for example, terminal device #1 may perform security authentication (also called the DTLS handshake) with terminal device #2 based on the target hash function and the fingerprint information.
That is, terminal device #1 may generate verification information #1 from the target hash function and the fingerprint information (for example, terminal device #1 may encrypt the fingerprint information using the target hash function to produce a code) and send verification information #1 to terminal device #2.
Likewise, terminal device #2 may generate verification information #2 from the target hash function and the fingerprint information (for example, terminal device #2 may encrypt the fingerprint information using the target hash function to produce a code) and send verification information #2 to terminal device #1.
Thus, when terminal device #2 determines that verification information #1 sent by terminal device #1 matches the verification information #2 it generated itself, terminal device #2 determines that terminal device #1 has passed security verification and may establish the DTLS connection with terminal device #1.
Similarly, when terminal device #1 determines that verification information #2 sent by terminal device #2 matches the verification information #1 it generated itself, terminal device #1 determines that terminal device #2 has passed security verification and may establish the DTLS connection with terminal device #2.
In the embodiments of the present invention, the method and process by which terminal device #1 and terminal device #2 establish the DTLS protocol connection may be similar to the prior art, and their detailed description is omitted here to avoid repetition.
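As an added illustration (not code from the patent or its applicant), the following Python models the role check, the Mode 1 and Mode 2 selection of the target hash function, and the handshake-side check that the certificate a peer presents matches the fingerprint announced over H.323. The colon-separated hex fingerprint format (RFC 4572 style), the hashlib hash names, and the sample capability sets and certificate bytes are assumptions of this example; the patent leaves the fingerprint derivation to prior art.

```python
import hashlib
import hmac

# Roles as the text defines them: "active", "passive", or "either" (both allowed).
ROLE_SETS = {
    "active": {"active"},
    "passive": {"passive"},
    "either": {"active", "passive"},
}

# Constructed sample data (not real certificates): DER-like byte strings that
# stand in for each terminal's DTLS certificate.
CERT1_DER = b"\x30\x82\x01\x0a" + b"terminal #1 constructed certificate body" * 3
CERT_OTHER_DER = b"\x30\x82\x01\x0a" + b"some other party's constructed certificate" * 3

# Constructed capability sets: role plus supported hash functions, listed in
# each terminal's own preference order.
TERMINAL1 = {"role": "active", "hashes": ("sha-256", "sha-384")}
TERMINAL2 = {"role": "either", "hashes": ("sha-1", "sha-256", "sha-512")}


def may_act_as_decision_device(own_role, peer_role):
    """Terminal #1 may pick the target hash only if its own role includes
    'active' and the peer's role indication includes 'passive'."""
    return "active" in ROLE_SETS[own_role] and "passive" in ROLE_SETS[peer_role]


def select_target_hash_mode1(first_list, own_supported):
    """Mode 1: walk the peer's first list in its stated order and take the
    first entry this terminal also supports; None means no common hash."""
    for name in first_list:
        if name in own_supported:
            return name
    return None


def build_first_list_mode2(second_list, own_supported, capacity=None):
    """Mode 2, terminal #2 side: keep only the entries of the peer's second
    list that we support, truncated to the carrying message's capacity."""
    common = [name for name in second_list if name in own_supported]
    return common if capacity is None else common[:capacity]


def select_target_hash_mode2(first_list):
    """Mode 2, terminal #1 side: every entry is already common to both
    terminals, so the first one is taken (any would do)."""
    return first_list[0] if first_list else None


def certificate_fingerprint(cert_der, hash_name):
    """Fingerprint of the DER certificate under the target hash, written as
    upper-case colon-separated hex prefixed by the hash name (RFC 4572 style;
    the format is an assumption of this example)."""
    # hashlib spells the names without the dash ("sha-256" -> "sha256").
    digest = hashlib.new(hash_name.replace("-", ""), cert_der).hexdigest().upper()
    return hash_name.upper() + " " + ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def verify_presented_certificate(presented_der, announced_fingerprint):
    """Handshake-side check: recompute the fingerprint of the certificate the
    peer actually presented and compare it, in constant time, with the one
    announced over H.323. An unknown hash name is treated as a mismatch."""
    hash_name, _, _ = announced_fingerprint.partition(" ")
    try:
        recomputed = certificate_fingerprint(presented_der, hash_name.lower())
    except ValueError:
        return False
    return hmac.compare_digest(recomputed, announced_fingerprint)


def negotiate_mode1(t1, t2, t1_cert_der):
    """End-to-end Mode 1 exchange. Terminal #2's Terminal Capability Set
    carries its role and first list; terminal #1 checks the roles, picks the
    target hash, fingerprints its own certificate and returns the pair it
    would place in the Open Logical Channel message (None if it cannot decide)."""
    if not may_act_as_decision_device(t1["role"], t2["role"]):
        return None
    target = select_target_hash_mode1(t2["hashes"], set(t1["hashes"]))
    if target is None:
        return None
    return {"hash": target, "fingerprint": certificate_fingerprint(t1_cert_der, target)}


if __name__ == "__main__":
    offer = negotiate_mode1(TERMINAL1, TERMINAL2, CERT1_DER)
    print("target hash:", offer["hash"])
    print("announced fingerprint:", offer["fingerprint"])
    print("genuine cert verifies:", verify_presented_certificate(CERT1_DER, offer["fingerprint"]))
    print("other cert verifies:", verify_presented_certificate(CERT_OTHER_DER, offer["fingerprint"]))
```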
Optionally, before the second terminal device establishes a DTLS protocol connection with the first terminal device according to the target hash function and the fingerprint information, the method further includes:
the second terminal device sending, according to the H.323 protocol, confirmation information to the first terminal device, where the confirmation information indicates that the second terminal device has received the target hash function and the fingerprint information.
Specifically, after obtaining the target hash function and the fingerprint information, terminal device #2 may encapsulate, according to the H.323 protocol, confirmation information indicating that it has received the target hash function into a message provided by the communication system that can be transmitted between terminal device #1 and terminal device #2, and transmit that message to terminal device #1.
Optionally, the confirmation information is carried in an Open Logical Channel Ack message.
Specifically, the Open Logical Channel Ack message is one example of a message that can carry the confirmation information, so a message already provided by the existing protocol is reused to carry it, which improves the generality and practicality of the present invention.
It should be understood that the Open Logical Channel Ack message listed above is merely an example of a message carrying the confirmation information; the present invention is not limited thereto, and any other message that can be transmitted between terminal device #1 and terminal device #2, that is, any message the two devices can send and receive based on the H.323 protocol, falls within the scope of the present invention.
Thus, terminal device #1 receives the message carrying the confirmation information, decapsulates it according to the H.323 protocol to obtain the confirmation information, and thereby determines that terminal device #2 has received the target hash function and may perform the actions of S240 described above.
By having terminal device #2 return confirmation information to terminal device #1 after receiving the target hash function and the fingerprint information, terminal device #1 can determine from that confirmation information that terminal device #2 is ready to establish the DTLS connection, which further improves the reliability of the method for transmitting data of the embodiments of the present invention.
After the DTLS protocol connection has been established as described above, terminal device #1 and terminal device #2 may transmit the data of the video conference over it. For example, terminal device #1 and terminal device #2 may perform the authentication exchange according to the procedure specified in RFC 6347 and, after authentication succeeds, open a logical channel and transmit data.
In addition, terminal device #1 and terminal device #2 may establish an application layer protocol connection on top of the DTLS protocol connection, for example a Stream Control Transmission Protocol (SCTP) connection, and transmit data over that SCTP connection.
It should be understood that SCTP is merely an example of an application layer protocol; the present invention is not limited thereto, and other application layer protocols used for transmitting data also fall within the scope of the present invention. Hereinafter, for ease of understanding and description, the process of establishing an SCTP connection on top of the DTLS protocol connection is described as an example.
Optionally, the method further includes:
the first terminal device sending a first port number to the second terminal device, where the first port number is the port number used by the first terminal device to establish a Stream Control Transmission Protocol (SCTP) connection based on the DTLS protocol connection;
the first terminal device receiving a second port number sent by the second terminal device, where the second port number is the port number used by the second terminal device to establish an SCTP connection based on the DTLS protocol connection; and
the first terminal device establishing an SCTP connection with the second terminal device according to the first port number and the second port number, so as to transmit data to and from the second terminal device over the SCTP connection on the DTLS protocol connection.
Specifically, after the DTLS protocol connection has been established as described above, terminal device #1 can determine the port numbers available on the DTLS protocol connection and select from them the port number to be used for establishing the SCTP connection with terminal device #2 (hereinafter, for ease of understanding and distinction, port number #1), and terminal device #1 may send port number #1 to terminal device #2 according to the H.323 protocol.
Similarly, terminal device #2 can determine the port numbers available on the DTLS protocol connection and select from them the port number to be used for establishing the SCTP connection with terminal device #1 (hereinafter, port number #2), and terminal device #2 may send port number #2 to terminal device #1 according to the H.323 protocol.
Optionally, the first port number is carried in a Terminal Capability Set message or an Open Logical Channel message, and
the second port number is carried in a Terminal Capability Set message or an Open Logical Channel message.
Specifically, once the target hash function and the fingerprint information have been determined as described above, terminal device #1 and terminal device #2 can already confirm the DTLS protocol connection that is about to be established, so each can send the port number it has selected for the SCTP connection to the other before the DTLS protocol connection is established.
Therefore, in the embodiments of the present invention, terminal device #1 may send its selected port number (port number #1) to terminal device #2 in the Open Logical Channel message described above, and terminal device #2 may send its selected port number (port number #2) to terminal device #1 in the Open Logical Channel message described above.
In addition, terminal device #1 and terminal device #2 may also send the port numbers selected for the SCTP connection to each other in Terminal Capability Set messages. For example, terminal device #1 may send its selected port number (port number #1) to terminal device #2 in the Terminal Capability Set message described above or in an updated Terminal Capability Set message, and terminal device #2 may send its selected port number (port number #2) to terminal device #1 in the Terminal Capability Set message described above or in an updated Terminal Capability Set message.
Optionally, the first port number and the second hash function list are carried in the same type of message.
Specifically, terminal device #1 may carry port number #1, the second hash function list and the role information in the same type of message. Similarly, terminal device #2 may carry port number #2 and the first hash function list in the same type of message.
Optionally, the first port number is carried in the same message as the target hash function and the fingerprint information.
Specifically, terminal device #1 may carry port number #1, the target hash function and the fingerprint information in the same message.
Similarly, terminal device #2 may carry port number #2 and the confirmation information in the same message.
This reduces the signaling exchanged between terminal device #1 and terminal device #2 and improves communication efficiency.
Through the above exchange, terminal device #1 and terminal device #2 learn the port numbers used by each other and can establish an SCTP connection and transmit data according to those port numbers. The method and process of establishing the SCTP connection according to the port numbers and transmitting data over it may be similar to the prior art, and their detailed description is omitted here to avoid repetition.
It should be noted that the above describes the process in which terminal device #1 and terminal device #2 negotiate a hash function in order to establish a DTLS connection, but the present invention is not limited thereto; other parameters used for establishing the DTLS connection may likewise be determined through a negotiation process between terminal device #1 and terminal device #2, and that negotiation process is similar to the negotiation process described in the method 200 above.
In addition, in the above description, "the first terminal device and the second terminal device communicate through the H.323 protocol" means that the exchange of the hash function lists, the hash function and the fingerprint information before the authentication process is carried out through the H.323 protocol; after the first hash function, first fingerprint information, second hash function and second fingerprint information used for authentication have been determined as described above, the authentication process may be carried out using the signaling or messages provided by the DTLS protocol, that is, the first terminal device and the second terminal device need not communicate through the H.323 protocol while performing the authentication process.
According to the method for transmitting data of the embodiments of the present invention, by having the first terminal device and the second terminal device negotiate a hash function and fingerprint information based on the H.323 protocol, a DTLS protocol connection based on that hash function and fingerprint information can be established between them, so that the first terminal device and the second terminal device can transmit data over the DTLS protocol connection. The security authentication mechanism of the DTLS protocol is thereby used effectively to improve the security of the transmitted data, and the DTLS protocol is made applicable to terminal devices that use the H.323 protocol, which improves the reliability and practicality of the terminal devices and improves the user experience.
Case 2
In the embodiment of the present invention, a device that establishes a session connection using the H.323 protocol and a device that establishes a session connection using SIP may, via a gateway device, negotiate the hash function and fingerprint information used for security authentication in the following manner C or manner D, in order to establish a DTLS connection. It should be noted that the DTLS connection may be UDP-based or TCP-based.
Manner C
FIG. 3 is a schematic flowchart of a method 300 for transmitting data according to another embodiment of the present invention, described from the perspective of a gateway device. The method is applied to a communication system including a first terminal device, a second terminal device and a gateway device, where the first terminal device communicates with the gateway device by means of the H.323 protocol and the second terminal device communicates with the gateway device by means of the Session Initiation Protocol (SIP). As shown in FIG. 3, the method 300 includes:
S310: the gateway device receives at least one first hash function sent by the second terminal device, the first hash function being a hash function supported by the second terminal device; sends to the first terminal device a first hash function list in which the first hash function is recorded; and receives a target first hash function and first fingerprint information sent by the first terminal device, where the target first hash function is determined by the first terminal device from the first hash function list and is a hash function supported by the first terminal device, the first fingerprint information is fingerprint information corresponding to the target first hash function, and the target first hash function and the first fingerprint information are used to authenticate the first terminal device;
S320: the gateway device receives a second hash function list sent by the first terminal device, the second hash function list including at least one second hash function supported by the first terminal device; sends some or all of the second hash functions to the second terminal device; and receives a target second hash function and second fingerprint information sent by the second terminal device, where the target second hash function is determined by the second terminal device from the some or all of the second hash functions and is a hash function supported by the second terminal device, the second fingerprint information is fingerprint information corresponding to the target second hash function, and the target second hash function and the second fingerprint information are used to authenticate the second terminal device;
S330: the gateway device sends the target first hash function and the first fingerprint information to the second terminal device, and sends the target second hash function and the second fingerprint information to the first terminal device, so that the first terminal device and the second terminal device perform authentication processing according to the target first hash function, the first fingerprint information, the target second hash function and the second fingerprint information in order to establish a Datagram Transport Layer Security (DTLS) protocol connection, and transmit data over the DTLS protocol connection.
At present, with the development and popularization of media communication technologies such as video conferencing, such technologies can offer several session (also called "call") establishment protocols. A terminal device can therefore select, according to its own capabilities (for example, the session establishment protocols it supports), a corresponding session establishment protocol to establish a session connection, and can then negotiate with other terminal devices over that session connection to establish a data transmission connection, thereby completing media communication with the other terminal devices.
Examples of such session establishment protocols are the H.323 protocol and the Session Initiation Protocol (SIP). Moreover, different session protocols correspond to different data transmission connections; for example, the H.323 protocol corresponds to a data transmission connection based on the H.235 protocol, and SIP corresponds to a data transmission connection based on the Datagram Transport Layer Security (DTLS) protocol.
Because different data transmission connections are not compatible (for example, one side cannot recognize the other's encoding format), if two terminal devices establish a session using the H.323 protocol and SIP respectively, the session (or rather, the data transmission connection) is terminated at the gateway device, and the gateway device forwards the data transmitted between the two terminal devices (for example, converting the encoding format). This increases the burden on the gateway device, reduces the transmission performance of the system, and seriously affects the user experience.
In contrast, according to the method 300 for transmitting data of the embodiment of the present invention, the first terminal device and the second terminal device negotiate security parameters via the gateway device, so that a DTLS protocol connection based on those security parameters can be established between the first terminal device and the second terminal device, and the first terminal device and the second terminal device can transmit data over that DTLS protocol connection without forwarding by the gateway device. The burden on the gateway device can thus be reduced, the transmission performance of the system improved, and the user experience improved.
Specifically, in the embodiment of the present invention, the first terminal device (hereinafter, for ease of understanding and distinction, denoted terminal device #X) may be deployed in a sub-communication system that uses the H.323 protocol (specifically, that uses the H.323 protocol to establish session connections), and the second terminal device (hereinafter, for ease of understanding and distinction, denoted terminal device #Y) may be deployed in a sub-communication system that uses the SIP protocol (specifically, that uses the SIP protocol to establish session connections). Terminal device #X and the gateway device can therefore communicate, for example transmit signaling, based on the H.323 protocol, and terminal device #Y and the gateway device can communicate, for example transmit signaling, based on the SIP protocol.
In the embodiment of the present invention, terminal device #X and terminal device #Y may negotiate via the gateway device to determine a hash function and fingerprint information (which may also be called security parameters), so that a Datagram Transport Layer Security (DTLS) connection can be established based on that hash function and fingerprint information and data can be transmitted over the DTLS protocol. The security authentication mechanism of the DTLS protocol (that is, encryption and authentication based on the hash function and fingerprint information) can thereby be used effectively to improve the security of data transmission.
Terminal device #X may record the hash functions it is able to support (that is, the second hash functions) in a second hash function list, encapsulate the second hash function list, according to the H.323 protocol, in a message provided by the communication system that can be transmitted between terminal device #X and the gateway device, and transmit that message to the gateway device. Optionally, the second hash function list sent by the first terminal device to the gateway device is carried in a Terminal Capability Set message sent by the first terminal device to the gateway device. Specifically, a Terminal Capability Set message is one example of a message that can carry the above hash function list, so that the hash function list can be carried by a message already provided in an existing protocol, which improves the generality and practicality of the present invention. It should be understood that the Terminal Capability Set message listed above is merely an exemplary message for carrying the second hash function list, and the present invention is not limited thereto; any other message that can be transmitted between terminal device #X and the gateway device, or in other words any message that terminal device #X and the gateway device can send and receive based on the H.323 protocol, falls within the scope of protection of the present invention.
It should be noted that, in the embodiment of the present invention, the second hash functions recorded by terminal device #X in the second hash function list may be all of the hash functions supported by terminal device #X or only some of them; the present invention does not specifically limit this. For example, the number of second hash functions recorded in the second hash function list may be varied according to system (or standard) requirements or according to the capacity of the message that carries the hash function list (that is, the amount of information that message can carry). Hereinafter, to avoid redundancy, descriptions of the same or similar circumstances arising in communication between terminal device #X and the gateway device are omitted.
Furthermore, terminal device #Y may, according to the transmission manner specified by SIP, encapsulate the first hash functions it is able to support in a message provided by the communication system that can be transmitted between terminal device #Y and the gateway device, and transmit that message to the gateway device.
Optionally, the first hash function sent by the second terminal device to the gateway device is carried in the Session Description Protocol (SDP) message body of a SIP message sent by the second terminal device to the gateway device.
Specifically, a SIP message containing an SDP message body is one example of a message that can carry the first hash function, so that the hash function can be carried by a message already provided in an existing protocol, which improves the generality and practicality of the present invention.
It should be understood that the SDP message listed above is merely an exemplary message for carrying the first hash function, and the present invention is not limited thereto; any other message that can be transmitted between terminal device #Y and the gateway device, or in other words any message that terminal device #Y and the gateway device can send and receive in the manner specified by SIP, falls within the scope of protection of the present invention. It should be noted that, in the embodiment of the present invention, the first hash functions sent by terminal device #Y to the gateway device may be all of the hash functions supported by terminal device #Y or only some of them; the present invention does not specifically limit this. Moreover, when there are multiple first hash functions, the second terminal device may transmit them to the gateway device separately in multiple SDP messages (that is, each SDP message carrying one first hash function). Hereinafter, to avoid redundancy, descriptions of the same or similar circumstances arising in communication between terminal device #Y and the gateway device are omitted.
The gateway device can thus receive the message carrying the second hash function list, decapsulate it according to the H.323 protocol to obtain the second hash function list, and obtain the second hash functions recorded in that list. Thereafter, the gateway device may transmit some or all of the second hash functions to terminal device #Y based on SIP. For example, the gateway device may first select any one hash function from the second hash function list (for example, the first hash function in the list), encapsulate it according to SIP in a message provided by the communication system that can be transmitted between the gateway device and terminal device #Y, and transmit that message to terminal device #Y; the gateway device may then transmit the remaining hash functions in the second hash function list to terminal device #Y in a similar manner.
Terminal device #Y can thus receive the message (or messages) carrying the second hash functions, and decapsulate them based on SIP to obtain some or all of the second hash functions. Terminal device #Y may then compare those second hash functions with the hash functions it itself supports, and thereby determine, from among them, one or more hash functions that terminal device #Y is able to support (that is, the target second hash function). Terminal device #Y may also determine the fingerprint information corresponding to the target second hash function (that is, the second fingerprint information). Thereafter, terminal device #Y may send the target second hash function and second fingerprint information determined as described above to the gateway device, for example in an SDP message.
The specific process may be as follows: the gateway device first selects any one hash function from the second hash function list, encapsulates it in the SDP message body of a SIP INVITE message and sends it to terminal device #Y; the other hash functions in the second hash function list that subsequently need to be sent may be encapsulated in the SDP message bodies of SIP UPDATE messages and sent to terminal device #Y.
After receiving a hash function, terminal device #Y, if it confirms that it can support that hash function, encapsulates the hash function in the SDP message body of a SIP response message (such as a SIP 183 response or a response to the SIP UPDATE) and sends it to the gateway device. Terminal device #Y also takes one of the hash functions it has confirmed it can support as the target second hash function, and encapsulates that target second hash function together with its corresponding fingerprint information (that is, the second fingerprint information) in the SDP message body of a SIP UPDATE message, which it sends to the gateway device.
Thereafter, the gateway device may, according to the H.323 protocol, send the target second hash function and the second fingerprint information to terminal device #X in, for example, an Open Logical Channel message or a Terminal Capability Set message.
Terminal device #X can thereby learn the hash function and fingerprint information to be used for verifying terminal device #Y, namely the target second hash function and the second fingerprint information.
Correspondingly, the gateway device can receive the message carrying the first hash function (or functions) supported by terminal device #Y, and decapsulate that message in the manner specified by SIP to obtain the first hash function.
Thereafter, the gateway device records some or all of the first hash functions in a hash function list (that is, the first hash function list), and may send the first hash function list to terminal device #X based on the H.323 protocol in, for example, a Terminal Capability Set message.
Terminal device #X can thus receive the message carrying the first hash function list and decapsulate it based on the H.323 protocol to obtain the first hash function list, thereby learning some or all of the first hash functions that terminal device #Y is able to support. Terminal device #X may then compare those first hash functions with the hash functions it itself supports, and thereby determine, from among them, one or more hash functions that terminal device #X is able to support (that is, the target first hash function). Terminal device #X may also determine the fingerprint information corresponding to the target first hash function (that is, the first fingerprint information). Thereafter, terminal device #X may send the target first hash function and first fingerprint information determined as described above to the gateway device in, for example, an Open Logical Channel message.
Thereafter, the gateway device may, according to SIP, send the target first hash function and the first fingerprint information to terminal device #Y in, for example, an SDP message.
Terminal device #Y can thereby learn the hash function and fingerprint information to be used for verifying terminal device #X, namely the target first hash function and the first fingerprint information.
Hereinafter, for ease of understanding and explanation, the target first hash function is denoted hash function #X, the first fingerprint information is denoted fingerprint information #X, the target second hash function is denoted hash function #Y, and the second fingerprint information is denoted fingerprint information #Y. That is, both terminal device #X and terminal device #Y can learn the hash functions and fingerprint information used to authenticate each other, so that terminal device #X and terminal device #Y can perform security authentication (which may also be called a DTLS handshake) according to hash function #X, fingerprint information #X, hash function #Y and fingerprint information #Y determined as described above.
That is, terminal device #X may generate verification information #X1 according to hash function #X and fingerprint information #X (for example, terminal device #X may generate a code according to hash function #X and fingerprint information #X), and send that verification information to terminal device #Y via DTLS signaling.
Terminal device #Y likewise generates verification information #X2 according to hash function #X and fingerprint information #X (for example, terminal device #Y may generate a code according to hash function #X and fingerprint information #X).
Thus, when terminal device #Y determines that the verification information #X1 sent by terminal device #X via DTLS matches the verification information #X2 it generated itself, terminal device #Y can determine that terminal device #X has passed security verification and that a DTLS connection can be established with terminal device #X.
Similarly, terminal device #Y may generate verification information #Y1 according to hash function #Y and fingerprint information #Y (for example, terminal device #Y may generate a code by encrypting fingerprint information #Y according to hash function #Y), and send that verification information to terminal device #X.
Terminal device #X likewise generates verification information #Y2 according to hash function #Y and fingerprint information #Y (for example, terminal device #X may generate a code by encrypting fingerprint information #Y according to hash function #Y).
Thus, when terminal device #X determines that the verification information #Y1 sent by terminal device #Y matches the verification information #Y2 it generated itself, terminal device #X can determine that terminal device #Y has passed security verification and that a DTLS connection can be established with terminal device #Y.
Optionally, the method further includes:
the gateway device receives first role indication information sent by the first terminal device and second role indication information sent by the second terminal device, where the first role indication information is used to indicate the role supported by the first terminal device, the second role indication information is used to indicate the role supported by the second terminal device, and the role is at least one of "active" and "passive";
the gateway device sends the first role indication information to the second terminal device and sends the second role indication information to the first terminal device, so that the first terminal device and the second terminal device perform authentication processing according to the first hash function, the first fingerprint information, the second hash function, the second fingerprint information, the role supported by the first terminal device and the role supported by the second terminal device.
Specifically, in the embodiment of the present invention, the system may provide three roles, namely "active", "passive" and "either active or passive" (hereinafter, for ease of understanding and explanation, abbreviated "either"), and terminal device #X and terminal device #Y may notify each other of their roles via the gateway device.
For example, terminal device #X may send information indicating the roles it is able to support (that is, the first role indication information) to the gateway device in a Terminal Capability Set message or an Open Logical Channel message, and the gateway device sends that first role indication information to terminal device #Y in an SDP message.
As another example, terminal device #Y may send information indicating the roles it is able to support (that is, the second role indication information) to the gateway device in an SDP message, and the gateway device sends that second role indication information to terminal device #X in a Terminal Capability Set message or an Open Logical Channel message.
The initiator of the above DTLS handshake is then determined according to these roles.
For example, if the role of terminal device #X is "active" and the role of terminal device #Y is "passive" or "either" (that is, the roles supported by terminal device #Y include "passive"), terminal device #X may act as the initiator of the DTLS handshake.
As another example, if the role of terminal device #X is "active" or "either" (that is, the roles supported by terminal device #X include "active") and the role of terminal device #Y is "passive", terminal device #X may act as the initiator of the DTLS handshake.
It should be understood that the relationship between the roles of the terminal devices and the initiator of the DTLS handshake described above is merely exemplary, and the present invention is not limited thereto.
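The gateway-mediated negotiation of S310 to S330, the fingerprint comparison that authenticates each terminal, and the role rule for choosing the handshake initiator, simulated end to end in Python as an added example; this is not code from the patent or from any Huawei product. It assumes that the fingerprint information is the negotiated hash computed over the terminal's DTLS certificate (the SDP a=fingerprint convention) and that the "verification information" comparison above is the usual check of the certificate presented in the DTLS handshake against the fingerprint signalled out of band; the certificate bytes and the hash algorithm sets are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-ins for the DER-encoded certificates that each terminal presents in
# the DTLS handshake. A real device would load its certificate from its key store.
CERT_X = b"CONSTRUCTED-CERT-X:" + bytes(range(32))
CERT_Y = b"CONSTRUCTED-CERT-Y:" + bytes(range(32, 64))


def fingerprint(hash_name: str, cert_der: bytes) -> str:
    """Fingerprint information for a certificate: the named hash over the certificate
    bytes, rendered as colon-separated upper-case hex (the SDP a=fingerprint style)."""
    digest = hashlib.new(hash_name, cert_der).digest()
    return ":".join(f"{b:02X}" for b in digest)


@dataclass
class Terminal:
    name: str
    cert: bytes
    supported: List[str]             # hash functions this terminal supports, in preference order
    role: str                        # "active", "passive" or "actpass" (the page's "either")
    peer_hash: Optional[str] = None  # target hash for the peer, learned via the gateway
    peer_fp: Optional[str] = None    # peer fingerprint, learned via the gateway

    def pick_target(self, offered: List[str]) -> Optional[str]:
        """Select the target hash: the first offered hash that this terminal also supports."""
        for h in offered:
            if h in self.supported:
                return h
        return None


def gateway_negotiate(x: Terminal, y: Terminal) -> Tuple[str, str, str, str]:
    """Gateway-mediated negotiation following steps S310 to S330 of method 300.
    x is the H.323 side (terminal device #X), y the SIP side (terminal device #Y);
    the gateway only relays hash lists, target hashes and fingerprints."""
    # S310: the gateway collects Y's hash functions into the first hash function list and
    # hands it to X; X chooses the target first hash and computes fingerprint #X over its cert.
    first_list = list(y.supported)
    hash_x = x.pick_target(first_list)
    if hash_x is None:
        raise ValueError("no common hash function for authenticating terminal #X")
    fp_x = fingerprint(hash_x, x.cert)
    # S320: the gateway relays X's second hash function list to Y; Y chooses the target
    # second hash and computes fingerprint #Y over its own certificate.
    second_list = list(x.supported)
    hash_y = y.pick_target(second_list)
    if hash_y is None:
        raise ValueError("no common hash function for authenticating terminal #Y")
    fp_y = fingerprint(hash_y, y.cert)
    # S330: the gateway forwards each side's target hash and fingerprint to the other side.
    y.peer_hash, y.peer_fp = hash_x, fp_x
    x.peer_hash, x.peer_fp = hash_y, fp_y
    return hash_x, fp_x, hash_y, fp_y


def handshake_initiator(role_x: str, role_y: str) -> Optional[str]:
    """Decide who starts the DTLS handshake from the two role indications, following the
    page's two examples; combinations the page does not resolve return None."""
    if role_x == "active" and role_y in ("passive", "actpass"):
        return "X"
    if role_x in ("active", "actpass") and role_y == "passive":
        return "X"
    if role_y == "active" and role_x in ("passive", "actpass"):
        return "Y"
    if role_y in ("active", "actpass") and role_x == "passive":
        return "Y"
    return None


def verify_peer(me: Terminal, presented_cert: bytes) -> bool:
    """Authentication step: hash the certificate the peer presents inside the DTLS handshake
    with the negotiated target hash and compare it, in constant time, with the fingerprint
    that was signalled out of band through the gateway. A substituted certificate fails."""
    if me.peer_hash is None or me.peer_fp is None:
        return False
    computed = fingerprint(me.peer_hash, presented_cert)
    return hmac.compare_digest(computed, me.peer_fp)


if __name__ == "__main__":
    term_x = Terminal("X", CERT_X, ["sha384", "sha256", "sha512"], "active")
    term_y = Terminal("Y", CERT_Y, ["sha512", "sha256"], "passive")
    hx, fpx, hy, fpy = gateway_negotiate(term_x, term_y)
    print(f"#X is authenticated with {hx}, fingerprint {fpx[:23]}...")
    print(f"#Y is authenticated with {hy}, fingerprint {fpy[:23]}...")
    print("handshake initiator:", handshake_initiator(term_x.role, term_y.role))
    print("Y accepts X's certificate:", verify_peer(term_y, CERT_X))
    print("Y rejects a substituted certificate:", not verify_peer(term_y, CERT_Y))
```

Note that the two directions may settle on different hash functions: the first list is built from #Y's offer and chosen by #X, the second from #X's offer and chosen by #Y.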
在完成上述DTLS握手之后,终端设备#X和终端设备#Y可以建立DTLS协议连接。在本发明实施例中,终端设备#X与终端设备#Y建立DTLS协议连接的方法和过程可以与现有技术相似,这里为了避免赘述,省略其详细说明。After completing the above DTLS handshake, the terminal device #X and the terminal device #Y can establish a DTLS protocol connection. In the embodiment of the present invention, the method and the process for establishing the DTLS protocol connection between the terminal device #X and the terminal device #Y may be similar to the prior art, and a detailed description thereof is omitted herein to avoid redundancy.
在如上述所述,建立了DTLS协议连接之后,终端设备#X与终端设备#Y可以通过该DTLS协议连接传输视频会议的相关数据。例如,终端设备#X与终端设备#Y可以根据RFC 6347规定的流程进行鉴权认证交换,并在鉴权认证成功后,开启逻辑信道,进行数据传输。After the DTLS protocol connection is established as described above, the terminal device #X and the terminal device #Y can connect and transmit related data of the video conference through the DTLS protocol. For example, the terminal device #X and the terminal device #Y can perform authentication authentication exchange according to the procedure specified in RFC 6347, and after the authentication authentication is successful, the logical channel is turned on to perform data transmission.
另外,终端设备#X与终端设备#Y可以在该DTLS协议连接的基础上, 建立应用层协议连接,例如,流控制传输协议(SCTP,Stream Control Transmission Protocol)连接,并通过该SCTP连接传输数据。In addition, the terminal device #X and the terminal device #Y may be based on the connection of the DTLS protocol. Establish an application layer protocol connection, for example, a Stream Control Transmission Protocol (SCTP) connection, and transmit data through the SCTP connection.
应理解,以上列举的SCTP仅为应用层协议的示例性说明,本发明并未限定于此,其他用于传输数据的等各种应用层协议均落入本发明的保护范围内。以下,为了便于理解和说明,以基于DTLS协议连接建立SCTP连接的过程为例,进行说明。It should be understood that the above-mentioned SCTP is only an exemplary description of the application layer protocol, and the present invention is not limited thereto, and various other application layer protocols for transmitting data are all within the scope of the present invention. Hereinafter, in order to facilitate understanding and explanation, a process of establishing an SCTP connection by using a DTLS protocol connection will be described as an example.
Optionally, the method further includes:
the first terminal device sends a first port number to the gateway device, the first port number being the port number the first terminal device uses to establish an SCTP connection over the DTLS connection, so that the gateway device can send the first port number to the second terminal device;
the first terminal device receives a second port number sent by the gateway device, the second port number having been sent by the second terminal device to the gateway device and being the port number the second terminal device uses to establish the SCTP connection over the DTLS connection;
the first terminal device establishes an SCTP connection with the second terminal device according to the first port number and the second port number, so as to transmit data to and from the second terminal device over the SCTP connection carried on the DTLS connection.
Specifically, terminal device #X can determine the port numbers available over the DTLS connection and select from them the port number to be used for establishing the SCTP connection with terminal device #Y (hereinafter, for ease of understanding and distinction, denoted port number #X). Terminal device #X can then send port number #X to the gateway device according to the H.323 protocol, for example in an Open Logical Channel message or a Terminal Capability Set message, and the gateway device can forward port number #X to terminal device #Y in, for example, an SDP message.
Similarly, terminal device #Y can determine the port numbers available over the DTLS connection and select from them the port number to be used for establishing the SCTP connection with terminal device #X (hereinafter denoted port number #Y). Terminal device #Y can send port number #Y to the gateway device according to SIP, for example in an SDP message, and the gateway device can forward port number #Y to terminal device #X in, for example, an Open Logical Channel message or a Terminal Capability Set message.
Through the above exchange, terminal device #X and terminal device #Y learn the port number used by the other side, and can therefore establish an SCTP connection on the basis of those port numbers and transmit data over it. The method and procedure for establishing the SCTP connection from the port numbers and transmitting data over it may be similar to the prior art; a detailed description is omitted here to avoid redundancy.
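The role resolution and the port exchange described above, as an added example that is not code from the patent or from Huawei. It assumes (my choices, not the patent's) that the roles "active", "passive" and "either" are written as the RFC 4145 "a=setup:" values active/passive/actpass, that the SIP side carries its SCTP port in the RFC 8841 "a=sctp-port:" attribute, and that the H.323 messages (Open Logical Channel, Terminal Capability Set), which are ASN.1 PER encoded in reality, are stood in for by plain dicts. The case in which both sides advertise "either" is not covered by the text; letting #X initiate then is an assumption.

```python
"""Added example, not code from the patent or from Huawei: who initiates the
DTLS handshake, and the SCTP port exchange through the gateway.

Assumptions (mine, not the patent's): roles are the RFC 4145 "a=setup:" values
active/passive/actpass ("either" = actpass); the SIP side carries its SCTP
port in the RFC 8841 "a=sctp-port:" attribute; the H.323 messages, which are
ASN.1 PER encoded in reality, are stood in for by plain dicts.
"""
from dataclasses import dataclass

ROLE_ACTIVE, ROLE_PASSIVE, ROLE_EITHER = "active", "passive", "actpass"
ROLES = frozenset({ROLE_ACTIVE, ROLE_PASSIVE, ROLE_EITHER})


def resolve_dtls_initiator(role_x: str, role_y: str) -> str:
    """Return "X" or "Y": the endpoint that sends the DTLS ClientHello.

    X initiates when X can be active and Y can be passive (the two cases in
    the text); the mirror image gives Y. Two actives or two passives cannot
    form a handshake and are rejected instead of guessed. Both "either" is
    not covered by the text; letting X initiate in that case is an assumption.
    """
    if role_x not in ROLES or role_y not in ROLES:
        raise ValueError(f"unknown setup role: {role_x!r} / {role_y!r}")
    if role_x == ROLE_ACTIVE:
        if role_y == ROLE_ACTIVE:
            raise ValueError("both endpoints active: nobody would act as DTLS server")
        return "X"
    if role_y == ROLE_ACTIVE:
        return "Y"  # role_x is passive or actpass here, so Y can start
    if role_x == ROLE_PASSIVE and role_y == ROLE_PASSIVE:
        raise ValueError("both endpoints passive: nobody would act as DTLS client")
    # Left: (actpass, passive) -> X, (passive, actpass) -> Y, (actpass, actpass) -> X.
    return "Y" if role_x == ROLE_PASSIVE else "X"


def handshake_possible(role_x: str, role_y: str) -> bool:
    """True when the two advertised roles admit exactly one client and one server."""
    try:
        resolve_dtls_initiator(role_x, role_y)
        return True
    except ValueError:
        return False


def check_port(port: int) -> int:
    """Reject anything that is not a usable SCTP port number before it is signalled."""
    if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError(f"invalid SCTP port: {port!r}")
    return port


def sdp_sctp_port_line(port: int) -> str:
    """Gateway -> SIP endpoint: carry the other side's SCTP port in SDP (RFC 8841 attribute)."""
    return f"a=sctp-port:{check_port(port)}"


def parse_sctp_port(sdp: str) -> int:
    """Gateway <- SIP endpoint: pull the port out of an SDP body; missing or malformed fails."""
    for line in sdp.splitlines():
        if line.startswith("a=sctp-port:"):
            value = line[len("a=sctp-port:"):].strip()
            if not value.isdigit():
                raise ValueError(f"malformed a=sctp-port value: {value!r}")
            return check_port(int(value))
    raise ValueError("SDP carries no a=sctp-port attribute")


def h323_olc_with_port(port: int) -> dict:
    """Gateway -> H.323 endpoint: stand-in for an Open Logical Channel message (assumption)."""
    return {"openLogicalChannel": {"sctpPort": check_port(port)}}


@dataclass(frozen=True)
class SctpAssociation:
    local_port: int
    remote_port: int


def association_for_x(port_x: int, sdp_from_y: str) -> SctpAssociation:
    """What terminal #X ends up with: its own port plus port #Y relayed from Y's SDP."""
    return SctpAssociation(local_port=check_port(port_x),
                           remote_port=parse_sctp_port(sdp_from_y))


# Constructed SDP body as terminal #Y might send it to the gateway (not captured traffic).
SDP_FROM_Y = "\r\n".join([
    "v=0",
    "o=terminalY 1 1 IN IP4 192.0.2.20",
    "s=-",
    "t=0 0",
    "a=setup:passive",
    "a=sctp-port:5000",
]) + "\r\n"

if __name__ == "__main__":
    print(resolve_dtls_initiator("active", "passive"))      # X
    print(h323_olc_with_port(parse_sctp_port(SDP_FROM_Y)))  # relayed to X as OLC
    print(association_for_x(6000, SDP_FROM_Y))
```

Rejecting the active/active and passive/passive combinations rather than picking a side is the point worth keeping: a gateway that silently "fixes" such a mismatch ends up with two ClientHellos or none, and the data channel never comes up.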
It should be noted that the foregoing describes the negotiation of a hash function between terminal device #X and terminal device #Y in order to establish the DTLS connection, but the present invention is not limited thereto: other parameters used for establishing the DTLS connection may likewise be determined through a negotiation between terminal device #X and terminal device #Y, and that negotiation is similar to the negotiation described in method 300 above.
In addition, in this embodiment, hash function #X and hash function #Y determined as described above may be the same or different; the present invention does not particularly limit this.
According to the method for transmitting data of this embodiment, a first terminal device using the H.323 protocol and a second terminal device using SIP negotiate a hash function and fingerprint information via a gateway device, so that a DTLS connection based on that hash function and fingerprint information can be established between the first terminal device and the second terminal device, and the two terminal devices can transmit data over the DTLS connection. This makes effective use of the security authentication mechanism of DTLS to improve the security of the transmitted data, and makes DTLS applicable to terminal devices using the H.323 protocol, thereby improving the reliability and practicability of the terminal devices and improving the user experience.
Mode D
FIG. 4 shows a schematic flowchart of a method 400 for transmitting data according to another embodiment of the present invention, described from the perspective of the gateway device. The method is applied to a communication system including a first terminal device, a second terminal device and a gateway device, where the first terminal device communicates with the gateway device through the H.323 protocol and the second terminal device communicates with the gateway device through the Session Initiation Protocol (SIP). As shown in FIG. 4, the method 400 includes:
S410: the gateway device receives a hash function list sent by the first terminal device, the hash function list including at least one hash function supported by the first terminal device;
S420: the gateway device performs a negotiation with the second terminal device according to the hash function list, so as to determine from the hash function list at least one candidate hash function, where a candidate hash function is a hash function supported by the second terminal device;
S430: the gateway device sends the candidate hash function to the first terminal device, so that the first terminal device determines a target hash function from the candidate hash function(s) and determines the fingerprint information corresponding to the target hash function;
S440: the gateway device receives the target hash function and the fingerprint information sent by the first terminal device and sends the target hash function and the fingerprint information to the second terminal device, so that the first terminal device and the second terminal device establish a Datagram Transport Layer Security (DTLS) connection according to the target hash function and the fingerprint information and transmit data over the DTLS connection.
At present, with the development and spread of media communication technologies such as video conferencing, such technologies offer several session (also called "call") establishment protocols. A terminal device can therefore select a session establishment protocol according to its own capabilities (for example, the session establishment protocols it supports), set up a session connection, and then negotiate with another terminal device over that session connection to establish a data transmission connection and complete the media communication with the other terminal device.
Examples of such session establishment protocols are the H.323 protocol and the Session Initiation Protocol (SIP). Different session protocols correspond to different data transmission connections: for example, the H.323 protocol corresponds to a data transmission connection based on the H.235 protocol, and SIP corresponds to a data transmission connection based on Datagram Transport Layer Security (DTLS).
Because these different data transmission connections are not compatible with each other (for example, one side cannot recognize the other side's encoding format), if two terminal devices set up a session using the H.323 protocol and SIP respectively, the session (or rather, the data transmission connection) terminates at the gateway device, and the gateway device has to forward the data transmitted between the two terminal devices (for example, converting the encoding format). This increases the load on the gateway device, reduces the transmission performance of the system and seriously degrades the user experience.
By contrast, according to the method 400 for transmitting data of this embodiment, the first terminal device and the second terminal device negotiate security parameters via the gateway device, so that a DTLS connection based on those security parameters can be established between them and they can transmit data over it without forwarding by the gateway device. This reduces the load on the gateway device, improves the transmission performance of the system and improves the user experience.
Specifically, in this embodiment, the first terminal device (hereinafter, for ease of understanding and distinction, denoted terminal device #A) may be located in a sub-communication system that uses the H.323 protocol (specifically, that uses the H.323 protocol to set up session connections), and the second terminal device (hereinafter denoted terminal device #B) may be located in a sub-communication system that uses SIP (specifically, that uses SIP to set up session connections). Terminal device #A and the gateway device can therefore communicate, for example exchange signaling, on the basis of the H.323 protocol, and terminal device #B and the gateway device can communicate, for example exchange signaling, on the basis of SIP.
In this embodiment, terminal device #A and terminal device #B can negotiate via the gateway device to determine a hash function and fingerprint information (also referred to as security parameters), so that a DTLS connection can be established on the basis of that hash function and fingerprint information and data can be transmitted over it. In this way the security mechanism of DTLS (that is, authentication of the peer's certificate by means of the hash function and fingerprint information, together with encryption of the transmitted data) is used effectively to improve the security of the data transmission.
First, terminal device #A can record the hash functions it supports in a hash function list, encapsulate the hash function list according to the H.323 protocol in a message provided by the communication system for transmission between terminal device #A and the gateway device, and send that message to the gateway device.
Optionally, the hash function list sent by the first terminal device to the gateway device is carried in a Terminal Capability Set message sent by the first terminal device to the gateway device.
Specifically, a Terminal Capability Set message is one example of a message that can carry the hash function list; in this way the hash function list is carried in a message already provided by the existing protocol, which improves the generality and practicability of the invention.
It should be understood that the Terminal Capability Set message is merely an example of a message carrying the hash function list; the present invention is not limited thereto, and any other message that can be transmitted between terminal device #A and the gateway device, that is, any message that terminal device #A and the gateway device can send and receive on the basis of the H.323 protocol, falls within the scope of the present invention.
It should be noted that in this embodiment the hash functions that terminal device #A records in the hash function list may be all of the hash functions terminal device #A supports or only some of them; the present invention does not particularly limit this. For example, the number of hash functions recorded in the list may be varied according to the system (or standard) specification or the capacity of the message that carries the list (that is, the amount of information the message can carry).
Thus, in S410, the gateway device receives the message carrying the hash function list and decapsulates it according to the H.323 protocol to obtain the hash function list.
In S420, the gateway device can, on the basis of the hash function list and using SIP, negotiate with terminal device #B to determine from the hash function list the (one or more) candidate hash functions that terminal device #B supports. By way of example and not limitation, the negotiation may proceed as follows.
Optionally, the gateway device performing a negotiation with the second terminal device according to the hash function list so as to determine at least one candidate hash function from the hash function list includes:
the gateway device sends a hash function to be verified to the second terminal device, the hash function to be verified being any hash function in the hash function list;
the gateway device receives a verification message sent by the second terminal device, the verification message indicating whether the hash function to be verified is a hash function supported by the second terminal device;
when the gateway device determines from the verification message that the hash function to be verified is a hash function supported by the second terminal device, it determines the hash function to be verified as a candidate hash function.
Specifically, the gateway device can select any hash function (for example, the first one) from the hash function list as the hash function to be verified, encapsulate it according to SIP in a message provided by the communication system for transmission between the gateway device and terminal device #B, and send that message to terminal device #B.
Optionally, the hash function to be verified that the gateway device sends to the second terminal device is carried in the Session Description Protocol (SDP) Offer body of a SIP message sent by the gateway device to the second terminal device. In this way the hash function to be verified is carried in a message already provided by the existing protocol, which improves the generality and practicability of the invention.
Terminal device #B receives the message carrying the hash function to be verified and decapsulates it according to SIP to obtain the hash function to be verified.
Terminal device #B can then compare the hash function to be verified with the hash functions it supports, and thereby determine whether the hash function to be verified is a hash function that terminal device #B supports.
If terminal device #B determines that the hash function to be verified is one it supports, it can send to the gateway device, according to SIP, a verification message indicating that terminal device #B supports the hash function to be verified (hereinafter, for ease of understanding and distinction, called a verification message of the first type). On receiving a verification message of the first type, the gateway device can determine that the hash function to be verified that it sent to terminal device #B is supported by terminal device #B, and determine it as a candidate hash function.
If terminal device #B determines that the hash function to be verified is not one it supports, it can send to the gateway device, according to SIP, a verification message indicating that terminal device #B does not support the hash function to be verified (hereinafter called a verification message of the second type). On receiving a verification message of the second type, the gateway device can determine that the hash function to be verified that it sent to terminal device #B is not supported by terminal device #B, and does not determine it as a candidate hash function.
Optionally, the gateway device determining the hash function to be verified as a candidate hash function when it determines from the verification message that the hash function to be verified is a hash function supported by the second terminal device includes:
when the gateway device determines that the verification message carries the hash function to be verified, it determines that the hash function to be verified is a hash function supported by the second terminal device and determines it as a candidate hash function.
Specifically, in this embodiment, as a way of distinguishing a verification message of the first type from one of the second type, the gateway device can check whether the verification message carries the hash function to be verified that the gateway device sent to terminal device #B.
For example, if terminal device #B determines that the hash function to be verified sent by the gateway device is one it supports, it can place that hash function in the verification message it sends to the gateway device; when the gateway device finds that the verification message carries the hash function to be verified, it can determine that the verification message is of the first type, that is, that the hash function to be verified it carries is a candidate hash function.
Conversely, if terminal device #B determines that the hash function to be verified sent by the gateway device is not one it supports, it can send the gateway device a verification message that does not carry any hash function; when the gateway device finds that the verification message does not carry the hash function to be verified, it can determine that the verification message is of the second type, that is, that the hash function to be verified it sent to terminal device #B is not a candidate hash function.
Optionally, the verification message sent by the second terminal device to the gateway device is a SIP message, and the hash function to be verified that the second terminal device sends to the gateway device is carried in the SDP Answer body of that SIP message. In this way a message already provided by the existing protocol serves as the verification message, which improves the generality and practicability of the invention.
The gateway device can stop the negotiation as soon as one candidate hash function has been determined (for example, the gateway device can select hash functions to be verified one after another and negotiate with terminal device #B repeatedly until one candidate hash function is found).
Alternatively, the gateway device can negotiate with terminal device #B N times (N being the number of hash functions in the hash function list) in order to determine every hash function in the list that can serve as a candidate hash function.
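The S420 negotiation between the gateway device and terminal device #B, as an added example that is not code from the patent or from Huawei, showing both sides' SDP bodies. The patent does not name the SDP attribute that carries the hash function to be verified, so a placeholder attribute "a=x-hash-func:" is used (an assumption of this example); terminal device #B echoes the attribute in its SDP Answer when it supports the function (a verification message of the first type) and omits it otherwise (the second type). Hash function names are spelled as in RFC 8122 ("sha-256", ...); leaving md2 and md5 out of the acceptable set is this example's policy, not the patent's.

```python
"""Added example, not code from the patent or from Huawei: the S420 negotiation
between the gateway and terminal device #B, showing both sides' SDP bodies.

Assumptions (mine): the placeholder attribute "a=x-hash-func:<name>" carries
the hash function to be verified (the patent does not name the attribute);
#B echoes it in the SDP Answer when supported (first-type verification
message) and omits it otherwise (second type). md2/md5 are left out of
ACCEPTABLE_HASH_NAMES on purpose.
"""
from typing import List, Optional, Tuple

ATTR = "a=x-hash-func:"  # placeholder attribute name, not from the patent
ACCEPTABLE_HASH_NAMES = frozenset({"sha-1", "sha-224", "sha-256", "sha-384", "sha-512"})


def get_hash_attr(sdp: str) -> Optional[str]:
    """Return the value of the placeholder attribute, or None if it is absent."""
    for line in sdp.splitlines():
        if line.startswith(ATTR):
            return line[len(ATTR):].strip()
    return None


def _sdp(origin: str, attr_value: Optional[str]) -> str:
    """Minimal constructed SDP body; 192.0.2.1 is a documentation address."""
    lines = ["v=0", f"o={origin} 1 1 IN IP4 192.0.2.1", "s=-", "t=0 0"]
    if attr_value is not None:
        lines.append(f"{ATTR}{attr_value}")
    return "\r\n".join(lines) + "\r\n"


class TerminalB:
    """SIP endpoint #B: answers each SDP Offer from its own supported set."""

    def __init__(self, supported):
        self.supported = frozenset(supported)

    def answer(self, offer: str) -> str:
        name = get_hash_attr(offer)
        if name is not None and name in self.supported:
            return _sdp("terminalB", name)  # first type: echo the function
        return _sdp("terminalB", None)      # second type: no hash function at all


class MisbehavingTerminalB(TerminalB):
    """Test double: always answers with a fixed function, whatever was offered."""

    def __init__(self, fixed: str):
        super().__init__([fixed])
        self.fixed = fixed

    def answer(self, offer: str) -> str:
        return _sdp("terminalB", self.fixed)


class Gateway:
    def __init__(self):
        self.transcript: List[Tuple[str, str]] = []  # (offer, answer) pairs, in order

    def verify_one(self, hash_name: str, terminal_b: TerminalB) -> bool:
        offer = _sdp("gateway", hash_name)
        answer = terminal_b.answer(offer)
        self.transcript.append((offer, answer))
        # Only an exact echo counts. An answer naming a *different* function is
        # not a first-type verification message for this offer, so it is treated
        # as "not supported" rather than letting #B choose the function for #A.
        return get_hash_attr(answer) == hash_name

    def negotiate(self, hash_list: List[str], terminal_b: TerminalB,
                  stop_at_first: bool = False) -> List[str]:
        """Determine the candidate hash functions from #A's list, in #A's order.

        Names the gateway does not accept are never offered, and a name that
        appears twice in #A's list is verified only once.
        """
        candidates: List[str] = []
        seen = set()
        for name in hash_list:
            if name in seen or name not in ACCEPTABLE_HASH_NAMES:
                continue
            seen.add(name)
            if self.verify_one(name, terminal_b):
                candidates.append(name)
                if stop_at_first:
                    break
        return candidates


if __name__ == "__main__":
    gw = Gateway()
    print(gw.negotiate(["sha-512", "sha-256", "sha-1"], TerminalB(["sha-256", "sha-1"])))
    for offer, answer in gw.transcript:
        print("--- offer ---\n" + offer + "--- answer ---\n" + answer)
```

Keeping terminal device #A's order in the candidate list matters: the list encodes #A's preference, and the gateway has no business reordering it. The exact-echo rule in verify_one is the check a reviewer would ask for, since the SIP side must not be able to substitute a function that #A never offered.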
After the candidate hash function(s) have been determined as described above, in S430 the gateway device can encapsulate the candidate hash function(s) according to the H.323 protocol in a message provided by the communication system for transmission between terminal device #A and the gateway device, and send that message to terminal device #A.
Optionally, the candidate hash function that the gateway device sends to the first terminal device is carried in a Terminal Capability Set message sent by the gateway device to the first terminal device.
Specifically, a Terminal Capability Set message is one example of a message that can carry the candidate hash function; in this way the candidate hash function is carried in a message already provided by the existing protocol, which improves the generality and practicability of the invention.
It should be understood that the Terminal Capability Set message is merely an example of a message carrying the candidate hash function; the present invention is not limited thereto, and any other message that can be transmitted between terminal device #A and the gateway device, that is, any message that terminal device #A and the gateway device can send and receive on the basis of the H.323 protocol, falls within the scope of the present invention.
Terminal device #A thus receives the message carrying the candidate hash function(s) and decapsulates it according to the H.323 protocol to obtain them. Because every candidate hash function is supported by both terminal device #A and terminal device #B, terminal device #A can select any of the candidate hash functions as the target hash function.
After the target hash function has been determined, terminal device #A can determine the fingerprint information corresponding to the target hash function. This process may be similar to the prior-art process of determining the fingerprint information corresponding to a hash function (in the SDP fingerprint attribute of RFC 8122, for example, the fingerprint is the hash, computed with the named function, of the DER-encoded certificate the endpoint will present in the DTLS handshake); a detailed description is omitted here to avoid redundancy.
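Deriving the fingerprint information for the target hash function, and the check terminal device #B must make when the DTLS handshake arrives, as an added example that is not code from the patent or from Huawei. It assumes the RFC 8122 construction: the named hash over the DER-encoded X.509 certificate the endpoint presents in the DTLS handshake, written as upper-case hex octets separated by ":". CERT_A_DER is a constructed stand-in for terminal device #A's certificate, not a real certificate; refusing md2 and md5, although RFC 8122 names them, is this example's policy.

```python
"""Added example, not code from the patent or from Huawei: fingerprint
information for the target hash function, and verification of the peer's
DTLS certificate against the signalled fingerprint.

Assumptions (mine): RFC 8122 construction (named hash over the DER-encoded
certificate, upper-case hex octets joined by ':'); CERT_A_DER is a constructed
stand-in, not a real certificate; md2/md5 are deliberately not accepted.
"""
import hashlib
import hmac
from typing import Tuple

HASHLIB_NAMES = {
    "sha-1": "sha1", "sha-224": "sha224", "sha-256": "sha256",
    "sha-384": "sha384", "sha-512": "sha512",
}

# Constructed stand-in for the DER encoding of terminal #A's DTLS certificate.
CERT_A_DER = b"\x30\x82\x01\x00" + b"constructed stand-in for terminal A's certificate"


def fingerprint(cert_der: bytes, hash_name: str) -> str:
    """Fingerprint information for one hash function (here, the target hash function)."""
    try:
        algo = HASHLIB_NAMES[hash_name.lower()]
    except KeyError:
        raise ValueError(f"hash function {hash_name!r} is not acceptable here") from None
    digest = hashlib.new(algo, cert_der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def sdp_fingerprint_line(cert_der: bytes, hash_name: str) -> str:
    """How the gateway would carry target hash function + fingerprint in the SDP Offer to #B."""
    return f"a=fingerprint:{hash_name} {fingerprint(cert_der, hash_name)}"


def parse_fingerprint_line(line: str) -> Tuple[str, str]:
    """Split an a=fingerprint line into (hash name, fingerprint value)."""
    prefix = "a=fingerprint:"
    if not line.startswith(prefix):
        raise ValueError("not an a=fingerprint line")
    name, _, value = line[len(prefix):].strip().partition(" ")
    if not name or not value:
        raise ValueError("a=fingerprint line is missing the hash name or the value")
    return name.lower(), value.strip().upper()


def verify_peer_certificate(peer_cert_der: bytes, signalled_hash: str, signalled_fp: str) -> bool:
    """The check that binds the DTLS handshake to the signalling path.

    The certificate seen in the handshake must hash, with the signalled target
    hash function, to exactly the signalled fingerprint. An unacceptable hash
    name, a value of the wrong length or any mismatch fails closed, and the
    comparison is constant-time so a forged certificate learns nothing from timing.
    """
    if signalled_hash.lower() not in HASHLIB_NAMES:
        return False
    expected = fingerprint(peer_cert_der, signalled_hash)
    return hmac.compare_digest(expected.encode(), signalled_fp.strip().upper().encode())


if __name__ == "__main__":
    line = sdp_fingerprint_line(CERT_A_DER, "sha-256")
    print(line)
    name, value = parse_fingerprint_line(line)
    print(verify_peer_certificate(CERT_A_DER, name, value))            # True
    print(verify_peer_certificate(CERT_A_DER + b"\x00", name, value))  # False
```

The fingerprint only protects the session if the receiving side actually compares it with the certificate it sees in the DTLS handshake and aborts on mismatch; a gateway that relays the fingerprint but an endpoint that never checks it leaves the DTLS connection open to a certificate substituted on the media path.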
Terminal device #A can then, according to the H.323 protocol, encapsulate the target hash function and the fingerprint information in a message provided by the communication system for transmission between terminal device #A and the gateway device, and send that message to the gateway device.
Optionally, the target hash function and fingerprint information that the first terminal device sends to the gateway device are carried in an Open Logical Channel message sent by the first terminal device to the gateway device.
Specifically, an Open Logical Channel message is one example of a message that can carry the target hash function and fingerprint information; in this way they are carried in a message already provided by the existing protocol, which improves the generality and practicability of the invention.
It should be understood that the Open Logical Channel message is merely an example of a message carrying the target hash function and fingerprint information; the present invention is not limited thereto, and any other message that can be transmitted between terminal device #A and the gateway device, that is, any message that terminal device #A and the gateway device can send and receive on the basis of the H.323 protocol, falls within the scope of the present invention.
Thus, in S440, the gateway device receives the message carrying the target hash function and fingerprint information and decapsulates it according to the H.323 protocol to obtain them. It can then, according to SIP, encapsulate the target hash function and fingerprint information in a message provided by the communication system for transmission between the gateway device and terminal device #B, and send that message to terminal device #B.
Optionally, the target hash function and fingerprint information that the gateway device sends to the second terminal device are carried in the SDP Offer body of a SIP message sent by the gateway device to the second terminal device. In this way they are carried in a message already provided by the existing protocol, which improves the generality and practicability of the invention.
It should be understood that the SDP Offer body is merely an example of a message carrying the target hash function and fingerprint information; the present invention is not limited thereto, and any other message that can be transmitted between terminal device #B and the gateway device, that is, any message that terminal device #B and the gateway device can send and receive on the basis of SIP, falls within the scope of the present invention.
Terminal device #B thus receives the message carrying the target hash function and fingerprint information and decapsulates it according to SIP to obtain the target hash function and the fingerprint information.
可选地,该方法还包括:Optionally, the method further includes:
该网关设备接收该第二终端设备发送的确认信息,该确认信息用于指示该第二终端设备已收到该目标哈希函数和该指纹信息;The gateway device receives the confirmation information sent by the second terminal device, where the confirmation information is used to indicate that the second terminal device has received the target hash function and the fingerprint information;
该网关设备向该第一终端设备发送该确认信息,以便于该第一终端设备基于该确认信息,根据该目标哈希函数和该指纹信息与该第二终端设备建立DTLS协议连接。The gateway device sends the confirmation information to the first terminal device, so that the first terminal device establishes a DTLS protocol connection with the second terminal device according to the target hash function and the fingerprint information based on the confirmation information.
具体地说,终端设备#B在获取上述目标哈希函数和指纹信息之后,可以根据SIP协议,将用于指示终端设备#B已收到该目标哈希函数的确认信息封装入通信系统所提供的能够在终端设备#B与网关设备之间传输的消息内,并将该消息传输至网关设备。Specifically, after acquiring the target hash function and the fingerprint information, the terminal device #B may encapsulate the confirmation information indicating that the terminal device #B has received the target hash function into the communication system according to the SIP protocol. The message can be transmitted between the terminal device #B and the gateway device and transmitted to the gateway device.
可选地,该第二终端设备发送给该网关设备的确认信息承载于该第二终端设备发送给该网关设备的SIP消息中的SDP Answer消息体中。从而,能够利用现有协议中提供的消息承载该确认信息,提高了本发明的通用性和实用性。Optionally, the acknowledgment information sent by the second terminal device to the gateway device is carried in the SDP Answer message body in the SIP message sent by the second terminal device to the gateway device. Thereby, the acknowledgment information can be carried by the message provided in the existing protocol, which improves the versatility and practicability of the present invention.
从而,网关设备能够接收到上述携带确认信息的消息,并基于SIP对该消息解封装从而获取上述确认信息,并且,可以基于H.323协议将确认信息封装入通信系统所提供的能够在终端设备#A与网关设备之间传输的消息 内,并将该消息传输至终端设备#A。Therefore, the gateway device can receive the message carrying the confirmation information, and decapsulate the message based on the SIP to obtain the confirmation information, and can encapsulate the confirmation information into the terminal device provided by the communication system based on the H.323 protocol. Message transmitted between #A and the gateway device Inside, and the message is transmitted to terminal device #A.
可选地,该网关设备发送给该第一终端设备的确认信息承载于该网关设备发送给该第一终端设备的开启逻辑信道响应消息中。Optionally, the acknowledgment information sent by the gateway device to the first terminal device is carried in an open logical channel response message sent by the gateway device to the first terminal device.
具体地说,作为承载上述确认信息的消息,可以列举开启逻辑信道响应消息,从而,能够利用现有协议中提供的消息承载该确认信息,提高了本发明的通用性和实用性。Specifically, as the message carrying the acknowledgement information, the logical channel response message is opened, so that the acknowledgement information can be carried by the message provided in the existing protocol, thereby improving the versatility and practicability of the present invention.
从而,终端设备#A能够接收到上述携带确认信息的消息,并基于H.323协议对该消息解封装从而获取上述确认信息,进而确定终端设备#B已接收到上述目标哈希函数,从而可以执行上述建立DTLS协议连接的动作。Therefore, the terminal device #A can receive the message carrying the confirmation information, and decapsulate the message based on the H.323 protocol to obtain the confirmation information, thereby determining that the terminal device #B has received the target hash function, thereby Perform the above actions to establish a DTLS protocol connection.
通过使终端设备#B在接收到目标哈希函数和指纹信息之后,通过网关设备向终端设备#A返回确认信息,终端设备#A可以根据该确认信息确定终端设备#B已做好建立DTLS协议连接的准备,从而,能够进一步提高本发明实施例的用于传输数据的方法的可靠性。After the terminal device #B receives the confirmation information from the gateway device to the terminal device #A after receiving the target hash function and the fingerprint information, the terminal device #A can determine, according to the confirmation information, that the terminal device #B is ready to establish the DTLS protocol. The preparation of the connection, thereby, can further improve the reliability of the method for transmitting data of the embodiment of the present invention.
由此,终端设备#A和终端设备#B双方能够获知目标哈希函数和指纹信息,从而,终端设备#A和终端设备#B可以根据目标哈希函数和指纹信息之间建立DTLS协议连接。例如,终端设备#A可以根据目标哈希函数和指纹信息与终端设备#A进行安全认证(也可以称为:DTLS握手)。Thereby, both the terminal device #A and the terminal device #B can know the target hash function and the fingerprint information, and thus, the terminal device #A and the terminal device #B can establish a DTLS protocol connection according to the target hash function and the fingerprint information. For example, the terminal device #A can perform security authentication (also referred to as a DTLS handshake) with the terminal device #A according to the target hash function and the fingerprint information.
即,终端设备#A可以根据目标哈希函数和指纹信息生成验证信息#A(例如,终端设备#A可以根据目标哈希函数对指纹信息进行加密而生成一个代码),并将该验证信息#A发送给终端设备#B。That is, the terminal device #A can generate the verification information #A according to the target hash function and the fingerprint information (for example, the terminal device #A can encrypt the fingerprint information according to the target hash function to generate a code), and the verification information # A is sent to terminal device #B.
并且,终端设备#B可以根据目标哈希函数和指纹信息生成验证信息#B(例如,终端设备#B可以根据目标哈希函数对指纹信息进行加密而生成一个代码),并将该验证信息#B发送给终端设备#A。And, the terminal device #B can generate the verification information #B according to the target hash function and the fingerprint information (for example, the terminal device #B can encrypt the fingerprint information according to the target hash function to generate a code), and the verification information # B is sent to terminal device #A.
从而,当终端设备#B确定终端设备#A所发送的上述验证信息#A与其生成的验证信息#B一致时,终端设备#B可以确定终端设备#A通过安全验证,可以与该终端设备#A建立DTLS连接。Therefore, when the terminal device #B determines that the above-described verification information #A transmitted by the terminal device #A coincides with the verification information #B generated by it, the terminal device #B can determine that the terminal device #A passes the security verification, and can be associated with the terminal device # A establishes a DTLS connection.
类似的,当终端设备#A确定终端设备#B所发送的上述验证信息#B与其生成的验证信息#A一致时,终端设备#A可以确定终端设备#B通过安全验证,可以与该终端设备#A建立DTLS连接。Similarly, when the terminal device #A determines that the above-mentioned verification information #B transmitted by the terminal device #B coincides with the verification information #A generated by the terminal device #B, the terminal device #A can determine that the terminal device #B passes the security verification and can communicate with the terminal device. #A Establish a DTLS connection.
并且,建立DTLS协议连接的过程可以与现有技术相似,这里为了避免赘述,省略其详细说明。 Moreover, the process of establishing a DTLS protocol connection may be similar to the prior art, and a detailed description thereof will be omitted herein to avoid redundancy.
应理解,以上列举的DTLS握手的过程仅为示例性说明,本发明并未限定于此,例如,终端设备#A与终端设备#B还可以根据RFC 6347规定的流程进行鉴权认证交换,并在鉴权认证成功后,开启逻辑信道,进行数据传输。It should be understood that the process of the above-mentioned DTLS handshake is only an exemplary description, and the present invention is not limited thereto. For example, the terminal device #A and the terminal device #B may also perform authentication authentication exchange according to the procedure specified in RFC 6347, and After the authentication is successful, the logical channel is opened for data transmission.
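As an added example, not code from the patent or from its applicant, the check that the DTLS handshake above depends on, in Python. In the standard form of this mechanism (certificate fingerprints of RFC 8122 used with DTLS), the fingerprint information is the digest of a terminal's DER-encoded certificate under the target hash function, and each side accepts the other only if the certificate presented inside the DTLS handshake hashes to the fingerprint that arrived through signalling; `verify_peer_certificate` implements that, and `mutual_authentication` runs it in both directions, which is the generate-and-compare step the text describes with verification information #A and #B. The hash names (`sha-256` and so on), the colon-separated upper-case hex format and the byte strings standing in for DER certificates are assumptions of this example. One caveat on the trust boundary: the gateway decapsulates and re-encapsulates the fingerprint, so the check binds the DTLS certificate to whatever the signalling path delivered; a party that can alter the fingerprint in signalling can also substitute the certificate.

```python
import hashlib
import hmac

# Hash function names as carried in signalling (RFC 8122 spelling, assumed),
# mapped to hashlib algorithm names. Only these are accepted as a target hash
# function; anything else fails closed instead of being guessed.
SUPPORTED_HASHES = {
    "sha-1": "sha1",
    "sha-224": "sha224",
    "sha-256": "sha256",
    "sha-384": "sha384",
    "sha-512": "sha512",
}

# Constructed placeholders standing in for the DER-encoded certificates of
# terminal device #A and terminal device #B (not real certificates).
CERT_A_DER = b"constructed DER certificate of terminal device #A"
CERT_B_DER = b"constructed DER certificate of terminal device #B"


def compute_fingerprint(cert_der: bytes, hash_name: str) -> str:
    """Fingerprint information for a certificate: the digest of its DER bytes
    under the target hash function, as upper-case colon-separated hex."""
    algo = SUPPORTED_HASHES.get(hash_name.lower())
    if algo is None:
        raise ValueError(f"unsupported hash function: {hash_name}")
    digest = hashlib.new(algo, cert_der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def verify_peer_certificate(presented_der: bytes, hash_name: str,
                            signalled_fingerprint: str) -> bool:
    """The DTLS-side check: the certificate the peer presents in the handshake
    must hash, under the negotiated function, to the fingerprint that arrived
    through signalling. Unknown hash names are rejected, not guessed, and the
    comparison is constant-time so a mismatch leaks nothing about the digest."""
    try:
        actual = compute_fingerprint(presented_der, hash_name)
    except ValueError:
        return False
    expected = signalled_fingerprint.strip().upper()
    return hmac.compare_digest(actual.encode("utf-8"), expected.encode("utf-8"))


def mutual_authentication(hash_name: str,
                          cert_a: bytes = CERT_A_DER,
                          cert_b: bytes = CERT_B_DER) -> bool:
    """Both directions of the handshake described in the text: #A checks the
    certificate #B presents against fingerprint #B, #B checks #A's against
    fingerprint #A. True only when both checks pass."""
    fp_a = compute_fingerprint(cert_a, hash_name)   # sent by #A via signalling
    fp_b = compute_fingerprint(cert_b, hash_name)   # sent by #B via signalling
    a_accepts_b = verify_peer_certificate(cert_b, hash_name, fp_b)
    b_accepts_a = verify_peer_certificate(cert_a, hash_name, fp_a)
    return a_accepts_b and b_accepts_a


if __name__ == "__main__":
    fp_a = compute_fingerprint(CERT_A_DER, "sha-256")
    print("fingerprint #A (sha-256):", fp_a)
    print("mutual authentication:", mutual_authentication("sha-256"))
    # A certificate substituted on the DTLS path does not match the
    # fingerprint that came through signalling and is refused.
    print("substituted certificate accepted:",
          verify_peer_certificate(b"substituted certificate", "sha-256", fp_a))
```

The hash name is taken from the negotiated target rather than from anything inside the handshake, so a peer cannot downgrade the check by presenting a certificate signed with a weaker algorithm; whichever function the signalling agreed on is the one the presented certificate is hashed with.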
Thereafter, terminal device #A and terminal device #B can transmit the data of the video conference over the DTLS protocol connection. For example, on top of the DTLS protocol connection, terminal device #A and terminal device #B can establish an application-layer protocol connection, such as a Stream Control Transmission Protocol (SCTP) connection, and transmit data over that SCTP connection.
It should be understood that SCTP listed above is only an example of an application-layer protocol and the present invention is not limited thereto; other application-layer protocols used for transmitting data all fall within the scope of the present invention. Hereinafter, for ease of understanding and explanation, the process of establishing an SCTP connection on top of the DTLS protocol connection is described as an example.
Optionally, the method further includes:
the first terminal device sending a first port number to the gateway device so that the gateway device forwards the first port number to the second terminal device, the first port number being the port number used by the first terminal device to establish a Stream Control Transmission Protocol (SCTP) connection on top of the DTLS protocol connection;
the first terminal device receiving a second port number sent by the gateway device, the second port number having been sent by the second terminal device to the gateway device and being the port number used by the second terminal device to establish the SCTP connection on top of the DTLS protocol connection; and
the first terminal device establishing the SCTP connection with the second terminal device according to the first port number and the second port number, to transmit data over the SCTP connection.
Specifically, after the DTLS protocol connection has been established as described above, terminal device #A can determine the port numbers available on the DTLS protocol connection and select from them the port number to be used for establishing the SCTP connection with terminal device #B (hereinafter, for ease of understanding and distinction, port number #A), and terminal device #A can send port number #A to the gateway device according to the H.323 protocol.
Thus, the gateway device can receive port number #A from terminal device #A according to the H.323 protocol and send port number #A to terminal device #B according to SIP.
Similarly, terminal device #B can determine the port numbers available on the DTLS protocol connection and select from them the port number to be used for establishing the SCTP connection with terminal device #A (hereinafter, port number #B), and terminal device #B can send port number #B to the gateway device according to SIP.
Thus, the gateway device can receive port number #B from terminal device #B according to SIP and send port number #B to terminal device #A according to the H.323 protocol.
Optionally, the first port number that the first terminal device sends to the gateway device is carried in the Open Logical Channel message,
the second port number that the gateway device sends to the first terminal device is carried in the Open Logical Channel Ack message,
the first port number that the gateway device sends to the second terminal device is carried in the SDP Offer body of a SIP message, and
the second port number that the second terminal device sends to the gateway device is carried in the SDP Answer body of a SIP message.
Specifically, once the target hash function and the fingerprint information have been determined as described above, terminal device #A and terminal device #B can already confirm the DTLS protocol connection that is about to be established, and can therefore send each other the port numbers selected for establishing the SCTP connection before the DTLS protocol connection is established.
Therefore, in the embodiment of the present invention, terminal device #A can send its selected port number (port number #A) to the gateway device in the Open Logical Channel message described above, and the gateway device can send the port number selected by terminal device #B (port number #B) to terminal device #A in the Open Logical Channel Ack message described above.
Likewise, the gateway device can send the port number selected by terminal device #A (port number #A) to terminal device #B in the SDP body of the SIP update message described above, and terminal device #B can send its selected port number (port number #B) to the gateway device in the SDP body of the response to that SIP update message.
Optionally, the first port number, the target hash function and the fingerprint information that the first terminal device sends to the gateway device are carried in the same message, and
the first port number, the target hash function and the fingerprint information that the gateway device sends to the second terminal device are carried in the same message.
Specifically, terminal device #A and the gateway device can carry port number #A, the target hash function and the fingerprint information in a single message.
Similarly, terminal device #B and the gateway device can carry port number #B and the confirmation information in a single message.
This reduces the signalling interaction of the system and improves communication efficiency.
Through the interaction flow above, terminal device #A and terminal device #B learn the port number each of them uses, and can establish the SCTP connection and transmit data according to those port numbers; the method and process of establishing the SCTP connection from the port numbers and of transmitting data over the SCTP connection can be similar to the prior art, and their detailed description is omitted here to avoid repetition.
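As an added example (not the patent's own code), the gateway's translation step for the SIP leg, in Python: the target hash function, fingerprint information, role and port number #A taken from the Open Logical Channel message are written into an SDP offer body, and the SDP answer from terminal device #B is parsed back into the fields that go into the Open Logical Channel Ack (terminal device #B's fingerprint under the same hash function as the confirmation, its role and port number #B). The patent does not name SDP attributes; this example assumes the standard ones, `a=fingerprint` (RFC 8122), `a=setup` (RFC 4145) and `a=sctp-port` with the `UDP/DTLS/SCTP` m-line (RFC 8841), and the answer body is constructed for the example. The checks made on the answer are the point: it must not switch hash function, must take a role compatible with the offered one, and must carry every field before anything is forwarded to terminal device #A.

```python
import re

# SDP attributes used to carry the parameters the text describes. The patent
# does not name them, so using the standard ones is an assumption of this
# example: a=fingerprint (RFC 8122), a=setup (RFC 4145), a=sctp-port and the
# UDP/DTLS/SCTP m-line (RFC 8841).
FINGERPRINT_RE = re.compile(
    r"^a=fingerprint:(\S+)\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)$")
SETUP_RE = re.compile(r"^a=setup:(active|passive|actpass|holdconn)$")
SCTP_PORT_RE = re.compile(r"^a=sctp-port:(\d{1,5})$")

# Offer/answer role pairs that yield exactly one DTLS client.
COMPATIBLE_ROLES = {("active", "passive"), ("passive", "active"),
                    ("actpass", "active"), ("actpass", "passive")}


def _check_port(port: int) -> int:
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def olc_to_sdp_offer(hash_name: str, fingerprint: str, sctp_port: int,
                     role: str) -> str:
    """Gateway, H.323 -> SIP direction: the target hash function, fingerprint
    information, role and port number #A from the Open Logical Channel message
    become the SDP offer body for terminal device #B."""
    if role not in ("active", "passive", "actpass"):
        raise ValueError(f"unknown role: {role}")
    fp_line = f"a=fingerprint:{hash_name} {fingerprint}"
    if not FINGERPRINT_RE.match(fp_line):
        raise ValueError("malformed hash name or fingerprint")
    lines = [
        "v=0",
        "o=gateway 1 1 IN IP4 0.0.0.0",
        "s=-",
        "t=0 0",
        "m=application 9 UDP/DTLS/SCTP webrtc-datachannel",
        "c=IN IP4 0.0.0.0",
        fp_line,
        f"a=setup:{role}",
        f"a=sctp-port:{_check_port(sctp_port)}",
    ]
    return "\r\n".join(lines) + "\r\n"


def sdp_answer_to_olc_ack(sdp_answer: str, offered_hash: str,
                          offered_role: str) -> dict:
    """Gateway, SIP -> H.323 direction: extract from the SDP answer the fields
    that go back to terminal device #A in the Open Logical Channel Ack, namely
    terminal device #B's fingerprint under the offered hash function (the
    confirmation), its role and port number #B. An answer that switches hash
    function, picks a clashing role or omits a field is rejected, so nothing
    half-negotiated is ever forwarded."""
    ack = {}
    for raw in sdp_answer.splitlines():
        line = raw.strip()
        if m := FINGERPRINT_RE.match(line):
            if m.group(1).lower() != offered_hash.lower():
                raise ValueError(
                    f"answer uses {m.group(1)}, offer required {offered_hash}")
            ack["hash"] = offered_hash.lower()
            ack["fingerprint"] = m.group(2).upper()
        elif m := SETUP_RE.match(line):
            ack["role"] = m.group(1)
        elif m := SCTP_PORT_RE.match(line):
            ack["sctp_port"] = _check_port(int(m.group(1)))
    missing = {"hash", "fingerprint", "role", "sctp_port"} - set(ack)
    if missing:
        raise ValueError(f"answer incomplete, missing {sorted(missing)}")
    if (offered_role, ack["role"]) not in COMPATIBLE_ROLES:
        raise ValueError(f"role clash: offer {offered_role}, answer {ack['role']}")
    return ack


# Constructed SDP answer from terminal device #B (not a captured message).
SAMPLE_ANSWER_FROM_B = "\r\n".join([
    "v=0",
    "o=terminalB 2 2 IN IP4 0.0.0.0",
    "s=-",
    "t=0 0",
    "m=application 9 UDP/DTLS/SCTP webrtc-datachannel",
    "c=IN IP4 0.0.0.0",
    "a=fingerprint:sha-256 " + ":".join(["AB"] * 32),
    "a=setup:passive",
    "a=sctp-port:5001",
]) + "\r\n"


if __name__ == "__main__":
    offer = olc_to_sdp_offer("sha-256", ":".join(["01"] * 32), 5000, "active")
    print(offer)
    print(sdp_answer_to_olc_ack(SAMPLE_ANSWER_FROM_B, "sha-256", "active"))
```

The gateway only re-encodes what it received from terminal device #A; it never computes or alters a fingerprint itself, which keeps it out of the certificate check even though it sits in the signalling path.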
It should be noted that the above describes the negotiation of a hash function between terminal device #A and terminal device #B in order to establish the DTLS connection, but the present invention is not limited thereto: other parameters used for establishing the DTLS connection can likewise be determined through a negotiation process between terminal device #A and terminal device #B, and that negotiation process is similar to the negotiation process listed in method 400 above.
According to the method for transmitting data of the embodiment of the present invention, a first terminal device using the H.323 protocol and a second terminal device using SIP negotiate a hash function and fingerprint information via a gateway device, so that a DTLS protocol connection based on that hash function and fingerprint information can be established between the first terminal device and the second terminal device and the two can transmit data over that DTLS protocol connection. The security authentication mechanism of the DTLS protocol can thus be used effectively to improve the security of the transmitted data, and the DTLS protocol becomes applicable to terminal devices that use the H.323 protocol, which improves the reliability and practicality of the terminal devices and improves the user experience.
FIG. 5 is a schematic flowchart of a method 500 for transmitting data according to still another embodiment of the present invention, described from the perspective of the second terminal device (a device that communicates with the first terminal device using the H.323 protocol, for example terminal device #2 above). The method 500 is applied to a communication system including a first terminal device and a second terminal device, where the first terminal device and the second terminal device communicate with each other through the H.323 protocol. As shown in FIG. 5, the method 500 includes:
S510: the second terminal device sends, according to the H.323 protocol, a first hash function list to the first terminal device, the first hash function list including at least one hash function supported by the second terminal device;
S520: the second terminal device receives, according to the H.323 protocol, a target hash function sent by the first terminal device together with fingerprint information corresponding to the target hash function, where the target hash function is determined by the first terminal device from the first hash function list and belongs to the hash functions supported by the first terminal device; and
S530: the second terminal device establishes a Datagram Transport Layer Security (DTLS) protocol connection with the first terminal device according to the target hash function and the fingerprint information, to transmit data to and from the first terminal device over the DTLS protocol connection.
Optionally, before the second terminal device receives, according to the H.323 protocol, the target hash function sent by the first terminal device and the fingerprint information corresponding to the target hash function, the method further includes:
the second terminal device sending, according to the H.323 protocol, role indication information to the first terminal device, the role indication information indicating the role or roles supported by the second terminal device, the role being at least one of "active" and "passive", so that the first terminal device determines the target hash function from the first hash function list when it determines that the roles supported by the first terminal device include "active" and the roles supported by the second terminal device include "passive".
Optionally, the role indication information and the first hash function list are carried in the same message.
Optionally, the target hash function is determined by the first terminal device from the first hash function list according to the hash functions that the first terminal device itself supports.
Optionally, before the second terminal device receives, according to the H.323 protocol, the target hash function sent by the first terminal device and the fingerprint information corresponding to the target hash function, the method further includes:
the second terminal device receiving, according to the H.323 protocol, a second hash function list sent by the first terminal device, the second hash function list including at least one hash function supported by the first terminal device; and
the second terminal device determining the first hash function list according to the second hash function list, so that the hash functions included in the first hash function list belong to the second hash function list.
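As an added example (not from the patent), the list handling of S510 and the optional steps above as a pure function of each terminal's capabilities, in Python: the second terminal device reduces the second hash function list it received to the subset it supports (the first hash function list), the first terminal device picks the target hash function from that list only when the role rule is met (it can be "active" and the peer can be "passive"), and the second terminal device confirms only a target it actually supports rather than trusting that the peer chose from the list. The preference order applied when several functions are common, and the function names, are assumptions of this example; the page fixes neither.

```python
# Preference order applied when more than one hash function is common to both
# lists; the page fixes no order, so this is an assumption of the example, as
# are the function names.
PREFERENCE = ("sha-512", "sha-384", "sha-256", "sha-224", "sha-1")


def build_first_hash_list(second_hash_list, second_device_supported):
    """Second terminal device: the first hash function list is the part of the
    received second hash function list that it supports itself, so every entry
    belongs to the second hash function list. Order of receipt is kept."""
    supported = set(second_device_supported)
    return [h for h in second_hash_list if h in supported]


def select_target_hash(first_hash_list, first_device_supported,
                       first_roles, second_roles):
    """First terminal device: choose the target hash function from the first
    hash function list, but only if it can take the "active" role and the
    second terminal device can take "passive". Returns None when no function
    is usable or the roles rule the connection out."""
    if "active" not in first_roles or "passive" not in second_roles:
        return None
    candidates = set(first_hash_list) & set(first_device_supported)
    for h in PREFERENCE:
        if h in candidates:
            return h
    return None


def confirm_target(target_hash, second_device_supported):
    """Second terminal device on receiving the target hash function: confirm
    only a function it actually supports. It must not rely on the peer having
    chosen from the list it was sent; a mis-negotiated or forged target is
    simply not acknowledged and no DTLS connection follows."""
    return target_hash in set(second_device_supported)


def negotiate(first_supported, first_roles, second_supported, second_roles):
    """The exchange of method 500 end to end. Returns (target_hash, confirmed);
    target_hash is None when negotiation fails."""
    # first -> second: the second hash function list (all of #1's functions)
    second_hash_list = list(first_supported)
    # second -> first: the first hash function list plus role indication
    first_hash_list = build_first_hash_list(second_hash_list, second_supported)
    # first: pick the target (it would be sent together with the fingerprint)
    target = select_target_hash(first_hash_list, first_supported,
                                first_roles, second_roles)
    if target is None:
        return None, False
    # second -> first: confirmation information
    return target, confirm_target(target, second_supported)


if __name__ == "__main__":
    print(negotiate(["sha-256", "sha-1"], {"active"},
                    ["sha-1", "sha-256", "sha-512"], {"passive"}))
    print(negotiate(["sha-256"], {"passive"}, ["sha-256"], {"passive"}))
```

Two failure modes are made explicit: two terminals that can both only be "passive" (or both only "active") get no target at all, and a target outside the second terminal's own list is not confirmed even if the first terminal claims it came from the list.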
可选地,在该第二终端设备根据该目标哈希函数和该指纹信息与该第一终端设备建立DTLS协议连接之前,该方法还包括:Optionally, before the second terminal device establishes a DTLS protocol connection with the first terminal device according to the target hash function and the fingerprint information, the method further includes:
该第二终端设备根据该H.323协议,向该第二终端设备发送的确认信息,该确认信息用于指示该第二终端设备支持该目标哈希函数和该指纹信息。The confirmation information sent by the second terminal device to the second terminal device according to the H.323 protocol, the confirmation information is used to indicate that the second terminal device supports the target hash function and the fingerprint information.
可选地,该第一哈希函数列表承载于终端能力集消息,以及Optionally, the first hash function list is carried in a terminal capability set message, and
该目标哈希函数和该指纹信息承载于开启逻辑信道消息。The target hash function and the fingerprint information are carried on the open logical channel message.
可选地,该方法还包括:Optionally, the method further includes:
该第二终端设备接收该第一终端设备发送的第一端口号,该第一端口号是该DTLS协议连接提供的端口号中该第一终端设备所使用的用于建立流控制传输协议SCTP连接的端口号;The second terminal device receives the first port number sent by the first terminal device, where the first port number is used by the first terminal device in the port number provided by the DTLS protocol connection to establish a flow control transmission protocol SCTP connection. Port number;
该第二终端设备向该第一终端设备发送第二端口号,该第二端口号是该DTLS协议连接提供的端口号中该第二终端设备所使用的用于建立SCTP连接的端口号;The second terminal device sends a second port number to the first terminal device, where the second port number is a port number used by the second terminal device to establish an SCTP connection in the port number provided by the DTLS protocol connection;
该第二终端设备根据该第一端口号和该第二端口号与该第一终端设备 建立SCTP连接,以通过该SCTP连接与第一终端设备之间传输数据。The second terminal device and the first terminal device according to the first port number and the second port number An SCTP connection is established to transfer data between the first terminal device through the SCTP connection.
可选地,该第一端口号承载于开启逻辑信道消息,以及Optionally, the first port number is carried in the open logical channel message, and
该第二端口号承载于开启逻辑信道确认消息。The second port number is carried in the open logical channel acknowledgement message.
可选地,该第一端口号与该目标哈希函数及该指纹信息承载于同一消息。Optionally, the first port number is carried in the same message as the target hash function and the fingerprint information.
在该方法500中,第二终端设备的动作与上述方法200中终端设备#2的动作相似,第一终端设备的动作与上述方法200中终端设备#1的动作相似,为了避免赘述,省略其详细说明。In the method 500, the action of the second terminal device is similar to the action of the terminal device #2 in the method 200, and the action of the first terminal device is similar to the action of the terminal device #1 in the method 200, and is omitted in order to avoid redundancy. Detailed description.
根据本发明实施例的用于传输数据的方法,通过使第一终端设备基于H.323协议来与第二终端设备协商哈希函数和指纹信息,能够在第一终端设备和第二终端设备之间建立基于该哈希函数和指纹信息的DTLS协议连接,从而在第一终端设备和第二终端设备能够通过该DTLS协议连接传输数据,进而能够有效利用DTLS协议的安全认证机制提高传输数据的安全性,并且能够使DTLS协议适用于使用H.323协议的终端设备,进而提高终端设备的可靠性和实用性,改善用户体验。According to the method for transmitting data according to the embodiment of the present invention, the first terminal device can negotiate the hash function and the fingerprint information with the second terminal device based on the H.323 protocol, and can be in the first terminal device and the second terminal device. A DTLS protocol connection based on the hash function and the fingerprint information is established, so that the first terminal device and the second terminal device can transmit data through the DTLS protocol connection, thereby effectively utilizing the DTLS protocol security authentication mechanism to improve the security of the transmission data. And can make the DTLS protocol applicable to terminal devices using the H.323 protocol, thereby improving the reliability and practicability of the terminal device and improving the user experience.
图6示出了从第一终端设备(即,使用H.323协议经由网关设备与使用SIP的终端设备进行通信的设备,例如,上述终端设备#X)角度描述的根据本发明再一实施例的传输数据的方法600的示意性流程图,该方法600应用于包括第一终端设备、第二终端设备和网关设备的通信系统中,该第一终端设备与该网关设备之间通过H.323协议通信,该第二终端设备与该网关设备之间通过会话初始化协议SIP通信,如图6所示,该方法600包括:6 shows a further embodiment according to the present invention from the perspective of a first terminal device (ie, a device that communicates with a terminal device using SIP via a gateway device using a H.323 protocol, eg, the terminal device #X described above) A schematic flowchart of a method 600 for transmitting data, the method 600 being applied to a communication system including a first terminal device, a second terminal device, and a gateway device, the first terminal device and the gateway device passing the H.323 In the protocol communication, the second terminal device communicates with the gateway device through the session initiation protocol SIP. As shown in FIG. 6, the method 600 includes:
S610,该第一终端设备接收该网关设备发送的第一哈希函数列表,其中,该第一哈希函数列表中记录有该第二终端设备发送给该网关设备的至少一个第一哈希函数,该第一哈希函数属于该第二终端设备所支持的哈希函数,从该第一哈希函数列表中确定目标第一哈希函数,并确定与该目标第一哈希函数相对应的第一指纹信息,其中,该目标第一哈希函数属于该第一终端设备支持的哈希函数,该目标第一哈希函数和该第一指纹信息用于对该第一终端设备进行认证,向该网关设备发送该目标第一哈希函数和该第一指纹信息,以便于该网关设备将该目标第一哈希函数和该第一指纹信息发送给该第二终端设备;S610, the first terminal device receives the first hash function list sent by the gateway device, where the first hash function list records at least one first hash function sent by the second terminal device to the gateway device. The first hash function belongs to a hash function supported by the second terminal device, and the target first hash function is determined from the first hash function list, and the first hash function corresponding to the target is determined. a first fingerprint information, wherein the target first hash function belongs to a hash function supported by the first terminal device, and the target first hash function and the first fingerprint information are used to authenticate the first terminal device, Sending the target first hash function and the first fingerprint information to the gateway device, so that the gateway device sends the target first hash function and the first fingerprint information to the second terminal device;
S620,该第一终端设备向该网关设备发送第二哈希函数列表,该第二哈 希函数列表包括该第一终端设备所支持的至少一个第二哈希函数,接收该网关设备发送的目标第二哈希函数和第二指纹信息,其中,该目标第二哈希函数是该第二终端设备从该网关设备发送的该第二哈希函数的部分或全部中确定的,且该目标第二哈希函数属于该第二终端设备支持的哈希函数,该第二指纹信息是与该目标第二哈希函数相对应的指纹信息,该目标第二哈希函数和该第二指纹信息用于对该第二终端设备进行认证;S620, the first terminal device sends a second hash function list to the gateway device, where the second The hash function list includes at least one second hash function supported by the first terminal device, and receives the target second hash function and the second fingerprint information sent by the gateway device, where the target second hash function is the first The second terminal device is determined from part or all of the second hash function sent by the gateway device, and the target second hash function belongs to a hash function supported by the second terminal device, and the second fingerprint information is a fingerprint information corresponding to the target second hash function, where the target second hash function and the second fingerprint information are used to authenticate the second terminal device;
S630,该第一终端设备根据该目标第一哈希函数、该第一指纹信息、该目标第二哈希函数和该第二指纹信息与该第二终端设备进行认证处理,以建立数据包传输层安全性协议DTLS协议连接,并通过该DTLS协议连接与第二终端设备之间传输数据。S630, the first terminal device performs authentication processing with the second terminal device according to the target first hash function, the first fingerprint information, the target second hash function, and the second fingerprint information, to establish a data packet transmission. The layer security protocol DTLS protocol is connected, and the data is transmitted between the second terminal device through the DTLS protocol connection.
可选地,该方法还包括:Optionally, the method further includes:
该第一终端设备向该网关设备发送第一端口号,该第一端口号是该第一终端设备所使用的用于建立基于该DTLS协议连接的流控制传输协议SCTP连接的端口号,以便于该网关设备将该第一端口号发送给该第二终端设备;The first terminal device sends a first port number to the gateway device, where the first port number is a port number used by the first terminal device to establish a flow control transport protocol SCTP connection based on the DTLS protocol connection, so as to facilitate The gateway device sends the first port number to the second terminal device;
该第一终端设备接收该网关设备发送的第二端口号,该第二端口号是该第二终端设备发送给该网关设备的,且该第二端口号是该第二终端设备所使用的用于建立基于该DTLS协议连接的SCTP连接的端口号;Receiving, by the first terminal device, a second port number sent by the gateway device, where the second port number is sent by the second terminal device to the gateway device, and the second port number is used by the second terminal device a port number for establishing an SCTP connection based on the DTLS protocol connection;
the first terminal device establishes an SCTP connection with the second terminal device according to the first port number and the second port number, so as to transmit data with the second terminal device over the SCTP connection on the DTLS protocol connection.
Optionally, before the first terminal device performs the authentication process with the second terminal device according to the target first hash function, the first fingerprint information, the target second hash function and the second fingerprint information, the method further includes:
the first terminal device sends first role indication information to the gateway device, where the first role indication information is used to indicate the role supported by the first terminal device, the role being at least one of "active" and "passive", so that the gateway device sends the first role indication information to the second terminal device;
the first terminal device receives second role indication information sent by the gateway device, where the second role indication information was sent by the second terminal device to the gateway device and is used to indicate the role supported by the second terminal device; and
the first terminal device performing the authentication process with the second terminal device according to the target first hash function, the first fingerprint information, the target second hash function and the second fingerprint information includes:
the first terminal device performs the authentication process with the second terminal device according to the target first hash function, the first fingerprint information, the target second hash function, the second fingerprint information, the role supported by the first terminal device and the role supported by the second terminal device.
In method 600, the actions of the first terminal device are similar to those of terminal device #X in method 300 above, the actions of the second terminal device are similar to those of terminal device #Y in method 300, and the actions of the gateway device are similar to those of the gateway device in method 300; to avoid repetition, their detailed description is omitted.
With the method 600 for transmitting data according to this embodiment of the present invention, a first terminal device using the H.323 protocol and a second terminal device using SIP negotiate a hash function and fingerprint information through a gateway device, so that a DTLS protocol connection based on that hash function and fingerprint information can be established between the first terminal device and the second terminal device, and the two devices can transmit data over that DTLS protocol connection. The security authentication mechanism of the DTLS protocol is thereby used effectively to improve the security of the transmitted data; moreover, the data does not have to be forwarded by the gateway device, which reduces the load on the gateway device, improves the transmission performance of the system and improves the user experience.
FIG. 7 is a schematic flowchart of a method 700 for transmitting data according to yet another embodiment of the present invention, described from the perspective of a first terminal device (that is, a device that uses the H.323 protocol and communicates via a gateway device with a terminal device using SIP, for example terminal device #A above). The method 700 is applied to a communication system including a first terminal device, a second terminal device and a gateway device, where the first terminal device communicates with the gateway device through the H.323 protocol and the second terminal device communicates with the gateway device through the Session Initiation Protocol SIP. As shown in FIG. 7, the method 700 includes:
the first terminal device sends a hash function list to the gateway device, where the hash function list includes at least one hash function supported by the first terminal device, so that the gateway device performs negotiation processing with the second terminal device according to the hash function list in order to determine at least one candidate hash function from the hash function list, where the candidate hash function belongs to the hash functions supported by the second terminal device;
the first terminal device receives the candidate hash function sent by the gateway device;
the first terminal device determines a target hash function from the candidate hash function and determines fingerprint information corresponding to the target hash function;
the first terminal device sends the target hash function and the fingerprint information to the gateway device, so that the gateway device forwards the target hash function and the fingerprint information to the second terminal device;
the first terminal device establishes a Datagram Transport Layer Security DTLS protocol connection with the second terminal device according to the target hash function and the fingerprint information, so as to transmit data over the DTLS protocol connection.
Optionally, the candidate hash function is determined by the gateway device according to a verification message sent by the second terminal device, where the verification message is used to indicate whether a hash function to be verified, sent by the gateway device to the second terminal device, belongs to the hash functions supported by the second terminal device, the hash function to be verified being any hash function in the hash function list.
Optionally, the candidate hash function is determined by the gateway device according to the hash function to be verified when the gateway device determines that the verification message carries the hash function to be verified.
Optionally, the hash function to be verified that the gateway device sends to the second terminal device is carried in the Session Description Protocol offer (SDP Offer) message body of a SIP message sent by the gateway device to the second terminal device,
the verification message sent by the second terminal device to the gateway device is a SIP message, and the hash function to be verified that the second terminal device sends to the gateway device is carried in the SDP Answer message body of that SIP message.
Optionally, the hash function list sent by the first terminal device to the gateway device is carried in a terminal capability set message sent by the first terminal device to the gateway device,
the candidate hash function sent by the gateway device to the first terminal device is carried in a terminal capability set message sent by the gateway device to the first terminal device,
and the target hash function and the fingerprint information sent by the first terminal device to the gateway device are carried in an open logical channel message sent by the first terminal device to the gateway device.
Optionally, before the first terminal device establishes the Datagram Transport Layer Security DTLS protocol connection with the second terminal device according to the target hash function and the fingerprint information, the method further includes:
the first terminal device receives confirmation information sent by the gateway device, where the confirmation information was sent by the second terminal device to the gateway device and is used to indicate that the second terminal device supports the target hash function and the fingerprint information; and
the first terminal device establishing the Datagram Transport Layer Security DTLS protocol connection with the second terminal device according to the target hash function and the fingerprint information includes:
the first terminal device, on the basis of the confirmation information, establishes the DTLS protocol connection with the second terminal device according to the target hash function and the fingerprint information.
Optionally, the confirmation information sent by the gateway device to the first terminal device is carried in an open logical channel response message sent by the gateway device to the first terminal device.
Optionally, the method further includes:
the first terminal device sends a first port number to the gateway device, so that the gateway device forwards the first port number to the second terminal device, where the first port number is, among the port numbers provided by the DTLS protocol connection, the port number used by the first terminal device to establish a Stream Control Transmission Protocol SCTP connection;
the first terminal device receives a second port number sent by the gateway device, where the second port number was sent by the second terminal device to the gateway device and is, among the port numbers provided by the DTLS protocol connection, the port number used by the second terminal device to establish the SCTP connection;
the first terminal device establishes an SCTP connection with the second terminal device according to the first port number and the second port number, so as to transmit data over the SCTP connection.
Optionally, the first port number sent by the first terminal device to the gateway device is carried in an open logical channel message,
and the second port number sent by the gateway device to the first terminal device is carried in an open logical channel response message.
Optionally, the first port number, the target hash function and the fingerprint information sent by the first terminal device to the gateway device are carried in the same message.
In method 700, the actions of the first terminal device are similar to those of terminal device #A in method 400 above, the actions of the second terminal device are similar to those of terminal device #B in method 400, and the actions of the gateway device are similar to those of the gateway device in method 700 above; to avoid repetition, their detailed description is omitted.
With the method 700 for transmitting data according to this embodiment of the present invention, a first terminal device using the H.323 protocol and a second terminal device using SIP negotiate a hash function and fingerprint information through a gateway device, so that a DTLS protocol connection based on that hash function and fingerprint information can be established between the first terminal device and the second terminal device, and the two devices can transmit data over that DTLS protocol connection. The security authentication mechanism of the DTLS protocol is thereby used effectively to improve the security of the transmitted data; moreover, the data does not have to be forwarded by the gateway device, which reduces the load on the gateway device, improves the transmission performance of the system and improves the user experience.
The method for transmitting data according to the embodiments of the present invention has been described in detail above with reference to FIG. 1 to FIG. 7. The apparatus for transmitting data according to the embodiments of the present invention is described in detail below with reference to FIG. 8 to FIG. 14.
FIG. 8 is a schematic block diagram of an apparatus 800 for transmitting data according to an embodiment of the present invention. The apparatus 800 is configured in a communication system including the apparatus 800 and a second terminal device, the apparatus 800 communicates with the second terminal device through the H.323 protocol, and the apparatus 800 includes:
a receiving unit 810, configured to receive a first hash function list sent by the second terminal device, where the first hash function list includes at least one hash function supported by the second terminal device;
a processing unit 820, configured to determine a first hash function from the first hash function list and to determine first fingerprint information corresponding to the first hash function;
a sending unit 830, configured to send the first hash function and the first fingerprint information to the second terminal device, where the first hash function belongs to the hash functions supported by the apparatus, and the first hash function and the first fingerprint information are used for authentication of the apparatus;
the sending unit 830 is further configured to send a second hash function list to the second terminal device, where the second hash function list includes at least one hash function supported by the apparatus;
the receiving unit 810 is further configured to receive a second hash function and second fingerprint information sent by the second terminal device, where the second hash function is determined by the second terminal device from the second hash function list and belongs to the hash functions supported by the apparatus, the second fingerprint information is fingerprint information corresponding to the second hash function, and the second hash function and the second fingerprint information are used for authenticating the second terminal device;
the processing unit 820 is further configured to perform authentication processing with the second terminal device according to the first hash function, the first fingerprint information, the second hash function and the second fingerprint information, so as to establish a Datagram Transport Layer Security DTLS protocol connection and transmit data with the second terminal device over the DTLS protocol connection.
Optionally, the sending unit is further configured to send a first port number to the second terminal device, where the first port number is the port number used by the apparatus to establish a Stream Control Transmission Protocol SCTP connection based on the DTLS protocol connection;
the receiving unit is further configured to receive a second port number sent by the second terminal device, where the second port number is the port number used by the second terminal device to establish the SCTP connection based on the DTLS protocol connection;
the processing unit is further configured to establish an SCTP connection with the second terminal device according to the first port number and the second port number, so as to transmit data with the second terminal device over the SCTP connection on the DTLS protocol connection.
Optionally, the sending unit is further configured to send first role indication information to the second terminal device, where the first role indication information is used to indicate the role supported by the apparatus, the role being at least one of "active" and "passive";
the receiving unit is further configured to receive second role indication information sent by the second terminal device, where the second role indication information is used to indicate the role supported by the second terminal device; and
the processing unit is specifically configured to perform the authentication processing with the second terminal device according to the first hash function, the first fingerprint information, the second hash function, the second fingerprint information, the role supported by the apparatus and the role supported by the second terminal device.
The apparatus 800 for transmitting data according to this embodiment of the present invention may correspond to the first terminal device in the method of the embodiment of the present invention (for example, terminal device #α above), and the units, that is, the modules, of the apparatus 800 for transmitting data and the other operations and/or functions described above are respectively intended to implement the corresponding procedures of method 100 in FIG. 1; for brevity, they are not described again here.
With the apparatus for transmitting data according to this embodiment of the present invention, the first terminal device and the second terminal device negotiate a hash function and fingerprint information based on the H.323 protocol, so that a DTLS protocol connection based on that hash function and fingerprint information can be established between the first terminal device and the second terminal device, and the two devices can transmit data over that DTLS protocol connection. The security authentication mechanism of the DTLS protocol is thereby used effectively to improve the security of the transmitted data, and the DTLS protocol is made applicable to terminal devices using the H.323 protocol, which improves the reliability and practicability of the terminal devices and improves the user experience.
FIG. 9 is a schematic block diagram of an apparatus 900 for transmitting data according to an embodiment of the present invention. The apparatus 900 is configured in a communication system including the apparatus 900 and a second terminal device, the apparatus 900 communicates with the second terminal device through the H.323 protocol, and the apparatus 900 includes:
a receiving unit 910, configured to receive a first hash function list sent by the second terminal device, where the first hash function list includes at least one hash function supported by the second terminal device;
a processing unit 920, configured to determine a target hash function from the first hash function list and to determine fingerprint information corresponding to the target hash function, where the target hash function belongs to the hash functions supported by the apparatus;
a sending unit 930, configured to send the target hash function and the fingerprint information to the second terminal device;
the processing unit 940 is further configured to perform authentication processing with the second terminal device according to the target hash function and the fingerprint information, so as to establish a Datagram Transport Layer Security DTLS protocol connection and transmit data with the second terminal device over the DTLS protocol connection.
Optionally, the receiving unit is further configured to receive role indication information sent by the second terminal device, where the role indication information is used to indicate the role supported by the second terminal device, the role being at least one of "active" and "passive";
the processing unit is further configured to determine, according to the role indication information, the role supported by the second terminal device, and to determine the target hash function from the first hash function list when it determines that the role supported by the apparatus includes "active" and the role supported by the second terminal device includes "passive".
Optionally, the processing unit is specifically configured to determine the target hash function from the first hash function list according to the hash functions supported by the apparatus itself.
Optionally, the sending unit is further configured to send a second hash function list to the second terminal device, where the second hash function list includes at least one hash function supported by the apparatus, so that the second terminal device determines the first hash function list according to the second hash function list, where the hash functions included in the first hash function list belong to the second hash function list; and
the processing unit is specifically configured to determine any hash function in the first hash function list as the target hash function.
Optionally, the sending unit is further configured to send a first port number to the second terminal device, where the first port number is the port number used by the apparatus to establish a Stream Control Transmission Protocol SCTP connection based on the DTLS protocol connection;
the receiving unit is further configured to receive a second port number sent by the second terminal device, where the second port number is the port number used by the second terminal device to establish the SCTP connection based on the DTLS protocol connection;
the processing unit is further configured to establish an SCTP connection with the second terminal device according to the first port number and the second port number, so as to transmit data with the second terminal device over the SCTP connection on the DTLS protocol connection.
The apparatus 900 for transmitting data according to this embodiment of the present invention may correspond to the first terminal device in the method of the embodiment of the present invention (for example, terminal device #1 above), and the units, that is, the modules, of the apparatus 900 for transmitting data and the other operations and/or functions described above are respectively intended to implement the corresponding procedures of method 200 in FIG. 2; for brevity, they are not described again here.
With the apparatus for transmitting data according to this embodiment of the present invention, the first terminal device and the second terminal device negotiate a hash function and fingerprint information based on the H.323 protocol, so that a DTLS protocol connection based on that hash function and fingerprint information can be established between the first terminal device and the second terminal device, and the two devices can transmit data over that DTLS protocol connection. The security authentication mechanism of the DTLS protocol is thereby used effectively to improve the security of the transmitted data, and the DTLS protocol is made applicable to terminal devices using the H.323 protocol, which improves the reliability and practicability of the terminal devices and improves the user experience.
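The gateway-mediated negotiation of method 700 and the role rule of apparatus 900, modelled as an added Python example that is not part of the patent: the gateway checks the H.323 terminal's hash function list against the SIP terminal one function at a time through SDP Offer/Answer, the H.323 terminal picks the target hash function and fingerprints its certificate with it, and the peer verifies that fingerprint against the certificate it actually sees in the DTLS handshake. The SDP hash-name spelling, the hashlib mapping, the preference order and the byte-string "certificates" are assumptions of the example, not details fixed by the patent.

```python
from __future__ import annotations

import hashlib
from typing import Optional

# Hash names as they are spelled in SDP a=fingerprint attributes, mapped to hashlib
# names.  The mapping is an assumption of this example; the patent only says that
# a list of supported hash functions is exchanged.
HASH_ALGOS = {"sha-1": "sha1", "sha-256": "sha256", "sha-512": "sha512"}


def sdp_answer_for(hash_to_verify: str, sip_supported: list[str]) -> Optional[str]:
    """SIP terminal side.  The gateway places one hash function to be verified in
    the SDP Offer; the terminal's SDP Answer carries it back only if the terminal
    supports it.  None models an Answer that omits the function."""
    return hash_to_verify if hash_to_verify in sip_supported else None


def gateway_negotiate(hash_list: list[str], sip_supported: list[str]) -> list[str]:
    """Gateway side.  Walk the list received from the H.323 terminal (in its
    terminal capability set message) and keep each function whose Answer carried
    it.  The result is the candidate list returned to the H.323 terminal."""
    candidates = []
    for hash_to_verify in hash_list:
        answered = sdp_answer_for(hash_to_verify, sip_supported)
        if answered is not None:
            candidates.append(answered)
    return candidates


def fingerprint(cert_der: bytes, hash_name: str) -> str:
    """Certificate fingerprint under the named hash, written as colon-separated
    upper-case hex the way SDP a=fingerprint lines carry it."""
    digest = hashlib.new(HASH_ALGOS[hash_name], cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def choose_target(candidates: list[str], own_preference: list[str],
                  cert_der: bytes) -> tuple[str, str]:
    """H.323 terminal side.  Pick the first candidate in the terminal's own
    preference order and compute the fingerprint of its own certificate with it;
    both then go into the open logical channel message.  Raises if the two
    terminals share no hash function: no DTLS connection can be set up on
    this basis and the caller must not fall back silently."""
    for hash_name in own_preference:
        if hash_name in candidates:
            return hash_name, fingerprint(cert_der, hash_name)
    raise ValueError("no hash function common to both terminals")


def peer_verifies(presented_cert: bytes, target_hash: str, announced_fp: str) -> bool:
    """Check done by the other terminal during the DTLS handshake: the certificate
    presented on the wire must hash, under the negotiated function, to exactly
    the fingerprint that was signalled through the gateway.  Any mismatch (a
    different certificate, or a hash the terminal does not support) rejects
    the handshake."""
    if target_hash not in HASH_ALGOS:
        return False
    return fingerprint(presented_cert, target_hash) == announced_fp


def may_select_target(own_roles: set[str], peer_roles: set[str]) -> bool:
    """Role rule of apparatus 900: a terminal selects the target hash function
    only when it supports "active" and its peer supports "passive"."""
    return "active" in own_roles and "passive" in peer_roles


def run_method_700(h323_list: list[str], sip_supported: list[str],
                   h323_cert: bytes, cert_seen_by_sip_peer: bytes) -> dict:
    """Whole exchange end to end.  Returns what each side ended up with so the
    outcome can be inspected; 'handshake_ok' is the SIP peer's verdict."""
    candidates = gateway_negotiate(h323_list, sip_supported)
    target, fp = choose_target(candidates, h323_list, h323_cert)
    return {
        "candidates": candidates,
        "target_hash": target,
        "fingerprint": fp,
        "handshake_ok": peer_verifies(cert_seen_by_sip_peer, target, fp),
    }


if __name__ == "__main__":
    # Constructed sample inputs: the "certificates" are plain byte strings
    # standing in for DER-encoded X.509 certificates.
    result = run_method_700(
        h323_list=["sha-256", "sha-1"],
        sip_supported=["sha-512", "sha-256"],
        h323_cert=b"constructed H.323 terminal certificate",
        cert_seen_by_sip_peer=b"constructed H.323 terminal certificate",
    )
    print(result)
```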
FIG. 10 is a schematic block diagram of an apparatus 1000 for transmitting data according to an embodiment of the present invention. The apparatus 1000 is configured in a communication system including a first terminal device and the apparatus 1000, the apparatus 1000 communicates with the first terminal device through the H.323 protocol, and the apparatus 1000 includes:
a sending unit 1100, configured to send a first hash function list to the first terminal device, where the first hash function list includes at least one hash function supported by the apparatus;
a receiving unit 1200, configured to receive a target hash function sent by the first terminal device and fingerprint information corresponding to the target hash function, where the target hash function is determined by the first terminal device from the first hash function list and belongs to the hash functions supported by the first terminal device;
a processing unit 1300, configured to perform authentication processing with the first terminal device according to the target hash function and the fingerprint information, so as to establish a Datagram Transport Layer Security DTLS protocol connection and transmit data between the apparatus and the first terminal device over the DTLS protocol connection.
Optionally, the sending unit is further configured to send role indication information to the first terminal device, where the role indication information is used to indicate the role supported by the apparatus, the role being at least one of "active" or "passive", so that the first terminal device determines the target hash function from the first hash function list when it determines that the role supported by the first terminal device includes "active" and the role supported by the apparatus includes "passive".
Optionally, the target hash function is determined by the first terminal device from the first hash function list according to the hash functions supported by the first terminal device itself.
Optionally, the receiving unit is further configured to receive a second hash function list sent by the first terminal device, where the second hash function list includes at least one hash function supported by the first terminal device;
the processing unit is further configured to determine the first hash function list according to the second hash function list, so that the hash functions included in the first hash function list belong to the second hash function list.
Optionally, the receiving unit is further configured to receive a first port number sent by the first terminal device, where the first port number is the port number used by the first terminal device to establish a Stream Control Transmission Protocol SCTP connection based on the DTLS protocol connection;
the sending unit is further configured to send a second port number to the first terminal device, where the second port number is the port number used by the apparatus to establish the SCTP connection based on the DTLS protocol connection;
the processing unit is further configured to establish an SCTP connection with the first terminal device according to the first port number and the second port number, so as to transmit data with the first terminal device over the SCTP connection on the DTLS protocol connection.
The apparatus 1000 for transmitting data according to this embodiment of the present invention may correspond to the second terminal device in the method of the embodiment of the present invention (for example, terminal device #2 above), and the units, that is, the modules, of the apparatus 1000 for transmitting data and the other operations and/or functions described above are respectively intended to implement the corresponding procedures of method 500 in FIG. 5; for brevity, they are not described again here.
With the apparatus for transmitting data according to this embodiment of the present invention, the first terminal device and the second terminal device negotiate a hash function and fingerprint information based on the H.323 protocol, so that a DTLS protocol connection based on that hash function and fingerprint information can be established between the first terminal device and the second terminal device, and the two devices can transmit data over that DTLS protocol connection. The security authentication mechanism of the DTLS protocol is thereby used effectively to improve the security of the transmitted data, and the DTLS protocol is made applicable to terminal devices using the H.323 protocol, which improves the reliability and practicability of the terminal devices and improves the user experience.
FIG. 11 is a schematic block diagram of an apparatus 1100 for transmitting data according to an embodiment of the present invention. The apparatus 1100 is configured in a communication system including a first terminal device, a second terminal device and the apparatus, the apparatus 1100 communicates with the first terminal device through the H.323 protocol and with the second terminal device through SIP, and the apparatus 1100 includes:
a receiving unit 1110, configured to receive at least one first hash function sent by the second terminal device, where the first hash function belongs to the hash functions supported by the second terminal device, and to receive a second hash function list sent by the first terminal device, where the second hash function list includes at least one second hash function supported by the first terminal device;
a sending unit 1120, configured to send to the first terminal device a first hash function list in which the first hash function is recorded, and to send some or all of the second hash functions to the second terminal device;
the receiving unit 1110 is further configured to receive a target first hash function and first fingerprint information sent by the second terminal device, and to receive a target second hash function and second fingerprint information sent by the second terminal device, where the target first hash function is determined by the first terminal device from the first hash function list and belongs to the hash functions supported by the first terminal device, the first fingerprint information is fingerprint information corresponding to the target first hash function, the target first hash function and the first fingerprint information are used for authenticating the first terminal device, the target second hash function is determined by the second terminal device from some or all of the second hash functions and belongs to the hash functions supported by the second terminal device, the second fingerprint information is fingerprint information corresponding to the target second hash function, and the target second hash function and the second fingerprint information are used for authenticating the second terminal device;
the sending unit 1120 is further configured to send the target first hash function and the first fingerprint information to the second terminal device, and to send the target second hash function and the second fingerprint information to the first terminal device, so that the first terminal device and the second terminal device perform authentication processing according to the target first hash function, the first fingerprint information, the target second hash function and the second fingerprint information, in order to establish a Datagram Transport Layer Security DTLS protocol connection and transmit data over the DTLS protocol connection.
可选地,该接收单元还用于接收该第一终端设备发送的第一角色指示信息及该第二终端设备发送的第二角色指示信息,该第一角色指示信息用于指示该第一终端设备支持的角色,该第二角色指示信息用于指示该第二终端设备支持的角色,该角色为“主动”和“被动”中的至少一种;Optionally, the receiving unit is further configured to receive the first role indication information that is sent by the first terminal device, and the second role indication information that is sent by the second terminal device, where the first role indication information is used to indicate the first terminal. a role supported by the device, where the second role indication information is used to indicate a role supported by the second terminal device, where the role is at least one of “active” and “passive”;
该发送单元还用于向该第二终端设备发送该第一角色指示信息,并向该第一终端设备发送该第二角色指示信息,以便于该第一终端设备和该第二终端设备根据该第一哈希函数、该第一指纹信息、该第二哈希函数、该第二指纹信息、该第一终端设备支持的角色和该第二终端设备支持的角色进行认证处理。The sending unit is further configured to send the first role indication information to the second terminal device, and send the second role indication information to the first terminal device, so that the first terminal device and the second terminal device are configured according to the The first hash function, the first fingerprint information, the second hash function, the second fingerprint information, the role supported by the first terminal device, and the role supported by the second terminal device perform authentication processing.
可选地,该接收单元还用于接收该第一终端设备发送的第一端口号及该第二终端设备发送的第二端口号,该第一端口号是该第一终端设备所使用的用于建立基于该DTLS协议连接的流控制传输协议SCTP连接的端口号,该第二端口号是该第二终端设备所使用的用于建立基于该DTLS协议连接的SCTP连接的端口号;Optionally, the receiving unit is further configured to receive a first port number sent by the first terminal device and a second port number sent by the second terminal device, where the first port number is used by the first terminal device Establishing a port number of the flow control transport protocol SCTP connection based on the DTLS protocol connection, where the second port number is a port number used by the second terminal device to establish an SCTP connection based on the DTLS protocol connection;
该发送单元还用于向该第二终端设备转发该第一端口号,并向该第一终端设备转发该第二端口号,以便于该第一终端设备和该第二终端设备根据该第一端口号和该第二端口号建立SCTP连接,并通过该SCTP连接传输数据。The sending unit is further configured to forward the first port number to the second terminal device, and forward the second port number to the first terminal device, so that the first terminal device and the second terminal device are configured according to the first The port number establishes an SCTP connection with the second port number, and transmits data through the SCTP connection.
根据本发明实施例的用于传输数据的装置1100可对应于本发明实施例的方法中的网关设备,并且,该用于传输数据的装置1100中的各单元即模块和上述其他操作和/或功能分别为了实现图3中的方法300的相应流程,为了简洁,在此不再赘述。 The apparatus 1100 for transmitting data according to an embodiment of the present invention may correspond to a gateway device in the method of the embodiment of the present invention, and each unit in the apparatus 1100 for transmitting data, that is, a module and the above other operations and/or The functions are respectively implemented in order to implement the corresponding process of the method 300 in FIG. 3, and are not described herein for brevity.
根据本发明实施例的用于传输数据的装置,第一终端设备和第二终端设备经由网关设备协商安全参数,能够在第一终端设备和第二终端设备之间建立基于该安全参数的DTLS协议连接,从而在第一终端设备和第二终端设备能够通过该DTLS协议连接传输数据,而无需网关设备的转发,从而能够减小网关设备的负担,提高系统的传输性能,改善影响用户体验。并且,根据本发明实施例的用于传输数据的装置,使用H.323协议第一终端设备和使用SIP的第二终端设备经由网关设备来协商哈希函数和指纹信息,能够在第一终端设备和第二终端设备之间建立基于该哈希函数和指纹信息的DTLS协议连接,从而在第一终端设备和第二终端设备能够通过该DTLS协议连接传输数据,进而能够有效利用DTLS协议的安全认证机制提高传输数据的安全性,并且能够使DTLS协议适用于使用H.323协议的终端设备,进而提高终端设备的可靠性和实用性,改善用户体验。According to the apparatus for transmitting data according to the embodiment of the present invention, the first terminal device and the second terminal device negotiate a security parameter via the gateway device, and can establish a DTLS protocol based on the security parameter between the first terminal device and the second terminal device. The connection enables the first terminal device and the second terminal device to transmit data through the DTLS protocol connection without the forwarding of the gateway device, thereby reducing the burden on the gateway device, improving the transmission performance of the system, and improving the impact on the user experience. And, the apparatus for transmitting data according to an embodiment of the present invention, using the H.323 protocol, the first terminal device, and the second terminal device using the SIP, to negotiate a hash function and fingerprint information via the gateway device, capable of being in the first terminal device Establishing a DTLS protocol connection based on the hash function and the fingerprint information with the second terminal device, so that the first terminal device and the second terminal device can transmit data through the DTLS protocol connection, thereby effectively utilizing the DTLS protocol security authentication. The mechanism improves the security of the transmitted data, and can make the DTLS protocol applicable to the terminal device using the H.323 protocol, thereby improving the reliability and practicability of the terminal device and improving the user experience.
FIG. 12 shows a schematic block diagram of an apparatus 1200 for transmitting data according to an embodiment of the present invention. The apparatus 1200 is configured in a communication system that includes the apparatus 1200, a second terminal device and a gateway device; the apparatus 1200 communicates with the gateway device via the H.323 protocol, and the gateway device communicates with the second terminal device via SIP. The apparatus 1200 includes:
a receiving unit 1210, configured to receive a first hash function list sent by the gateway device, where the first hash function list records at least one first hash function sent by the second terminal device to the gateway device, and the first hash function belongs to the hash functions supported by the second terminal device;
a processing unit 1220, configured to determine a target first hash function from the first hash function list and to determine first fingerprint information corresponding to the target first hash function, where the target first hash function belongs to the hash functions supported by the apparatus, and the target first hash function and the first fingerprint information are used for authentication of the apparatus;
a sending unit 1230, configured to send the target first hash function and the first fingerprint information to the gateway device, so that the gateway device sends the target first hash function and the first fingerprint information to the second terminal device, and configured to send a second hash function list to the gateway device, where the second hash function list includes at least one second hash function supported by the apparatus;
the receiving unit 1210 is further configured to receive a target second hash function and second fingerprint information sent by the gateway device, where the target second hash function is determined by the second terminal device from the part or all of the second hash functions sent by the gateway device and belongs to the hash functions supported by the second terminal device, the second fingerprint information is the fingerprint information corresponding to the target second hash function, and the target second hash function and the second fingerprint information are used to authenticate the second terminal device;
the processing unit 1220 is further configured to perform authentication processing with the second terminal device according to the target first hash function, the first fingerprint information, the target second hash function and the second fingerprint information, in order to establish a Datagram Transport Layer Security (DTLS) protocol connection and transmit data to and from the second terminal device through the DTLS protocol connection.
Optionally, the sending unit is further configured to send a first port number to the gateway device, where the first port number is the port number used by the apparatus to establish a Stream Control Transmission Protocol (SCTP) connection over the DTLS protocol connection, so that the gateway device sends the first port number to the second terminal device;
the receiving unit is further configured to receive a second port number sent by the gateway device, where the second port number was sent by the second terminal device to the gateway device and is the port number used by the second terminal device to establish the SCTP connection over the DTLS protocol connection;
the processing unit is further configured to establish an SCTP connection with the second terminal device according to the first port number and the second port number, so as to transmit data to and from the second terminal device through the SCTP connection over the DTLS protocol connection.
Optionally, the sending unit is further configured to send first role indication information to the gateway device, where the first role indication information indicates the role supported by the apparatus and the role is at least one of "active" and "passive", so that the gateway device sends the first role indication information to the second terminal device;
the receiving unit is further configured to receive second role indication information sent by the gateway device, where the second role indication information was sent by the second terminal device to the gateway device and indicates the role supported by the second terminal device; and
the processing unit is specifically configured to perform authentication processing with the second terminal device according to the target first hash function, the first fingerprint information, the target second hash function, the second fingerprint information, the role supported by the apparatus and the role supported by the second terminal device.
The apparatus 1200 for transmitting data according to an embodiment of the present invention may correspond to the first terminal device (for example, the terminal device #X described above) in the method of the embodiment of the present invention, and the units (i.e. modules) of the apparatus 1200 and the other operations and/or functions described above are respectively intended to implement the corresponding procedures of the method 600 in FIG. 6; for brevity, they are not described again here.
With the apparatus for transmitting data according to an embodiment of the present invention, the first terminal device and the second terminal device negotiate security parameters via the gateway device, so that a DTLS protocol connection based on those security parameters can be established between the first terminal device and the second terminal device, and the first terminal device and the second terminal device can transmit data through the DTLS protocol connection without forwarding by the gateway device; this reduces the load on the gateway device, improves the transmission performance of the system and improves the user experience. Furthermore, with the apparatus for transmitting data according to an embodiment of the present invention, the first terminal device using the H.323 protocol and the second terminal device using SIP negotiate a hash function and fingerprint information via the gateway device, so that a DTLS protocol connection based on that hash function and fingerprint information can be established between the first terminal device and the second terminal device, and the first terminal device and the second terminal device can transmit data through the DTLS protocol connection. The security authentication mechanism of the DTLS protocol can thus be used effectively to improve the security of the transmitted data, and the DTLS protocol can be made applicable to terminal devices using the H.323 protocol, which in turn improves the reliability and practicability of the terminal devices and improves the user experience.
FIG. 13 shows a schematic block diagram of an apparatus 1300 for transmitting data according to an embodiment of the present invention. The apparatus 1300 is configured in a communication system that includes a first terminal device, a second terminal device and the apparatus 1300; the apparatus 1300 communicates with the first terminal device via the H.323 protocol and with the second terminal device via SIP. The apparatus 1300 includes:
a receiving unit 1310, configured to receive a hash function list sent by the first terminal device, where the hash function list includes at least one hash function supported by the first terminal device;
a processing unit 1320, configured to perform negotiation processing with the second terminal device according to the hash function list, in order to determine at least one candidate hash function from the hash function list, where the candidate hash function belongs to the hash functions supported by the second terminal device;
a sending unit 1330, configured to send the candidate hash function to the first terminal device, so that the first terminal device determines a target hash function from the candidate hash functions and determines fingerprint information corresponding to the target hash function;
the receiving unit 1310 is further configured to receive the target hash function and the fingerprint information sent by the first terminal device;
the sending unit 1330 is further configured to send the target hash function and the fingerprint information to the second terminal device, so that the first terminal device and the second terminal device perform authentication processing according to the target hash function and the fingerprint information in order to establish a Datagram Transport Layer Security (DTLS) protocol connection and transmit data through the DTLS protocol connection.
Optionally, the sending unit is further configured to send a hash function to be verified to the second terminal device, where the hash function to be verified is any hash function in the hash function list;
the receiving unit is further configured to receive a verification message sent by the second terminal device, where the verification message indicates whether the hash function to be verified belongs to the hash functions supported by the second terminal device;
the processing unit is specifically configured to determine the hash function to be verified as a candidate hash function when it determines, according to the verification message, that the hash function to be verified belongs to the hash functions supported by the second terminal device.
Optionally, the processing unit is specifically configured to determine, when it determines that the verification message carries the hash function to be verified, that the hash function to be verified belongs to the hash functions supported by the second terminal device, and to determine the hash function to be verified as a candidate hash function.
Optionally, the receiving unit is further configured to receive a first port number sent by the first terminal device and a second port number sent by the second terminal device, where the first port number is the port number used by the first terminal device to establish a Stream Control Transmission Protocol (SCTP) connection over the DTLS protocol connection, and the second port number is the port number used by the second terminal device to establish the SCTP connection over the DTLS protocol connection;
the sending unit is further configured to forward the first port number to the second terminal device and to forward the second port number to the first terminal device, so that the first terminal device and the second terminal device establish an SCTP connection according to the first port number and the second port number and transmit data through the SCTP connection.
The apparatus 1300 for transmitting data according to an embodiment of the present invention may correspond to the gateway device in the method of the embodiment of the present invention, and the units (i.e. modules) of the apparatus 1300 and the other operations and/or functions described above are respectively intended to implement the corresponding procedures of the method 400 in FIG. 4; for brevity, they are not described again here.
With the apparatus for transmitting data according to an embodiment of the present invention, the first terminal device and the second terminal device negotiate security parameters via the gateway device, so that a DTLS protocol connection based on those security parameters can be established between the first terminal device and the second terminal device, and the first terminal device and the second terminal device can transmit data through the DTLS protocol connection without forwarding by the gateway device; this reduces the load on the gateway device, improves the transmission performance of the system and improves the user experience. Furthermore, with the apparatus for transmitting data according to an embodiment of the present invention, the first terminal device using the H.323 protocol and the second terminal device using SIP negotiate a hash function and fingerprint information via the gateway device, so that a DTLS protocol connection based on that hash function and fingerprint information can be established between the first terminal device and the second terminal device, and the first terminal device and the second terminal device can transmit data through the DTLS protocol connection. The security authentication mechanism of the DTLS protocol can thus be used effectively to improve the security of the transmitted data, and the DTLS protocol can be made applicable to terminal devices using the H.323 protocol, which in turn improves the reliability and practicability of the terminal devices and improves the user experience.
FIG. 14 shows a schematic block diagram of an apparatus 1400 for transmitting data according to an embodiment of the present invention. The apparatus 1400 is configured in a communication system that includes the apparatus 1400, a second terminal device and a gateway device; the apparatus 1400 communicates with the gateway device via the H.323 protocol, and the gateway device communicates with the second terminal device via SIP. The apparatus 1400 includes:
a sending unit 1410, configured to send a hash function list to the gateway device, where the hash function list includes at least one hash function supported by the apparatus, so that the gateway device performs negotiation processing with the second terminal device according to the hash function list in order to determine at least one candidate hash function from the hash function list, where the candidate hash function belongs to the hash functions supported by the second terminal device;
a receiving unit 1420, configured to receive the candidate hash function sent by the gateway device;
a processing unit 1430, configured to determine a target hash function from the candidate hash functions and to determine fingerprint information corresponding to the target hash function;
the sending unit 1410 is further configured to send the target hash function and the fingerprint information to the gateway device, so that the gateway device forwards the target hash function and the fingerprint information to the second terminal device;
the processing unit 1430 is further configured to perform authentication processing with the second terminal device according to the target hash function and the fingerprint information, in order to establish a Datagram Transport Layer Security (DTLS) protocol connection and transmit data through the DTLS protocol connection.
Optionally, the sending unit is further configured to send a first port number to the gateway device, so that the gateway device forwards the first port number to the second terminal device, where the first port number is the port number used by the apparatus to establish a Stream Control Transmission Protocol (SCTP) connection over the DTLS protocol connection;
the receiving unit is further configured to receive a second port number sent by the gateway device, where the second port number was sent by the second terminal device to the gateway device and is the port number used by the second terminal device to establish the SCTP connection over the DTLS protocol connection;
the processing unit is further configured to establish an SCTP connection with the second terminal device according to the first port number and the second port number, so as to transmit data through the SCTP connection.
The apparatus 1400 for transmitting data according to an embodiment of the present invention may correspond to the first terminal device (for example, the terminal device #A described above) in the method of the embodiment of the present invention, and the units (i.e. modules) of the apparatus 1400 and the other operations and/or functions described above are respectively intended to implement the corresponding procedures of the method 700 in FIG. 7; for brevity, they are not described again here.
With the apparatus for transmitting data according to an embodiment of the present invention, the first terminal device and the second terminal device negotiate security parameters via the gateway device, so that a DTLS protocol connection based on those security parameters can be established between the first terminal device and the second terminal device, and the first terminal device and the second terminal device can transmit data through the DTLS protocol connection without forwarding by the gateway device; this reduces the load on the gateway device, improves the transmission performance of the system and improves the user experience. Furthermore, with the apparatus for transmitting data according to an embodiment of the present invention, the first terminal device using the H.323 protocol and the second terminal device using SIP negotiate a hash function and fingerprint information via the gateway device, so that a DTLS protocol connection based on that hash function and fingerprint information can be established between the first terminal device and the second terminal device, and the first terminal device and the second terminal device can transmit data through the DTLS protocol connection. The security authentication mechanism of the DTLS protocol can thus be used effectively to improve the security of the transmitted data, and the DTLS protocol can be made applicable to terminal devices using the H.323 protocol, which in turn improves the reliability and practicability of the terminal devices and improves the user experience.
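The following is an added example and not code from the patent or its assignee: a minimal model of the gateway-mediated negotiation described for apparatus 1100/1200 (exchange of hash function lists) and for apparatus 1300/1400 (per-function verification messages), followed by the fingerprint check each endpoint performs on its peer's certificate once the DTLS handshake completes. It assumes the fingerprint information is the colon-separated hex digest of the DER certificate under the negotiated hash function (the SDP `a=fingerprint` convention), that a terminal picks the first offered function it supports, and uses constructed byte strings in place of real certificates.

```python
# Added example, not code from the patent or its assignee. Models the
# hash-function / fingerprint negotiation via the gateway and the resulting
# certificate fingerprint check at the DTLS endpoints. Certificates are
# constructed byte strings standing in for DER-encoded X.509 certificates.
import hashlib
import hmac

# Hash function names as used in SDP "a=fingerprint" attributes (RFC 4572),
# mapped to hashlib algorithm names. Assumed set; the patent lists none.
HASH_ALGS = {"sha-1": "sha1", "sha-256": "sha256", "sha-512": "sha512"}


def fingerprint(cert_der: bytes, hash_name: str) -> str:
    """Fingerprint information for a certificate: digest of the DER bytes
    under the given hash function, as colon-separated upper-case hex."""
    digest = hashlib.new(HASH_ALGS[hash_name], cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def verify_fingerprint(cert_der: bytes, hash_name: str, expected: str) -> bool:
    """Endpoint-side check after the DTLS handshake: recompute the fingerprint
    of the certificate the peer presented and compare it (constant-time) with
    the fingerprint information received out of band via the gateway."""
    if hash_name not in HASH_ALGS:
        return False  # unknown hash function: treat as authentication failure
    return hmac.compare_digest(fingerprint(cert_der, hash_name), expected)


class Terminal:
    """A terminal device: its supported hash functions (in preference order)
    and the certificate it will present in the DTLS handshake."""

    def __init__(self, name: str, supported: list, cert_der: bytes):
        self.name, self.supported, self.cert_der = name, list(supported), cert_der

    def choose(self, offered: list):
        """Pick the target hash function (first offered one this terminal
        supports) and derive the matching fingerprint information."""
        for h in offered:
            if h in self.supported:
                return h, fingerprint(self.cert_der, h)
        raise ValueError(f"{self.name}: no common hash function in {offered}")


def negotiate_via_lists(first: Terminal, second: Terminal) -> dict:
    """Apparatus 1100 flow: the gateway receives the second (SIP) terminal's
    hash functions and the first (H.323) terminal's list, forwards each to the
    other side, and then relays each side's target function and fingerprint."""
    first_hash_list = list(second.supported)    # first hash functions, from second terminal
    second_hash_list = list(first.supported)    # second hash function list, from first terminal
    target_first, fp_first = first.choose(first_hash_list)       # chosen by first terminal
    target_second, fp_second = second.choose(second_hash_list)   # chosen by second terminal
    # Gateway forwards (target_first, fp_first) to the second terminal and
    # (target_second, fp_second) to the first terminal.
    return {"first": (target_first, fp_first), "second": (target_second, fp_second)}


def negotiate_via_probe(first: Terminal, second: Terminal) -> tuple:
    """Apparatus 1300 flow: the gateway sends each function from the first
    terminal's list to the second terminal as a 'hash function to be verified';
    a verification message carrying the function back means it is supported,
    so it becomes a candidate. The first terminal then picks the target."""
    candidates = []
    for to_verify in first.supported:
        verification_message = to_verify if to_verify in second.supported else None
        if verification_message is not None:
            candidates.append(verification_message)
    if not candidates:
        raise ValueError("no candidate hash function")
    return first.choose(candidates)


def dtls_authenticate(result: dict, first: Terminal, second: Terminal) -> bool:
    """Mutual check: the first terminal verifies the second terminal's
    certificate against (target_second, fp_second) and the second terminal
    verifies the first terminal's certificate against (target_first, fp_first)."""
    target_first, fp_first = result["first"]
    target_second, fp_second = result["second"]
    return (verify_fingerprint(second.cert_der, target_second, fp_second)
            and verify_fingerprint(first.cert_der, target_first, fp_first))


if __name__ == "__main__":
    # Constructed sample terminals: an H.323 terminal (first) and a SIP terminal (second).
    h323 = Terminal("terminal#X", ["sha-256", "sha-1"], b"constructed-cert-X")
    sip = Terminal("terminal#Y", ["sha-512", "sha-256"], b"constructed-cert-Y")
    result = negotiate_via_lists(h323, sip)
    print(result, dtls_authenticate(result, h323, sip))
    print(negotiate_via_probe(h323, sip))
```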
以上,结合图1至图7详细说明了根据本发明实施例的用于传输数据的方法,下面,结合图15至图21详细说明根据本发明实施例的用于传输数据的设备。Hereinabove, a method for transmitting data according to an embodiment of the present invention is described in detail with reference to FIGS. 1 through 7, and an apparatus for transmitting data according to an embodiment of the present invention will be described in detail below with reference to FIGS. 15 through 21.
FIG. 15 is a schematic block diagram of a device 1500 for transmitting data according to an embodiment of the present invention. The device 1500 communicates with a second terminal device through the H.323 protocol, and the device 1500 includes:
a bus 1510;
a processor 1520 connected to the bus 1510;
a memory 1530 connected to the bus 1510; and
a transceiver 1540 connected to the bus 1510;
where the processor 1520 calls, through the bus 1510, a program stored in the memory 1530, in order to control the transceiver to receive a first hash function list sent by the second terminal device, the first hash function list including at least one hash function supported by the second terminal device, and to determine a first hash function from the first hash function list;
to determine first fingerprint information corresponding to the first hash function;
to control the transceiver to send the first hash function and the first fingerprint information to the second terminal device, where the first hash function is a hash function supported by the device 1500, and the first hash function and the first fingerprint information are used to authenticate the device 1500;
to control the transceiver to send a second hash function list to the second terminal device, the second hash function list including at least one hash function supported by the device 1500;
to control the transceiver to receive a second hash function and second fingerprint information sent by the second terminal device, where the second hash function is determined by the second terminal device from the second hash function list and is a hash function supported by the device 1500, the second fingerprint information is the fingerprint information corresponding to the second hash function, and the second hash function and the second fingerprint information are used to authenticate the second terminal device; and
to perform authentication processing with the second terminal device according to the first hash function, the first fingerprint information, the second hash function and the second fingerprint information, so as to establish a Datagram Transport Layer Security (DTLS) connection, and to transmit data to and from the second terminal device over the DTLS connection.
Optionally, the processor is further configured to control the transceiver to send a first port number to the second terminal device, the first port number being the port number used by the device 1500 to establish a Stream Control Transmission Protocol (SCTP) connection over the DTLS connection;
to control the transceiver to receive a second port number sent by the second terminal device, the second port number being the port number used by the second terminal device to establish the SCTP connection over the DTLS connection; and
to establish the SCTP connection with the second terminal device according to the first port number and the second port number, so as to transmit data to and from the second terminal device through the SCTP connection carried over the DTLS connection.
Optionally, the processor is further configured to control the transceiver to send first role indication information to the second terminal device, the first role indication information indicating the role(s) supported by the device 1500, a role being at least one of "active" and "passive";
to control the transceiver to receive second role indication information sent by the second terminal device, the second role indication information indicating the role(s) supported by the second terminal device; and
to perform the authentication processing with the second terminal device according to the first hash function, the first fingerprint information, the second hash function, the second fingerprint information, the role(s) supported by the device 1500 and the role(s) supported by the second terminal device.
In a specific application, the device 1500 may be embedded in, or may itself be, a terminal device such as a video conferencing terminal, and may further include a carrier housing a transmitting circuit and a receiving circuit, so that data can be transmitted and received between the device 1500 and a remote location.
Besides a data bus, the bus includes a power bus, a control bus and a status signal bus. For clarity, however, the various buses are all labelled as bus 1510 in the figure.
The processor may implement or execute the steps and logic block diagrams disclosed in the method embodiments of the present invention. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor, decoder or the like. The steps of the method disclosed in the embodiments of the present invention may be executed directly by a hardware processor, or by a combination of hardware and software modules in a decoding processor. A software module may reside in a storage medium that is mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, or a register.
It should be understood that in the embodiments of the present invention the processor 1520 may be a central processing unit (CPU); the processor 1520 may also be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The memory 1530 may include read-only memory and random access memory, and provides instructions and data to the processor. A part of the memory 1530 may also include non-volatile random access memory. For example, the memory 1530 may also store device type information.
During implementation, the steps of the above method may be completed by integrated logic circuits of hardware in the processor 1520 or by instructions in the form of software. The steps of the method disclosed in the embodiments of the present invention may be executed directly by a hardware processor, or by a combination of hardware and software modules in the processor. A software module may reside in a storage medium that is mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, or a register. The storage medium is located in the memory 1530; the processor 1520 reads the information in the memory 1530 and completes the steps of the above method in combination with its hardware. To avoid repetition, this is not described in detail here.
The device 1500 for transmitting data according to the embodiment of the present invention may correspond to the first terminal device in the method of the embodiment of the present invention (for example, the terminal device #α above), and the units, i.e. modules, of the device 1500 for transmitting data and the other operations and/or functions described above are respectively intended to implement the corresponding procedures of the method 100 in FIG. 1; for brevity, they are not described again here.
With the device for transmitting data according to the embodiment of the present invention, the first terminal device and the second terminal device negotiate a hash function and fingerprint information on the basis of the H.323 protocol, so that a DTLS connection based on that hash function and fingerprint information can be established between the first terminal device and the second terminal device and data can be transmitted between them over that DTLS connection. The authentication mechanism of the DTLS protocol is thus used to improve the security of the transmitted data, and the DTLS protocol becomes applicable to terminal devices that use the H.323 protocol, which improves the reliability and practicality of the terminal device and the user experience.
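The two-directional exchange that device 1500 performs (each side determines a hash function from the peer's list, computes the fingerprint of its own certificate with it, and then authenticates the peer by checking the certificate presented in the DTLS handshake against the fingerprint received over signalling) is shown below as an added Python example. It is illustrative code written for this page, not code from the patent or from Huawei. It assumes that the fingerprint is the digest of the DER-encoded certificate rendered as colon-separated upper-case hex pairs with the hash names of RFC 8122 (the patent text does not fix the format), that each side walks the peer's list in the peer's order (the patent only requires membership in the list), and that the certificates are the constructed byte strings CERT_ALPHA, CERT_ONE and CERT_MITM. The Terminal class and the functions negotiate() and verify_peer() are hypothetical names.

```python
import hashlib
import hmac

# Hash names as they would be carried in the signalling messages; the mapping to
# hashlib constructor names is an assumption of this example.
HASH_ALGS = {"sha-256": "sha256", "sha-384": "sha384", "sha-512": "sha512"}


def fingerprint(hash_name, cert_der):
    """Fingerprint = digest of the DER-encoded certificate, rendered as upper-case
    hex byte pairs separated by colons (RFC 8122 fingerprint format, assumed here)."""
    digest = hashlib.new(HASH_ALGS[hash_name], cert_der).digest()
    return ":".join(f"{b:02X}" for b in digest)


class Terminal:
    """One H.323 endpoint: its supported hash functions and its own certificate."""

    def __init__(self, name, supported, cert_der):
        self.name = name
        self.supported = list(supported)   # in order of preference
        self.cert_der = cert_der

    def hash_list(self):
        # The hash function list this terminal sends to its peer.
        return list(self.supported)

    def choose_hash(self, peer_list):
        # Determine a hash from the *peer's* list that we also implement. Walking the
        # peer's list in the peer's order is an assumption of this example.
        for h in peer_list:
            if h in self.supported:
                return h
        raise ValueError(f"{self.name}: no common hash function with peer list {peer_list}")

    def announce(self, peer_list):
        # (hash function, fingerprint information) sent to the peer for our own authentication.
        h = self.choose_hash(peer_list)
        return h, fingerprint(h, self.cert_der)


def verify_peer(hash_name, expected_fp, presented_cert_der, local_supported):
    """Check the certificate the peer presents in the DTLS handshake against the
    fingerprint received through signalling. Hash names we do not implement are
    refused before any digest is computed; the comparison is constant-time."""
    if hash_name not in local_supported or hash_name not in HASH_ALGS:
        return False
    actual = fingerprint(hash_name, presented_cert_der)
    return hmac.compare_digest(actual, expected_fp)


def negotiate(a, b, cert_seen_by_a=None, cert_seen_by_b=None):
    """Run the exchange of method 100 between terminals a and b and report what
    each side verified. cert_seen_by_* substitutes the certificate actually
    presented in the handshake (e.g. by a man in the middle on the media path)."""
    list_a, list_b = a.hash_list(), b.hash_list()        # step 1: exchange lists
    hash_a, fp_a = a.announce(list_b)                    # step 2: a picks from b's list
    hash_b, fp_b = b.announce(list_a)                    #         b picks from a's list
    seen_by_a = b.cert_der if cert_seen_by_a is None else cert_seen_by_a
    seen_by_b = a.cert_der if cert_seen_by_b is None else cert_seen_by_b
    return {
        "hash_a": hash_a, "fp_a": fp_a,
        "hash_b": hash_b, "fp_b": fp_b,
        "a_verified_b": verify_peer(hash_b, fp_b, seen_by_a, a.supported),  # step 3
        "b_verified_a": verify_peer(hash_a, fp_a, seen_by_b, b.supported),
    }


# Constructed stand-ins for the DER encoding of each terminal's self-signed certificate.
CERT_ALPHA = b"\x30\x82\x01\x00" + b"terminal-alpha-certificate-der" * 4
CERT_ONE = b"\x30\x82\x01\x00" + b"terminal-one-certificate-der" * 4
CERT_MITM = b"\x30\x82\x01\x00" + b"attacker-certificate-der" * 4

if __name__ == "__main__":
    alpha = Terminal("alpha", ["sha-256", "sha-384"], CERT_ALPHA)
    one = Terminal("one", ["sha-384", "sha-256"], CERT_ONE)
    print(negotiate(alpha, one))
    print(negotiate(alpha, one, cert_seen_by_b=CERT_MITM)["b_verified_a"])
```

The point the patent text leaves implicit is that the fingerprint only authenticates the peer if it is compared with the certificate actually presented in the DTLS handshake: in the man-in-the-middle run above the negotiation looks normal, but a substituted certificate fails the check on the side that sees it. The check also refuses hash names the local side never listed, so a peer cannot steer it to an unlisted algorithm. As with DTLS-SRTP, the binding is only as strong as the integrity of the signalling path that carries the fingerprint.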
FIG. 16 is a schematic block diagram of a device 1600 for transmitting data according to an embodiment of the present invention. The device 1600 communicates with a second terminal device through the H.323 protocol, and the device 1600 includes:
a bus 1610;
a processor 1620 connected to the bus 1610;
a memory 1630 connected to the bus 1610; and
a transceiver 1640 connected to the bus 1610;
where the processor 1620 calls, through the bus 1610, a program stored in the memory 1630, in order to control the transceiver to receive a first hash function list sent by the second terminal device, the first hash function list including at least one hash function supported by the second terminal device;
to determine a target hash function from the first hash function list, and to determine fingerprint information corresponding to the target hash function, where the target hash function is a hash function supported by the device 1600;
to control the transceiver to send the target hash function and the fingerprint information to the second terminal device; and
to perform authentication processing with the second terminal device according to the target hash function and the fingerprint information, so as to establish a Datagram Transport Layer Security (DTLS) connection, and to transmit data to and from the second terminal device over the DTLS connection.
Optionally, the processor is further configured to control the transceiver to receive role indication information sent by the second terminal device, the role indication information indicating the role(s) supported by the second terminal device, a role being at least one of "active" and "passive"; and
to determine, according to the role indication information, the role(s) supported by the second terminal device, and to determine the target hash function from the first hash function list when it is determined that the roles supported by the device 1600 include "active" and the roles supported by the second terminal device include "passive".
Optionally, the processor is specifically configured to determine the target hash function from the first hash function list according to the hash functions that the device 1600 itself supports.
Optionally, the processor is further configured to control the transceiver to send a second hash function list to the second terminal device, the second hash function list including at least one hash function supported by the device 1600, so that the second terminal device determines the first hash function list according to the second hash function list, where the hash functions included in the first hash function list belong to the second hash function list; and
to determine any hash function in the first hash function list as the target hash function.
Optionally, the processor is further configured to control the transceiver to send a first port number to the second terminal device, the first port number being the port number used by the device 1600 to establish a Stream Control Transmission Protocol (SCTP) connection over the DTLS connection;
to control the transceiver to receive a second port number sent by the second terminal device, the second port number being the port number used by the second terminal device to establish the SCTP connection over the DTLS connection; and
to establish the SCTP connection with the second terminal device according to the first port number and the second port number, so as to transmit data to and from the second terminal device through the SCTP connection carried over the DTLS connection.
In a specific application, the device 1600 may be embedded in, or may itself be, a terminal device such as a video conferencing terminal, and may further include a carrier housing a transmitting circuit and a receiving circuit, so that data can be transmitted and received between the device 1600 and a remote location.
Besides a data bus, the bus includes a power bus, a control bus and a status signal bus. For clarity, however, the various buses are all labelled as bus 1610 in the figure.
The processor may implement or execute the steps and logic block diagrams disclosed in the method embodiments of the present invention. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor, decoder or the like. The steps of the method disclosed in the embodiments of the present invention may be executed directly by a hardware processor, or by a combination of hardware and software modules in a decoding processor. A software module may reside in a storage medium that is mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, or a register.
It should be understood that in the embodiments of the present invention the processor 1620 may be a central processing unit (CPU); the processor 1620 may also be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The memory 1630 may include read-only memory and random access memory, and provides instructions and data to the processor. A part of the memory 1630 may also include non-volatile random access memory. For example, the memory 1630 may also store device type information.
During implementation, the steps of the above method may be completed by integrated logic circuits of hardware in the processor 1620 or by instructions in the form of software. The steps of the method disclosed in the embodiments of the present invention may be executed directly by a hardware processor, or by a combination of hardware and software modules in the processor. A software module may reside in a storage medium that is mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, or a register. The storage medium is located in the memory 1630; the processor 1620 reads the information in the memory 1630 and completes the steps of the above method in combination with its hardware. To avoid repetition, this is not described in detail here.
The device 1600 for transmitting data according to the embodiment of the present invention may correspond to the first terminal device in the method of the embodiment of the present invention (for example, the terminal device #1 above), and the units, i.e. modules, of the device 1600 for transmitting data and the other operations and/or functions described above are respectively intended to implement the corresponding procedures of the method 200 in FIG. 2; for brevity, they are not described again here.
With the device for transmitting data according to the embodiment of the present invention, the first terminal device and the second terminal device negotiate a hash function and fingerprint information on the basis of the H.323 protocol, so that a DTLS connection based on that hash function and fingerprint information can be established between the first terminal device and the second terminal device and data can be transmitted between them over that DTLS connection. The authentication mechanism of the DTLS protocol is thus used to improve the security of the transmitted data, and the DTLS protocol becomes applicable to terminal devices that use the H.323 protocol, which improves the reliability and practicality of the terminal device and the user experience.
FIG. 17 is a schematic block diagram of a device 1700 for transmitting data according to an embodiment of the present invention. The device 1700 communicates with a first terminal device through the H.323 protocol, and the device 1700 includes:
a bus 1710;
a processor 1720 connected to the bus 1710;
a memory 1730 connected to the bus 1710; and
a transceiver 1740 connected to the bus 1710;
where the processor 1720 calls, through the bus 1710, a program stored in the memory 1730, in order to control the transceiver to send a first hash function list to the first terminal device, the first hash function list including at least one hash function supported by the device 1700;
to control the transceiver to receive a target hash function sent by the first terminal device and fingerprint information corresponding to the target hash function, where the target hash function is determined by the first terminal device from the first hash function list and is a hash function supported by the first terminal device; and
to perform authentication processing with the first terminal device according to the target hash function and the fingerprint information, so as to establish a Datagram Transport Layer Security (DTLS) connection, and to transmit data between the first terminal device and the device 1700 over the DTLS connection.
Optionally, the processor is further configured to control the transceiver to send role indication information to the first terminal device, the role indication information indicating the role(s) supported by the device 1700, a role being at least one of "active" and "passive", so that the first terminal device determines the target hash function from the first hash function list when it determines that the roles supported by the first terminal device include "active" and the roles supported by the device 1700 include "passive".
Optionally, the target hash function is determined by the first terminal device from the first hash function list according to the hash functions that the first terminal device itself supports.
Optionally, the processor is further configured to control the transceiver to receive a second hash function list sent by the first terminal device, the second hash function list including at least one hash function supported by the first terminal device; and
to determine the first hash function list according to the second hash function list, so that the hash functions included in the first hash function list belong to the second hash function list.
Optionally, the processor is further configured to control the transceiver to receive a first port number sent by the first terminal device, the first port number being the port number used by the first terminal device to establish a Stream Control Transmission Protocol (SCTP) connection over the DTLS connection;
to control the transceiver to send a second port number to the first terminal device, the second port number being the port number used by the device 1700 to establish the SCTP connection over the DTLS connection; and
to establish the SCTP connection with the first terminal device according to the first port number and the second port number, so as to transmit data to and from the first terminal device through the SCTP connection carried over the DTLS connection.
In a specific application, the device 1700 may be embedded in, or may itself be, a terminal device such as a video conferencing terminal, and may further include a carrier housing a transmitting circuit and a receiving circuit, so that data can be transmitted and received between the device 1700 and a remote location.
Besides a data bus, the bus includes a power bus, a control bus and a status signal bus. For clarity, however, the various buses are all labelled as bus 1710 in the figure.
The processor may implement or execute the steps and logic block diagrams disclosed in the method embodiments of the present invention. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor, decoder or the like. The steps of the method disclosed in the embodiments of the present invention may be executed directly by a hardware processor, or by a combination of hardware and software modules in a decoding processor. A software module may reside in a storage medium that is mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, or a register.
It should be understood that in the embodiments of the present invention the processor 1720 may be a central processing unit (CPU); the processor 1720 may also be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The memory 1730 may include read-only memory and random access memory, and provides instructions and data to the processor 1720. A part of the memory 1730 may also include non-volatile random access memory. For example, the memory 1730 may also store device type information.
During implementation, the steps of the above method may be completed by integrated logic circuits of hardware in the processor 1720 or by instructions in the form of software. The steps of the method disclosed in the embodiments of the present invention may be executed directly by a hardware processor, or by a combination of hardware and software modules in the processor. A software module may reside in a storage medium that is mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, or a register. The storage medium is located in the memory 1730; the processor 1720 reads the information in the memory 1730 and completes the steps of the above method in combination with its hardware. To avoid repetition, this is not described in detail here.
The device 1700 for transmitting data according to the embodiment of the present invention may correspond to the second terminal device in the method of the embodiment of the present invention (for example, the terminal device #2 above), and the units, i.e. modules, of the device 1700 for transmitting data and the other operations and/or functions described above are respectively intended to implement the corresponding procedures of the method 500 in FIG. 5; for brevity, they are not described again here.
With the device for transmitting data according to the embodiment of the present invention, the first terminal device and the second terminal device negotiate a hash function and fingerprint information on the basis of the H.323 protocol, so that a DTLS connection based on that hash function and fingerprint information can be established between the first terminal device and the second terminal device and data can be transmitted between them over that DTLS connection. The authentication mechanism of the DTLS protocol is thus used to improve the security of the transmitted data, and the DTLS protocol becomes applicable to terminal devices that use the H.323 protocol, which improves the reliability and practicality of the terminal device and the user experience.
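The single-sided, role-gated variant that devices 1600 and 1700 implement together (methods 200 and 500: the second terminal prunes its own list down to the hashes the first terminal advertised, the first terminal determines the target hash function only when it can be "active" and the peer "passive", and the second terminal accepts only a target that was in the list it sent) is shown below as an added Python example written for this page; it is not code from the patent or from Huawei. The patent does not say how the "active"/"passive" roles map onto the DTLS handshake or what happens when both sides support both roles, so the mapping of "active" to the DTLS client (the side that opens the handshake) and the tie-break in favour of the first terminal are assumptions of this example; filter_hash_list(), select_target_hash(), validate_received_target(), dtls_setup() and run_exchange() are hypothetical names.

```python
ACTIVE, PASSIVE = "active", "passive"


def filter_hash_list(own_supported, received_second_list):
    """Second terminal (device 1700): build the first hash function list from its own
    hashes restricted to those in the second hash function list the first terminal
    sent, so every entry is guaranteed to be in that list. Own order is kept."""
    return [h for h in own_supported if h in received_second_list]


def may_select_target(own_roles, peer_roles):
    """First terminal (device 1600): the target hash is determined only when the
    local roles include 'active' and the peer's roles include 'passive'."""
    return ACTIVE in own_roles and PASSIVE in peer_roles


def select_target_hash(own_supported, own_roles, peer_roles, first_list):
    """Return the target hash, or None when the role gate leaves selection to the peer.
    The received list is not trusted blindly: the target must be one we implement."""
    if not may_select_target(own_roles, peer_roles):
        return None
    for h in first_list:
        if h in own_supported:
            return h
    raise ValueError(f"no usable hash function in received list {first_list}")


def validate_received_target(own_supported, sent_first_list, target):
    """Second terminal: the target announced by the peer must come from the list we
    sent and be one we can compute, otherwise the handshake cannot be verified."""
    if target not in sent_first_list:
        raise ValueError(f"target {target!r} was not offered")
    if target not in own_supported:
        raise ValueError(f"target {target!r} not supported locally")
    return True


def dtls_setup(own_roles, peer_roles):
    """Evaluated from the first terminal's point of view. Assumption of this example:
    the 'active' side opens the DTLS handshake (client), the 'passive' side waits
    (server); when both sides could take either role the first terminal is client."""
    if ACTIVE in own_roles and PASSIVE in peer_roles:
        return "client"
    if PASSIVE in own_roles and ACTIVE in peer_roles:
        return "server"
    raise ValueError(f"incompatible roles: own={sorted(own_roles)} peer={sorted(peer_roles)}")


def run_exchange(first_supported, first_roles, second_supported, second_roles):
    """The whole exchange seen from both ends, with the optional second-list step first.
    Incompatible roles fail before any list is exchanged."""
    first_side = dtls_setup(first_roles, second_roles)
    second_list = list(first_supported)                              # first -> second
    first_list = filter_hash_list(second_supported, second_list)     # second -> first
    target = select_target_hash(first_supported, first_roles, second_roles, first_list)
    if target is not None:
        validate_received_target(second_supported, first_list, target)
    return {"first_list": first_list, "target": target, "first_side": first_side}


if __name__ == "__main__":
    print(run_exchange(["sha-256", "sha-384"], {ACTIVE, PASSIVE},
                       ["sha-384", "sha-256", "sha-1"], {PASSIVE}))
    print(run_exchange(["sha-256"], {PASSIVE}, ["sha-256"], {ACTIVE}))
```

Two failure modes are worth keeping explicit in an implementation: two "passive"-only (or two "active"-only) endpoints can never complete the handshake and should be rejected before lists are exchanged, and an empty pruned list means the peers share no hash function, which is a negotiation failure rather than a reason to fall back to an algorithm neither side listed.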
FIG. 18 is a schematic block diagram of a device 1800 for transmitting data according to an embodiment of the present invention. The device 1800 communicates with a first terminal device through the H.323 protocol and with a second terminal device through SIP, and the device 1800 includes:
a bus 1810;
a processor 1820 connected to the bus 1810;
a memory 1830 connected to the bus 1810; and
a transceiver 1840 connected to the bus 1810;
where the processor 1820 calls, through the bus 1810, a program stored in the memory 1830, in order to control the transceiver to receive at least one first hash function sent by the second terminal device, each first hash function being a hash function supported by the second terminal device;
to control the transceiver to send, to the first terminal device, a first hash function list in which the first hash function(s) are recorded;
to control the transceiver to receive a target first hash function and first fingerprint information sent by the first terminal device, where the target first hash function is determined by the first terminal device from the first hash function list and is a hash function supported by the first terminal device, the first fingerprint information is the fingerprint information corresponding to the target first hash function, and the target first hash function and the first fingerprint information are used to authenticate the first terminal device;
to control the transceiver to receive a second hash function list sent by the first terminal device, the second hash function list including at least one second hash function supported by the first terminal device;
to control the transceiver to send some or all of the second hash function(s) to the second terminal device;
to control the transceiver to receive a target second hash function and second fingerprint information sent by the second terminal device, where the target second hash function is determined by the second terminal device from the second hash function(s) sent to it (some or all of them) and is a hash function supported by the second terminal device, the second fingerprint information is the fingerprint information corresponding to the target second hash function, and the target second hash function and the second fingerprint information are used to authenticate the second terminal device; and
to control the transceiver to send the target first hash function and the first fingerprint information to the second terminal device, and to send the target second hash function and the second fingerprint information to the first terminal device, so that the first terminal device and the second terminal device perform authentication processing according to the target first hash function, the first fingerprint information, the target second hash function and the second fingerprint information, establish a Datagram Transport Layer Security (DTLS) connection, and transmit data over the DTLS connection.
可选地,该处理器还用于控制该收发器接收该第一终端设备发送的第一角色指示信息及该第二终端设备发送的第二角色指示信息,该第一角色指示 信息用于指示该第一终端设备支持的角色,该第二角色指示信息用于指示该第二终端设备支持的角色,该角色为“主动”和“被动”中的至少一种;Optionally, the processor is further configured to: control, by the transceiver, the first role indication information sent by the first terminal device, and the second role indication information sent by the second terminal device, where the first role indication is The information is used to indicate a role supported by the first terminal device, where the second role indication information is used to indicate a role supported by the second terminal device, and the role is at least one of “active” and “passive”;
用于控制该收发器向该第二终端设备发送该第一角色指示信息,并向该第一终端设备发送该第二角色指示信息,以便于该第一终端设备和该第二终端设备根据该第一哈希函数、该第一指纹信息、该第二哈希函数、该第二指纹信息、该第一终端设备支持的角色和该第二终端设备支持的角色进行认证处理。And transmitting, by the transceiver, the first role indication information to the second terminal device, and sending the second role indication information to the first terminal device, so that the first terminal device and the second terminal device are configured according to the The first hash function, the first fingerprint information, the second hash function, the second fingerprint information, the role supported by the first terminal device, and the role supported by the second terminal device perform authentication processing.
可选地,该处理器还用于控制该收发器接收该第一终端设备发送的第一端口号及该第二终端设备发送的第二端口号,该第一端口号是该第一终端设备所使用的用于建立基于该DTLS协议连接的流控制传输协议SCTP连接的端口号,该第二端口号是该第二终端设备所使用的用于建立基于该DTLS协议连接的SCTP连接的端口号;Optionally, the processor is further configured to control the transceiver to receive the first port number sent by the first terminal device and the second port number sent by the second terminal device, where the first port number is the first terminal device a port number used to establish a flow control transport protocol SCTP connection based on the DTLS protocol connection, the second port number being a port number used by the second terminal device to establish an SCTP connection based on the DTLS protocol connection ;
用于控制该收发器向该第二终端设备转发该第一端口号,并向该第一终端设备转发该第二端口号,以便于该第一终端设备和该第二终端设备根据该第一端口号和该第二端口号建立SCTP连接,并通过该SCTP连接传输数据。Controlling the transceiver to forward the first port number to the second terminal device, and forwarding the second port number to the first terminal device, so that the first terminal device and the second terminal device are configured according to the first The port number establishes an SCTP connection with the second port number, and transmits data through the SCTP connection.
In a specific application, the device 1800 may be embedded in, or may itself be, a gateway device such as a gateway, and may further include a carrier housing the transmitting circuit and the receiving circuit, to allow data to be transmitted and received between the device 1800 and a remote location.
Besides the data bus, the bus includes a power bus, a control bus and a status signal bus. For clarity, however, the various buses are all labelled as bus 1810 in the figure.
The processor may implement or execute the steps and logic block diagrams disclosed in the method embodiments of the present invention. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor, decoder or the like. The steps of the method disclosed in the embodiments of the present invention may be carried out directly by a hardware processor, or by a combination of hardware and software modules in a decoding processor. The software module may reside in a storage medium mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory or a register.
It should be understood that, in the embodiments of the present invention, the processor 1820 may be a central processing unit (CPU); the processor 1820 may also be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The memory 1830 may include read-only memory and random access memory, and provides instructions and data to the processor 1820. A part of the memory 1830 may also include non-volatile random access memory. For example, the memory 1830 may also store device type information.
In implementation, the steps of the above method may be completed by integrated logic circuits of hardware in the processor 1820 or by instructions in the form of software. The steps of the method disclosed in the embodiments of the present invention may be carried out directly by a hardware processor, or by a combination of hardware and software modules in the processor. The software module may reside in a storage medium mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory or a register. The storage medium is located in the memory 1830; the processor 1820 reads the information in the memory 1830 and completes the steps of the above method in combination with its hardware. To avoid repetition, this is not described in detail here.
The device 1800 for transmitting data according to the embodiment of the present invention may correspond to the gateway device in the method of the embodiment of the present invention, and the units, i.e. modules, of the device 1800 for transmitting data and the other operations and/or functions described above are respectively intended to implement the corresponding procedures of the method 300 in FIG. 3; for brevity, they are not described again here.
With the device for transmitting data according to the embodiment of the present invention, the first terminal device and the second terminal device negotiate security parameters via the gateway device, so that a DTLS protocol connection based on these security parameters can be established between the first terminal device and the second terminal device, and the first terminal device and the second terminal device can transmit data over the DTLS protocol connection without forwarding by the gateway device; this reduces the load on the gateway device, improves the transmission performance of the system and improves the user experience. Moreover, with the device for transmitting data according to the embodiment of the present invention, the first terminal device using the H.323 protocol and the second terminal device using SIP negotiate the hash function and fingerprint information via the gateway device, so that a DTLS protocol connection based on that hash function and fingerprint information can be established between the first terminal device and the second terminal device, and the first terminal device and the second terminal device can transmit data over the DTLS protocol connection; this makes effective use of the security authentication mechanism of the DTLS protocol to improve the security of the transmitted data, makes the DTLS protocol applicable to terminal devices using the H.323 protocol, and thereby improves the reliability and practicality of the terminal devices and the user experience.
FIG. 19 shows a schematic block diagram of a device 1900 for transmitting data according to an embodiment of the present invention. The device 1900 communicates with a gateway device over the H.323 protocol, and the gateway device communicates with a second terminal device over SIP. The device 1900 includes:
a bus 1910;
a processor 1920 connected to the bus 1910;
a memory 1930 connected to the bus 1910;
a transceiver 1940 connected to the bus 1910;
where the processor 1920 calls, via the bus 1910, a program stored in the memory 1930, in order to control the transceiver to receive a first hash function list sent by the gateway device, where the first hash function list records at least one first hash function sent by the second terminal device to the gateway device, and the first hash function belongs to the hash functions supported by the second terminal device;
to determine a target first hash function from the first hash function list and determine first fingerprint information corresponding to the target first hash function, where the target first hash function belongs to the hash functions supported by the device 1900, and the target first hash function and the first fingerprint information are used for authentication of the device 1900;
to control the transceiver to send the target first hash function and the first fingerprint information to the gateway device, so that the gateway device sends the target first hash function and the first fingerprint information to the second terminal device;
to control the transceiver to send a second hash function list to the gateway device, where the second hash function list includes at least one second hash function supported by the device 1900;
to control the transceiver to receive a target second hash function and second fingerprint information sent by the gateway device, where the target second hash function is determined by the second terminal device from the part or all of the second hash functions sent by the gateway device and belongs to the hash functions supported by the second terminal device, the second fingerprint information is the fingerprint information corresponding to the target second hash function, and the target second hash function and the second fingerprint information are used to authenticate the second terminal device;
and to perform authentication processing with the second terminal device according to the target first hash function, the first fingerprint information, the target second hash function and the second fingerprint information, so as to establish a Datagram Transport Layer Security (DTLS) protocol connection and transmit data to and from the second terminal device over the DTLS protocol connection.
Optionally, the processor is further configured to control the transceiver to send a first port number to the gateway device, where the first port number is the port number used by the device 1900 to establish a Stream Control Transmission Protocol (SCTP) connection over the DTLS protocol connection, so that the gateway device sends the first port number to the second terminal device;
to control the transceiver to receive a second port number sent by the gateway device, where the second port number was sent by the second terminal device to the gateway device and is the port number used by the second terminal device to establish an SCTP connection over the DTLS protocol connection;
and to establish an SCTP connection with the second terminal device according to the first port number and the second port number, so as to transmit data to and from the second terminal device over the SCTP connection on top of the DTLS protocol connection.
Optionally, the processor is further configured to control the transceiver to send first role indication information to the gateway device, where the first role indication information indicates the role supported by the device 1900, the role being at least one of "active" and "passive", so that the gateway device sends the first role indication information to the second terminal device;
to control the transceiver to receive second role indication information sent by the gateway device, where the second role indication information was sent by the second terminal device to the gateway device and indicates the role supported by the second terminal device; and
to perform authentication processing with the second terminal device according to the target first hash function, the first fingerprint information, the target second hash function, the second fingerprint information, the role supported by the device 1900 and the role supported by the second terminal device.
In a specific application, the device 1900 may be embedded in, or may itself be, a terminal device such as a video conferencing terminal, and may further include a carrier housing the transmitting circuit and the receiving circuit, to allow data to be transmitted and received between the device 1900 and a remote location.
Besides the data bus, the bus includes a power bus, a control bus and a status signal bus. For clarity, however, the various buses are all labelled as bus 1910 in the figure.
The processor may implement or execute the steps and logic block diagrams disclosed in the method embodiments of the present invention. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor, decoder or the like. The steps of the method disclosed in the embodiments of the present invention may be carried out directly by a hardware processor, or by a combination of hardware and software modules in a decoding processor. The software module may reside in a storage medium mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory or a register.
It should be understood that, in the embodiments of the present invention, the processor 1920 may be a central processing unit (CPU); the processor 1920 may also be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The memory 1930 may include read-only memory and random access memory, and provides instructions and data to the processor 1920. A part of the memory 1930 may also include non-volatile random access memory. For example, the memory 1930 may also store device type information.
In implementation, the steps of the above method may be completed by integrated logic circuits of hardware in the processor 1920 or by instructions in the form of software. The steps of the method disclosed in the embodiments of the present invention may be carried out directly by a hardware processor, or by a combination of hardware and software modules in the processor. The software module may reside in a storage medium mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory or a register. The storage medium is located in the memory 1930; the processor 1920 reads the information in the memory 1930 and completes the steps of the above method in combination with its hardware. To avoid repetition, this is not described in detail here.
The device 1900 for transmitting data according to the embodiment of the present invention may correspond to the first terminal device (for example, the terminal device #A described above) in the method of the embodiment of the present invention, and the units, i.e. modules, of the device 1900 for transmitting data and the other operations and/or functions described above are respectively intended to implement the corresponding procedures of the method 600 in FIG. 6; for brevity, they are not described again here.
With the device for transmitting data according to the embodiment of the present invention, the first terminal device and the second terminal device negotiate security parameters via the gateway device, so that a DTLS protocol connection based on these security parameters can be established between the first terminal device and the second terminal device, and the first terminal device and the second terminal device can transmit data over the DTLS protocol connection without forwarding by the gateway device; this reduces the load on the gateway device, improves the transmission performance of the system and improves the user experience. Moreover, with the device for transmitting data according to the embodiment of the present invention, the first terminal device using the H.323 protocol and the second terminal device using SIP negotiate the hash function and fingerprint information via the gateway device, so that a DTLS protocol connection based on that hash function and fingerprint information can be established between the first terminal device and the second terminal device, and the first terminal device and the second terminal device can transmit data over the DTLS protocol connection; this makes effective use of the security authentication mechanism of the DTLS protocol to improve the security of the transmitted data, makes the DTLS protocol applicable to terminal devices using the H.323 protocol, and thereby improves the reliability and practicality of the terminal devices and the user experience.
FIG. 20 shows a schematic block diagram of a device 2000 for transmitting data according to an embodiment of the present invention. The device 2000 communicates with a first terminal device over the H.323 protocol, and the device 2000 communicates with a second terminal device over SIP. The device 2000 includes:
a bus 2010;
a processor 2020 connected to the bus 2010;
a memory 2030 connected to the bus 2010;
a transceiver 2040 connected to the bus 2010;
where the processor 2020 calls, via the bus 2010, a program stored in the memory 2030, in order to control the transceiver to receive a hash function list sent by the first terminal device, where the hash function list includes at least one hash function supported by the first terminal device;
to perform negotiation processing with the second terminal device according to the hash function list, so as to determine at least one candidate hash function from the hash function list, where the candidate hash function belongs to the hash functions supported by the second terminal device;
to control the transceiver to send the candidate hash function to the first terminal device, so that the first terminal device determines a target hash function from the candidate hash functions and determines fingerprint information corresponding to the target hash function;
to control the transceiver to receive the target hash function and the fingerprint information sent by the first terminal device;
and to control the transceiver to send the target hash function and the fingerprint information to the second terminal device, so that the first terminal device and the second terminal device perform authentication processing according to the target hash function and the fingerprint information, establish a Datagram Transport Layer Security (DTLS) protocol connection, and transmit data over the DTLS protocol connection.
Optionally, the processor is specifically configured to control the transceiver to send a hash function to be verified to the second terminal device, where the hash function to be verified is any hash function in the hash function list;
to control the transceiver to receive a verification message sent by the second terminal device, where the verification message indicates whether the hash function to be verified belongs to the hash functions supported by the second terminal device;
and, when it is determined from the verification message that the hash function to be verified belongs to the hash functions supported by the second terminal device, to determine the hash function to be verified as a candidate hash function.
Optionally, the processor is specifically configured to, when determining that the verification message carries the hash function to be verified, determine that the hash function to be verified belongs to the hash functions supported by the second terminal device, and determine the hash function to be verified as a candidate hash function.
Optionally, the processor is further configured to control the transceiver to receive first role indication information sent by the first terminal device and second role indication information sent by the second terminal device, where the first role indication information indicates the role supported by the first terminal device, the second role indication information indicates the role supported by the second terminal device, and the role is at least one of "active" and "passive";
and to control the transceiver to send the first role indication information to the second terminal device and the second role indication information to the first terminal device, so that the first terminal device and the second terminal device perform authentication processing according to the first hash function, the first fingerprint information, the second hash function, the second fingerprint information, the role supported by the first terminal device and the role supported by the second terminal device.
Optionally, the processor is further configured to control the transceiver to receive a first port number sent by the first terminal device and a second port number sent by the second terminal device, where the first port number is the port number used by the first terminal device to establish a Stream Control Transmission Protocol (SCTP) connection over the DTLS protocol connection, and the second port number is the port number used by the second terminal device to establish an SCTP connection over the DTLS protocol connection;
and to control the transceiver to forward the first port number to the second terminal device and the second port number to the first terminal device, so that the first terminal device and the second terminal device establish an SCTP connection according to the first port number and the second port number and transmit data over the SCTP connection.
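The mediated negotiation described for the gateway devices 1800 and 2000 and the terminal device 1900 above, as an added Python model that is not part of the patent: the gateway relays hash function lists, role indications and SCTP port numbers, probes the SIP side with hash functions to be verified (the candidate list of device 2000), and each terminal checks the certificate its peer presents in the DTLS handshake against the fingerprint it received via the gateway. The names Terminal, Gateway, run_session and the certificate bytes are constructed assumptions, and the colon-separated hex fingerprint format follows SDP a=fingerprint lines, which the patent does not specify.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

# Hash names as they appear in an SDP a=fingerprint line, mapped to hashlib names.
SDP_TO_HASHLIB = {"sha-1": "sha1", "sha-256": "sha256", "sha-384": "sha384", "sha-512": "sha512"}


def fingerprint(cert_der: bytes, hash_name: str) -> str:
    """Fingerprint of a DER certificate: upper-case hex octets separated by colons."""
    digest = hashlib.new(SDP_TO_HASHLIB[hash_name], cert_der).digest()
    return ":".join(f"{b:02X}" for b in digest)


@dataclass
class Terminal:
    name: str
    supported: list[str]   # hash functions it supports, most preferred first
    cert_der: bytes        # DER of its self-signed DTLS certificate (constructed stand-in)
    roles: set[str]        # subset of {"active", "passive"}
    sctp_port: int         # port for the SCTP association carried over DTLS

    def choose_target(self, offered: list[str]) -> tuple[str, str]:
        """Pick the target hash function from the offered list and compute its fingerprint."""
        for h in self.supported:
            if h in offered:
                return h, fingerprint(self.cert_der, h)
        raise ValueError(f"{self.name}: no offered hash function is supported")

    def verification_message(self, to_verify: str) -> dict:
        """Device-2000 style reply: the message carries the hash only if it is supported."""
        return {"hash": to_verify} if to_verify in self.supported else {}

    def verify_peer(self, hash_name: str, claimed_fp: str, presented_der: bytes) -> bool:
        """DTLS handshake check: the presented certificate must match the relayed fingerprint."""
        if hash_name not in self.supported:
            return False
        return hmac.compare_digest(claimed_fp, fingerprint(presented_der, hash_name))


class Gateway:
    """Relays and negotiates between the H.323 side (a) and the SIP side (b); holds no keys."""

    def negotiate_by_probing(self, hash_list: list[str], b: Terminal) -> list[str]:
        # Send each hash to be verified to b; keep those whose verification message carries it.
        return [h for h in hash_list if b.verification_message(h).get("hash") == h]


def resolve_roles(roles_a: set[str], roles_b: set[str]) -> tuple[str, str]:
    """Exactly one side ends up "active" (the DTLS client); assumption: a prefers active."""
    if "active" in roles_a and "passive" in roles_b:
        return "active", "passive"
    if "passive" in roles_a and "active" in roles_b:
        return "passive", "active"
    raise ValueError("no compatible active/passive assignment")


def run_session(a: Terminal, b: Terminal, gw: Gateway) -> dict:
    """The whole mediated negotiation followed by the mutual fingerprint check."""
    # 1. b's supported hashes reach a as the first hash function list; a picks a target
    #    and computes its fingerprint, which the gateway relays to b.
    target1, fp1 = a.choose_target(b.supported)
    # 2. a's list is the second hash function list; the gateway forwards only the part
    #    b confirms (the probing exchange), and b picks its own target and fingerprint.
    candidates = gw.negotiate_by_probing(a.supported, b)
    target2, fp2 = b.choose_target(candidates)
    # 3. Role indications and SCTP port numbers are relayed unchanged.
    role_a, role_b = resolve_roles(a.roles, b.roles)
    # 4. Direct DTLS handshake between a and b: each side verifies the certificate the
    #    peer presents against the fingerprint it received through the gateway.
    return {
        "target1": target1, "target2": target2,
        "candidates": candidates,
        "roles": (role_a, role_b),
        "sctp_ports": (a.sctp_port, b.sctp_port),
        "a_verified_b": a.verify_peer(target2, fp2, b.cert_der),
        "b_verified_a": b.verify_peer(target1, fp1, a.cert_der),
    }


# Constructed sample terminals; the "certificates" are placeholder bytes, not real DER.
TERMINAL_A = Terminal("A (H.323)", ["sha-256", "sha-1"], b"constructed-der-A",
                      {"active", "passive"}, 5000)
TERMINAL_B = Terminal("B (SIP)", ["sha-384", "sha-256"], b"constructed-der-B",
                      {"passive"}, 5001)

if __name__ == "__main__":
    print(run_session(TERMINAL_A, TERMINAL_B, Gateway()))
```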
具体的应用中,设备2000可以嵌入或者本身可以就是例如网关等网关设备,还可以包括容纳发射电路和接收电路的载体,以允许设备2000和远程位置之间进行数据发射和接收。In a specific application, the device 2000 may be embedded or may itself be a gateway device such as a gateway, and may also include a carrier that houses the transmitting circuit and the receiving circuit to allow data transmission and reception between the device 2000 and the remote location.
总线除包括数据总线之外,还包括电源总线、控制总线和状态信号总线。但是为了清楚明起见,在图中将各种总线都标为总线2010。In addition to the data bus, the bus includes a power bus, a control bus, and a status signal bus. However, for the sake of clarity, various buses are labeled as bus 2010 in the figure.
处理器可以实现或者执行本发明方法实施例中的公开的各步骤及逻辑框图。通用处理器可以是微处理器或者该处理器也可以是任何常规的处理器,解码器等。结合本发明实施例所公开的方法的步骤可以直接体现为硬件处理器执行完成,或者用解码处理器中的硬件及软件模块组合执行完成。软件模块可以位于随机存储器,闪存、只读存储器,可编程只读存储器或者电可擦写可编程存储器、寄存器等本领域成熟的存储介质中。The processor may implement or perform the steps and logic blocks disclosed in the method embodiments of the present invention. The general purpose processor may be a microprocessor or the processor or any conventional processor, decoder or the like. The steps of the method disclosed in the embodiments of the present invention may be directly implemented by the hardware processor, or may be performed by a combination of hardware and software modules in the decoding processor. The software module can be located in a conventional storage medium such as random access memory, flash memory, read only memory, programmable read only memory or electrically erasable programmable memory, registers, and the like.
应理解,在本发明实施例中,该处理器2020可以是中央处理单元(Central Processing Unit,简称为“CPU”),该处理器2020还可以是其他通用处理器、数字信号处理器(DSP)、专用集成电路(ASIC)、现成可编程门阵列(FPGA)或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件等。通用处理器可以是微处理器或者该处理器也可以是任何常规的处理器等。It should be understood that, in the embodiment of the present invention, the processor 2020 may be a central processing unit (Central Processing Unit (CPU), and the processor 2020 may also be other general-purpose processors, digital signal processors (DSPs). , an application specific integrated circuit (ASIC), an off-the-shelf programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic device, discrete hardware component, and the like. The general purpose processor may be a microprocessor or the processor or any conventional processor or the like.
该存储器2030可以包括只读存储器和随机存取存储器,并向处理器2020提供指令和数据。存储器2030的一部分还可以包括非易失性随机存取 存储器。例如,存储器2030还可以存储设备类型的信息。The memory 2030 can include read only memory and random access memory and provides instructions and data to the processor 2020. A portion of the memory 2030 may also include non-volatile random access Memory. For example, the memory 2030 can also store information of the device type.
在实现过程中,上述方法的各步骤可以通过处理器2020中的硬件的集成逻辑电路或者软件形式的指令完成。结合本发明实施例所公开的方法的步骤可以直接体现为硬件处理器执行完成,或者用处理器中的硬件及软件模块组合执行完成。软件模块可以位于随机存储器,闪存、只读存储器,可编程只读存储器或者电可擦写可编程存储器、寄存器等本领域成熟的存储介质中。该存储介质位于存储器2030,处理器2020读取存储器2030中的信息,结合其硬件完成上述方法的步骤。为避免重复,这里不再详细描述。In the implementation process, each step of the foregoing method may be completed by an integrated logic circuit of hardware in the processor 2020 or an instruction in a form of software. The steps of the method disclosed in the embodiments of the present invention may be directly implemented as a hardware processor, or may be performed by a combination of hardware and software modules in the processor. The software module can be located in a conventional storage medium such as random access memory, flash memory, read only memory, programmable read only memory or electrically erasable programmable memory, registers, and the like. The storage medium is located in the memory 2030, and the processor 2020 reads the information in the memory 2030 and performs the steps of the above method in combination with its hardware. To avoid repetition, it will not be described in detail here.
The device 2000 for transmitting data according to the embodiment of the present invention may correspond to the gateway device in the method of the embodiment of the present invention, and the units (that is, modules) in the device 2000 and the other operations and/or functions described above are respectively intended to implement the corresponding procedures of the method 400 in FIG. 4; for brevity, they are not described again here.
According to the device for transmitting data of the embodiment of the present invention, the first terminal device and the second terminal device negotiate security parameters via the gateway device, so that a DTLS protocol connection based on those security parameters can be established between the first terminal device and the second terminal device; the first terminal device and the second terminal device can then transmit data over the DTLS protocol connection without forwarding by the gateway device, which reduces the burden on the gateway device, improves the transmission performance of the system, and improves user experience. Moreover, according to the device for transmitting data of the embodiment of the present invention, the first terminal device using the H.323 protocol and the second terminal device using SIP negotiate a hash function and fingerprint information via the gateway device, so that a DTLS protocol connection based on that hash function and fingerprint information can be established between the first terminal device and the second terminal device, and the first terminal device and the second terminal device can transmit data over the DTLS protocol connection; the security authentication mechanism of the DTLS protocol is thereby used effectively to improve the security of the transmitted data, and the DTLS protocol is made applicable to terminal devices using the H.323 protocol, which improves the reliability and practicality of the terminal devices and improves user experience.
FIG. 21 shows a schematic block diagram of a device 2100 for transmitting data according to an embodiment of the present invention. The device 2100 communicates with a gateway device through the H.323 protocol, and the gateway device communicates with a second terminal device through SIP. The device 2100 includes:
a bus 2110;
a processor 2120 connected to the bus 2110;
a memory 2130 connected to the bus 2110;
a transceiver 2140 connected to the bus 2110;
where the processor 2120 invokes, through the bus 2110, a program stored in the memory 2130, so as to control the transceiver to send a hash function list to the gateway device, the hash function list including at least one hash function supported by the device 2100, so that the gateway device performs negotiation processing with the second terminal device according to the hash function list to determine at least one candidate hash function from the hash function list, where the candidate hash function belongs to the hash functions supported by the second terminal device;
to control the transceiver to receive the candidate hash function sent by the gateway device;
to determine a target hash function from the candidate hash function, and to determine fingerprint information corresponding to the target hash function;
to control the transceiver to send the target hash function and the fingerprint information to the gateway device, so that the gateway device forwards the target hash function and the fingerprint information to the second terminal; and
to perform authentication processing with the second terminal device according to the target hash function and the fingerprint information, so as to establish a Datagram Transport Layer Security (DTLS) protocol connection and transmit data over the DTLS protocol connection.
Optionally, the processor is further configured to control the transceiver to send a first port number to the gateway device, so that the gateway device forwards the first port number to the second terminal device, where the first port number is the port number used by the device 2100 to establish a Stream Control Transmission Protocol (SCTP) connection based on the DTLS protocol connection;
to control the transceiver to receive a second port number sent by the gateway device, where the second port number was sent to the gateway device by the second terminal device and is the port number used by the second terminal device to establish the SCTP connection based on the DTLS protocol connection; and
to establish an SCTP connection with the second terminal device according to the first port number and the second port number, so as to transmit data over the SCTP connection.
In a specific application, the device 2100 may be embedded in, or may itself be, a terminal device such as a video conferencing terminal, and may further include a carrier housing a transmitting circuit and a receiving circuit so as to allow data transmission and reception between the device 2100 and a remote location.
In addition to a data bus, the bus includes a power bus, a control bus, and a status signal bus. For clarity, however, the various buses are all labeled as the bus 2110 in the figure.
The processor may implement or perform the steps and logical block diagrams disclosed in the method embodiments of the present invention. The general-purpose processor may be a microprocessor or any conventional processor, decoder, or the like. The steps of the method disclosed in the embodiments of the present invention may be performed directly by a hardware processor, or by a combination of hardware and software modules in a decoding processor. The software module may reside in a storage medium mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, or a register.
It should be understood that, in the embodiments of the present invention, the processor 2120 may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The general-purpose processor may be a microprocessor or any conventional processor.
The memory 2130 may include read-only memory and random access memory, and provides instructions and data to the processor 2120. A portion of the memory 2130 may also include non-volatile random access memory. For example, the memory 2130 may also store device-type information.
In implementation, the steps of the foregoing method may be performed by integrated logic circuits of hardware in the processor 2120 or by instructions in the form of software. The steps of the method disclosed in the embodiments of the present invention may be performed directly by a hardware processor, or by a combination of hardware and software modules in the processor. The software module may reside in a storage medium mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, or a register. The storage medium is located in the memory 2130; the processor 2120 reads the information in the memory 2130 and completes the steps of the foregoing method in combination with its hardware. To avoid repetition, this is not described in detail here.
The device 2100 for transmitting data according to the embodiment of the present invention may correspond to the first terminal device (for example, the terminal device #A described above) in the method of the embodiment of the present invention, and the units (that is, modules) in the device 2100 and the other operations and/or functions described above are respectively intended to implement the corresponding procedures of the method 700 in FIG. 7; for brevity, they are not described again here.
According to the device for transmitting data of the embodiment of the present invention, the first terminal device and the second terminal device negotiate security parameters via the gateway device, so that a DTLS protocol connection based on those security parameters can be established between the first terminal device and the second terminal device; the first terminal device and the second terminal device can then transmit data over the DTLS protocol connection without forwarding by the gateway device, which reduces the burden on the gateway device, improves the transmission performance of the system, and improves user experience. Moreover, according to the device for transmitting data of the embodiment of the present invention, the first terminal device using the H.323 protocol and the second terminal device using SIP negotiate a hash function and fingerprint information via the gateway device, so that a DTLS protocol connection based on that hash function and fingerprint information can be established between the first terminal device and the second terminal device, and the first terminal device and the second terminal device can transmit data over the DTLS protocol connection; the security authentication mechanism of the DTLS protocol is thereby used effectively to improve the security of the transmitted data, and the DTLS protocol is made applicable to terminal devices using the H.323 protocol, which improves the reliability and practicality of the terminal devices and improves user experience.
FIG. 22 shows a schematic architectural diagram of a system 2200 for transmitting data according to an embodiment of the present invention. As shown in FIG. 22, the system 2200 includes a first terminal device 2210, a second terminal device 2220, and a gateway device 2230. The first terminal device 2210 communicates with the gateway device 2230 through the H.323 protocol, and the second terminal device 2220 communicates with the gateway device 2230 through the Session Initiation Protocol (SIP), where:
The gateway device 2230 is configured to: receive at least one first hash function sent by the second terminal device, the first hash function belonging to the hash functions supported by the second terminal device; send to the first terminal device a first hash function list in which the first hash function is recorded; receive a target first hash function and first fingerprint information sent by the first terminal device, where the target first hash function is determined by the first terminal device from the first hash function list and belongs to the hash functions supported by the first terminal device, the first fingerprint information is fingerprint information corresponding to the target first hash function, and the target first hash function and the first fingerprint information are used to authenticate the first terminal device; receive a second hash function list sent by the first terminal device, the second hash function list including at least one second hash function supported by the first terminal device; send some or all of the second hash functions to the second terminal device; receive a target second hash function and second fingerprint information sent by the second terminal device, where the target second hash function is determined by the second terminal device from the some or all of the second hash functions and belongs to the hash functions supported by the second terminal device, the second fingerprint information is fingerprint information corresponding to the target second hash function, and the target second hash function and the second fingerprint information are used to authenticate the second terminal device; and send the target first hash function and the first fingerprint information to the second terminal device, and send the target second hash function and the second fingerprint information to the first terminal device, so that the first terminal device and the second terminal device perform authentication processing according to the target first hash function, the first fingerprint information, the target second hash function, and the second fingerprint information, so as to establish a Datagram Transport Layer Security (DTLS) protocol connection and transmit data over the DTLS protocol connection;
The first terminal device 2210 is configured to: receive the first hash function list sent by the gateway device, where the first hash function list records at least one first hash function sent by the second terminal device to the gateway device, the first hash function belonging to the hash functions supported by the second terminal device; determine a target first hash function from the first hash function list, and determine first fingerprint information corresponding to the target first hash function, where the target first hash function belongs to the hash functions supported by the first terminal device, and the target first hash function and the first fingerprint information are used to authenticate the first terminal device; send the determined target first hash function and the first fingerprint information to the gateway device, so that the gateway device sends the target first hash function and the first fingerprint information to the second terminal device; send a second hash function list to the gateway device, the second hash function list including at least one second hash function supported by the first terminal device; receive a target second hash function and second fingerprint information sent by the gateway device, where the target second hash function is determined by the second terminal device from some or all of the second hash functions sent by the gateway device and belongs to the hash functions supported by the second terminal device, the second fingerprint information is fingerprint information corresponding to the target second hash function, and the target second hash function and the second fingerprint information are used to authenticate the second terminal device; and perform authentication processing with the second terminal device according to the target first hash function, the first fingerprint information, the target second hash function, and the second fingerprint information, so as to establish a Datagram Transport Layer Security (DTLS) protocol connection and transmit data to and from the second terminal device over the DTLS protocol connection.
The gateway device 2230 according to the embodiment of the present invention may correspond to the gateway device in the method of the embodiment of the present invention, and the units (that is, modules) in the gateway device 2230 and the other operations and/or functions described above are respectively intended to implement the corresponding procedures of the method 300 in FIG. 3; for brevity, they are not described again here.
The first terminal device 2210 according to the embodiment of the present invention may correspond to the first terminal device (for example, the terminal device #X described above) in the method of the embodiment of the present invention, and the units (that is, modules) in the first terminal device 2210 and the other operations and/or functions described above are respectively intended to implement the corresponding procedures of the method 600 in FIG. 6; for brevity, they are not described again here.
According to the system for transmitting data of the embodiment of the present invention, the first terminal device and the second terminal device negotiate security parameters via the gateway device, so that a DTLS protocol connection based on those security parameters can be established between the first terminal device and the second terminal device; the first terminal device and the second terminal device can then transmit data over the DTLS protocol connection without forwarding by the gateway device, which reduces the burden on the gateway device, improves the transmission performance of the system, and improves user experience. Moreover, according to the device for transmitting data of the embodiment of the present invention, the first terminal device using the H.323 protocol and the second terminal device using SIP negotiate a hash function and fingerprint information via the gateway device, so that a DTLS protocol connection based on that hash function and fingerprint information can be established between the first terminal device and the second terminal device, and the first terminal device and the second terminal device can transmit data over the DTLS protocol connection; the security authentication mechanism of the DTLS protocol is thereby used effectively to improve the security of the transmitted data, and the DTLS protocol is made applicable to terminal devices using the H.323 protocol, which improves the reliability and practicality of the terminal devices and improves user experience.
FIG. 23 shows a schematic architectural diagram of a system 2300 for transmitting data according to an embodiment of the present invention. As shown in FIG. 23, the system 2300 includes a first terminal device 2310, a second terminal device 2320, and a gateway device 2330. The first terminal device 2310 communicates with the gateway device 2330 through the H.323 protocol, and the second terminal device 2320 communicates with the gateway device 2330 through the Session Initiation Protocol (SIP), where:
The gateway device 2330 is configured to: receive a hash function list sent by the first terminal device, the hash function list including at least one hash function supported by the first terminal device; perform negotiation processing with the second terminal device according to the hash function list, so as to determine at least one candidate hash function from the hash function list, where the candidate hash function belongs to the hash functions supported by the second terminal device; send the candidate hash function to the first terminal device, so that the first terminal device determines a target hash function from the candidate hash function and determines fingerprint information corresponding to the target hash function; and receive the target hash function and the fingerprint information sent by the first terminal device, and send the target hash function and the fingerprint information to the second terminal, so that the first terminal device and the second terminal device perform authentication processing according to the target hash function and the fingerprint information, so as to establish a Datagram Transport Layer Security (DTLS) protocol connection and transmit data over the DTLS protocol connection;
The first terminal device 2310 is configured to: send a hash function list to the gateway device, the hash function list including at least one hash function supported by the first terminal device, so that the gateway device performs negotiation processing with the second terminal device according to the hash function list to determine at least one candidate hash function from the hash function list, where the candidate hash function belongs to the hash functions supported by the second terminal device; receive the candidate hash function sent by the gateway device; determine a target hash function from the candidate hash function, and determine fingerprint information corresponding to the target hash function; send the target hash function and the fingerprint information to the gateway device, so that the gateway device forwards the target hash function and the fingerprint information to the second terminal; and perform authentication processing with the second terminal device according to the target hash function and the fingerprint information, so as to establish a Datagram Transport Layer Security (DTLS) protocol connection and transmit data over the DTLS protocol connection.
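The negotiation described for the device 2100 and the system 2300 (hash function list from the first terminal device, candidate set determined by the gateway, target hash function and fingerprint chosen by the first terminal device, fingerprint check by the second terminal device during the DTLS handshake, and the exchange of SCTP port numbers), modelled as an added Python example that is not part of the patent. The message shapes, the SDP-style hash names, the constructed certificate bytes and the weak-hash policy are assumptions made here.

```python
"""Added model of the hash-function / fingerprint negotiation between an H.323
terminal (A), the gateway (GW) and a SIP terminal (B). Not the patent's code;
message shapes, hash names, certificate bytes and the weak-hash policy are assumptions."""
import hashlib
import hmac
from typing import Dict, List, Tuple

# SDP fingerprint hash names (as used by RFC 4572 / RFC 8122) -> hashlib algorithm names.
HASH_NAMES = {"sha-1": "sha1", "sha-256": "sha256", "sha-384": "sha384", "sha-512": "sha512"}
# Local policy (assumption): hash functions A refuses to select for its own fingerprint.
WEAK_HASHES = {"sha-1"}

# Constructed stand-in for the DER encoding of terminal A's self-signed certificate.
CERT_A_DER = b"CONSTRUCTED-DER-CERT-OF-TERMINAL-A"


def fingerprint(hash_name: str, cert_der: bytes) -> str:
    """Fingerprint = hash of the certificate's DER encoding, rendered 'sha-256 AB:CD:...'."""
    digest = hashlib.new(HASH_NAMES[hash_name], cert_der).digest()
    return hash_name + " " + ":".join(f"{b:02X}" for b in digest)


def gateway_negotiate(hash_list_a: List[str], supported_b: List[str]) -> List[str]:
    """Gateway step: candidate set = A's list filtered to what B supports, in A's preference order."""
    return [h for h in hash_list_a if h in supported_b]


def terminal_select_target(candidates: List[str], supported_a: List[str],
                           cert_der_a: bytes) -> Tuple[str, str]:
    """Terminal A step: pick the first acceptable candidate and compute A's own fingerprint."""
    for h in candidates:
        if h in supported_a and h in HASH_NAMES and h not in WEAK_HASHES:
            return h, fingerprint(h, cert_der_a)
    raise ValueError("no acceptable hash function in candidate list")


def verify_peer_fingerprint(expected: str, presented_cert_der: bytes) -> bool:
    """Terminal B step: rehash the certificate A presents in the DTLS handshake with the
    negotiated hash function and compare it, in constant time, with the fingerprint that
    arrived over signalling. An unknown hash name is rejected rather than guessed."""
    hash_name, _, _ = expected.partition(" ")
    if hash_name not in HASH_NAMES:
        return False
    actual = fingerprint(hash_name, presented_cert_der)
    return hmac.compare_digest(actual.encode(), expected.encode())


def run_negotiation(hash_list_a: List[str], supported_a: List[str], supported_b: List[str],
                    cert_der_a: bytes, presented_cert_der: bytes,
                    port_a: int, port_b: int) -> Dict:
    """Drive the exchange A -> GW -> B and back; return the outcome and a message log."""
    log = []
    # A sends its hash function list and its SCTP port number (the first port number).
    log.append(("A->GW", {"hash_list": list(hash_list_a), "sctp_port": port_a}))
    candidates = gateway_negotiate(hash_list_a, supported_b)
    log.append(("GW->A", {"candidates": candidates}))
    # A determines the target hash function and the matching fingerprint.
    target, fp = terminal_select_target(candidates, supported_a, cert_der_a)
    log.append(("A->GW", {"target": target, "fingerprint": fp}))
    # GW forwards target, fingerprint and first port number to B, and B's port to A.
    log.append(("GW->B", {"target": target, "fingerprint": fp, "sctp_port": port_a}))
    log.append(("GW->A", {"sctp_port": port_b}))
    # B authenticates A's DTLS certificate against the signalled fingerprint; only then
    # are the SCTP endpoints (first and second port numbers) usable for data.
    authenticated = verify_peer_fingerprint(fp, presented_cert_der)
    return {"candidates": candidates, "target": target, "fingerprint": fp,
            "authenticated": authenticated,
            "sctp_endpoints": (port_a, port_b) if authenticated else None,
            "log": log}


if __name__ == "__main__":
    result = run_negotiation(["sha-1", "sha-256", "sha-384"],
                             ["sha-1", "sha-256", "sha-384"],
                             ["sha-256", "sha-1"],
                             CERT_A_DER, CERT_A_DER, 5000, 5001)
    for direction, message in result["log"]:
        print(direction, message)
    print("authenticated:", result["authenticated"], "SCTP:", result["sctp_endpoints"])
    # A certificate substituted on the media path no longer matches the signalled fingerprint.
    tampered = run_negotiation(["sha-256"], ["sha-256"], ["sha-256"],
                               CERT_A_DER, CERT_A_DER + b"!", 5000, 5001)
    print("tampered cert authenticated:", tampered["authenticated"])
```

The gateway only intersects lists; the fingerprint is computed and checked end to end by the terminals, which is why the data path needs no forwarding by the gateway.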
The gateway device 2330 according to the embodiment of the present invention may correspond to the gateway device in the method of the embodiment of the present invention, and the units (that is, modules) in the gateway device 2330 and the other operations and/or functions described above are respectively intended to implement the corresponding procedures of the method 400 in FIG. 4; for brevity, they are not described again here.
The first terminal device 2310 according to the embodiment of the present invention may correspond to the first terminal device (for example, the terminal device #X described above) in the method of the embodiment of the present invention, and the units (that is, modules) in the first terminal device 2310 and the other operations and/or functions described above are respectively intended to implement the corresponding procedures of the method 700 in FIG. 7; for brevity, they are not described again here.
According to the system for transmitting data of the embodiment of the present invention, the first terminal device and the second terminal device negotiate security parameters via the gateway device, so that a DTLS protocol connection based on those security parameters can be established between the first terminal device and the second terminal device; the first terminal device and the second terminal device can then transmit data over the DTLS protocol connection without forwarding by the gateway device, which reduces the burden on the gateway device, improves the transmission performance of the system, and improves user experience. Moreover, according to the device for transmitting data of the embodiment of the present invention, the first terminal device using the H.323 protocol and the second terminal device using SIP negotiate a hash function and fingerprint information via the gateway device, so that a DTLS protocol connection based on that hash function and fingerprint information can be established between the first terminal device and the second terminal device, and the first terminal device and the second terminal device can transmit data over the DTLS protocol connection; the security authentication mechanism of the DTLS protocol is thereby used effectively to improve the security of the transmitted data, and the DTLS protocol is made applicable to terminal devices using the H.323 protocol, which improves the reliability and practicality of the terminal devices and improves user experience.
It should be understood that, in the various embodiments of the present invention, the magnitude of the sequence numbers of the above processes does not imply an order of execution; the order in which the processes are executed should be determined by their functions and internal logic, and should not constitute any limitation on the implementation of the embodiments of the present invention.
A person of ordinary skill in the art may be aware that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented by electronic hardware or by a combination of computer software and electronic hardware. Whether these functions are performed by hardware or software depends on the particular application and design constraints of the technical solution. A person skilled in the art may use different methods to implement the described functions for each particular application, but such implementation should not be considered beyond the scope of the present invention.
A person skilled in the art may clearly understand that, for convenience and brevity of description, reference may be made to the corresponding processes in the foregoing method embodiments for the specific working processes of the system, apparatus, and units described above, and details are not described again here.
In the several embodiments provided in this application, it should be understood that the disclosed system, apparatus, and method may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative; for example, the division of the units is merely a division by logical function, and other divisions are possible in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be ignored or not performed. Furthermore, the mutual couplings, direct couplings, or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses, or units, and may be electrical, mechanical, or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
另外,在本发明各个实施例中的各功能单元可以集成在一个处理单元中,也可以是各个单元单独物理存在,也可以两个或两个以上单元集成在一个单元中。In addition, each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
所述功能如果以软件功能单元的形式实现并作为独立的产品销售或使用时,可以存储在一个计算机可读取存储介质中。基于这样的理解,本发明的技术方案本质上或者说对现有技术做出贡献的部分或者该技术方案的部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,包括若干指令用以使得一台计算机设备(可以是个人计算机,服务器,或者网络设备等)执行本发明各个实施例所述方法的全部或部分步骤。而前述的存储介质包括:U盘、移动硬盘、只读存储器(ROM,Read-Only Memory)、随机存取存储器(RAM,Random Access Memory)、磁碟或者光盘等各种可以存储程序代码的介质。The functions may be stored in a computer readable storage medium if implemented in the form of a software functional unit and sold or used as a standalone product. Based on such understanding, the technical solution of the present invention, which is essential or contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product, which is stored in a storage medium, including The instructions are used to cause a computer device (which may be a personal computer, server, or network device, etc.) to perform all or part of the steps of the methods described in various embodiments of the present invention. The foregoing storage medium includes: a U disk, a mobile hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk, and the like. .
以上所述,仅为本发明的具体实施方式,但本发明的保护范围并不局限于此,任何熟悉本技术领域的技术人员在本发明揭露的技术范围内,可轻易想到变化或替换,都应涵盖在本发明的保护范围之内。因此,本发明的保护范围应以所述权利要求的保护范围为准。 The above is only a specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily think of changes or substitutions within the technical scope of the present invention. It should be covered by the scope of the present invention. Therefore, the scope of the invention should be determined by the scope of the appended claims.

Claims (52)

  1. A method for transmitting data, characterized in that it is applied in a communication system comprising a first terminal device and a second terminal device, the first terminal device and the second terminal device communicating with each other via the H.323 protocol, the method comprising:
    receiving, by the first terminal device, a first hash function list sent by the second terminal device, the first hash function list comprising at least one hash function supported by the second terminal device; determining a first hash function from the first hash function list and determining first fingerprint information corresponding to the first hash function; and sending the first hash function and the first fingerprint information to the second terminal device, wherein the first hash function belongs to the hash functions supported by the first terminal device, and the first hash function and the first fingerprint information are used to authenticate the first terminal device;
    sending, by the first terminal device, a second hash function list to the second terminal device, the second hash function list comprising at least one hash function supported by the first terminal device; and receiving a second hash function and second fingerprint information sent by the second terminal device, wherein the second hash function is determined by the second terminal device from the second hash function list and belongs to the hash functions supported by the second terminal device, the second fingerprint information is fingerprint information corresponding to the second hash function, and the second hash function and the second fingerprint information are used to authenticate the second terminal device;
    performing, by the first terminal device, authentication processing with the second terminal device according to the first hash function, the first fingerprint information, the second hash function and the second fingerprint information, so as to establish a Datagram Transport Layer Security (DTLS) protocol connection, and transmitting data to and from the second terminal device over the DTLS protocol connection.
  2. The method according to claim 1, characterized in that the method further comprises:
    sending, by the first terminal device, a first port number to the second terminal device, the first port number being the port number used by the first terminal device to establish a Stream Control Transmission Protocol (SCTP) connection based on the DTLS protocol connection;
    receiving, by the first terminal device, a second port number sent by the second terminal device, the second port number being the port number used by the second terminal device to establish the SCTP connection based on the DTLS protocol connection;
    establishing, by the first terminal device, an SCTP connection with the second terminal device according to the first port number and the second port number, so as to transmit data to and from the second terminal device over the SCTP connection on top of the DTLS protocol connection.
  3. The method according to claim 1 or 2, characterized in that, before the first terminal device performs authentication processing with the second terminal device according to the first hash function, the first fingerprint information, the second hash function and the second fingerprint information, the method further comprises:
    sending, by the first terminal device, first role indication information to the second terminal device, the first role indication information being used to indicate the roles supported by the first terminal device, the roles being at least one of "active" and "passive";
    receiving, by the first terminal device, second role indication information sent by the second terminal device, the second role indication information being used to indicate the roles supported by the second terminal device; and
    the performing, by the first terminal device, authentication processing with the second terminal device according to the first hash function, the first fingerprint information, the second hash function and the second fingerprint information comprises:
    performing, by the first terminal device, authentication processing with the second terminal device according to the first hash function, the first fingerprint information, the second hash function, the second fingerprint information, the roles supported by the first terminal device and the roles supported by the second terminal device.
  4. A method for transmitting data, characterized in that it is applied in a communication system comprising a first terminal device and a second terminal device, the first terminal device and the second terminal device communicating with each other via the H.323 protocol, the method comprising:
    receiving, by the first terminal device, a first hash function list sent by the second terminal device, the first hash function list comprising at least one hash function supported by the second terminal device;
    determining, by the first terminal device, a target hash function from the first hash function list, and determining fingerprint information corresponding to the target hash function, wherein the target hash function belongs to the hash functions supported by the first terminal device;
    sending, by the first terminal device, the target hash function and the fingerprint information to the second terminal device;
    performing, by the first terminal device, authentication processing with the second terminal device according to the target hash function and the fingerprint information, so as to establish a Datagram Transport Layer Security (DTLS) protocol connection, and transmitting data to and from the second terminal device over the DTLS protocol connection.
  5. The method according to claim 4, characterized in that, before the first terminal device determines the target hash function from the first hash function list, the method further comprises:
    receiving, by the first terminal device, role indication information sent by the second terminal device, the role indication information being used to indicate the roles supported by the second terminal device, the roles being at least one of "active" and "passive";
    determining, by the first terminal device, the roles supported by the second terminal device according to the role indication information; and
    the determining, by the first terminal device, the target hash function from the first hash function list comprises:
    determining, by the first terminal device, the target hash function from the first hash function list when the first terminal device determines that the roles supported by the first terminal device include "active" and the roles supported by the second terminal device include "passive".
  6. The method according to claim 4 or 5, characterized in that the determining, by the first terminal device, the target hash function from the first hash function list comprises:
    determining, by the first terminal device, the target hash function from the first hash function list according to the hash functions supported by the first terminal device itself.
  7. The method according to claim 4 or 5, characterized in that, before the first terminal device determines the target hash function from the first hash function list, the method further comprises:
    sending, by the first terminal device, a second hash function list to the second terminal device, the second hash function list comprising at least one hash function supported by the first terminal device, so that the second terminal device determines the first hash function list according to the second hash function list, wherein the hash functions included in the first hash function list belong to the second hash function list; and
    the determining, by the first terminal device, the target hash function from the first hash function list comprises:
    determining, by the first terminal device, any hash function in the first hash function list as the target hash function.
  8. The method according to any one of claims 4 to 7, characterized in that the method further comprises:
    sending, by the first terminal device, a first port number to the second terminal device, the first port number being the port number used by the first terminal device to establish a Stream Control Transmission Protocol (SCTP) connection based on the DTLS protocol connection;
    receiving, by the first terminal device, a second port number sent by the second terminal device, the second port number being the port number used by the second terminal device to establish the SCTP connection based on the DTLS protocol connection;
    establishing, by the first terminal device, an SCTP connection with the second terminal device according to the first port number and the second port number, so as to transmit data to and from the second terminal device over the SCTP connection on top of the DTLS protocol connection.
  9. A method for transmitting data, characterized in that it is applied in a communication system comprising a first terminal device and a second terminal device, the first terminal device and the second terminal device communicating with each other via the H.323 protocol, the method comprising:
    sending, by the second terminal device, a first hash function list to the first terminal device, the first hash function list comprising at least one hash function supported by the second terminal device;
    receiving, by the second terminal device, a target hash function sent by the first terminal device and fingerprint information corresponding to the target hash function, wherein the target hash function is determined by the first terminal device from the first hash function list and belongs to the hash functions supported by the first terminal device;
    performing, by the second terminal device, authentication processing with the first terminal device according to the target hash function and the fingerprint information, so as to establish a Datagram Transport Layer Security (DTLS) protocol connection, and transmitting data to and from the second terminal device over the DTLS protocol connection.
  10. The method according to claim 9, characterized in that, before the second terminal device receives the target hash function sent by the first terminal device and the fingerprint information corresponding to the target hash function, the method further comprises:
    sending, by the second terminal device, role indication information to the first terminal device, the role indication information being used to indicate the roles supported by the second terminal device, the roles being at least one of "active" or "passive", so that the first terminal device determines the target hash function from the first hash function list when it determines that the roles supported by the first terminal device include "active" and the roles supported by the second terminal device include "passive".
  11. The method according to claim 9 or 10, characterized in that the target hash function is determined by the first terminal device from the first hash function list according to the hash functions supported by the first terminal device itself.
  12. The method according to claim 9 or 10, characterized in that, before the second terminal device receives the target hash function sent by the first terminal device and the fingerprint information corresponding to the target hash function, the method further comprises:
    receiving, by the second terminal device, a second hash function list sent by the first terminal device, the second hash function list comprising at least one hash function supported by the first terminal device;
    determining, by the second terminal device, the first hash function list according to the second hash function list, such that the hash functions included in the first hash function list belong to the second hash function list.
  13. The method according to any one of claims 9 to 12, characterized in that the method further comprises:
    receiving, by the second terminal device, a first port number sent by the first terminal device, the first port number being the port number used by the first terminal device to establish a Stream Control Transmission Protocol (SCTP) connection based on the DTLS protocol connection;
    sending, by the second terminal device, a second port number to the first terminal device, the second port number being the port number used by the second terminal device to establish the SCTP connection based on the DTLS protocol connection;
    establishing, by the second terminal device, an SCTP connection with the first terminal device according to the first port number and the second port number, so as to transmit data to and from the first terminal device over the SCTP connection on top of the DTLS protocol connection.
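As an added illustration (not part of the patent text), the following Python models the terminal-side exchange of claims 1 and 4 to 13: each terminal announces the hash functions it supports, the selecting side picks the target hash function from the peer's list (subject to the "active"/"passive" role rule of claim 5) and sends the fingerprint of its DTLS certificate computed with that function, and the peer later accepts the certificate presented in the DTLS handshake only if it hashes to the announced fingerprint. The certificate bytes, the hash-function identifiers and the terminals' preference lists are constructed here for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-ins for the DER-encoded DTLS certificates of the two
# terminals (not real X.509 data; any byte string works for the digest).
CERT_A = b"constructed DER certificate of terminal A"
CERT_B = b"constructed DER certificate of terminal B"
CERT_OTHER = b"constructed DER certificate of an unrelated party"

# Hash-function identifiers are assumed (RFC 4572 style names mapped to
# hashlib algorithm names); the claims do not fix a particular identifier set.
DIGESTS = {"sha-1": "sha1", "sha-256": "sha256", "sha-512": "sha512"}


def fingerprint(cert_der: bytes, hash_name: str) -> str:
    """Fingerprint information = digest of the certificate under hash_name,
    rendered as colon-separated upper-case hex."""
    hexdigest = hashlib.new(DIGESTS[hash_name], cert_der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


@dataclass
class Terminal:
    name: str
    cert_der: bytes
    hashes: list   # supported hash functions, most preferred first
    roles: set     # subset of {"active", "passive"} (claims 3 and 5)

    def hash_list(self) -> list:
        """The hash function list this terminal sends to its peer."""
        return list(self.hashes)

    def choose_target(self, peer_list: list, peer_roles: set = None):
        """Select the target hash function from the peer's list.

        Claim 6: the choice is made according to the functions this side
        supports.  Claim 5 (applied when peer_roles is given): only a side
        whose roles include "active", facing a peer whose roles include
        "passive", performs the selection; otherwise nothing is chosen.
        """
        if peer_roles is not None and (
            "active" not in self.roles or "passive" not in peer_roles
        ):
            return None
        for h in self.hashes:
            if h in peer_list:
                return h
        return None

    def announce(self, target: str) -> tuple:
        """(target hash function, fingerprint information) sent over H.323."""
        return target, fingerprint(self.cert_der, target)

    def verify_peer(self, target: str, claimed_fp: str, presented_cert: bytes) -> bool:
        """Authentication step: the certificate the peer presents in the DTLS
        handshake must hash, under the announced function, to the fingerprint
        received over signalling.  A function this side does not support is
        rejected rather than silently accepted."""
        if target not in self.hashes:
            return False
        return hmac.compare_digest(fingerprint(presented_cert, target), claimed_fp)


def negotiate(first: Terminal, second: Terminal, use_roles: bool = True) -> dict:
    """One direction of claim 4: `second` sends its list, `first` selects the
    target hash function, computes its fingerprint and sends both back."""
    peer_roles = second.roles if use_roles else None
    target = first.choose_target(second.hash_list(), peer_roles)
    if target is None:
        return {"target": None, "fingerprint": None}
    target, fp = first.announce(target)
    return {"target": target, "fingerprint": fp}


def mutual_negotiation(a: Terminal, b: Terminal) -> dict:
    """Claim 1: both directions run, so each side ends up holding the
    (hash function, fingerprint) pair needed to authenticate the other."""
    return {"a_to_b": negotiate(a, b, use_roles=False),
            "b_to_a": negotiate(b, a, use_roles=False)}


# Constructed sample terminals.
TERMINAL_A = Terminal("A", CERT_A, ["sha-256", "sha-1"], {"active", "passive"})
TERMINAL_B = Terminal("B", CERT_B, ["sha-512", "sha-256"], {"passive"})


if __name__ == "__main__":
    offer = negotiate(TERMINAL_A, TERMINAL_B)
    print("A announces:", offer)
    # B later sees A's certificate in the DTLS handshake and checks it.
    print("B accepts A's certificate:",
          TERMINAL_B.verify_peer(offer["target"], offer["fingerprint"], CERT_A))
    print("B accepts a substituted certificate:",
          TERMINAL_B.verify_peer(offer["target"], offer["fingerprint"], CERT_OTHER))
```

The fingerprint check is what binds the identity asserted over H.323 signalling to the certificate actually used in the DTLS handshake; a substituted certificate, or a hash function the verifier does not support, fails the check.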
  14. A method for transmitting data, characterized in that it is applied in a communication system comprising a first terminal device, a second terminal device and a gateway device, the first terminal device and the gateway device communicating via the H.323 protocol, and the second terminal device and the gateway device communicating via the Session Initiation Protocol (SIP), the method comprising:
    receiving, by the gateway device, at least one first hash function sent by the second terminal device, the first hash function belonging to the hash functions supported by the second terminal device; sending, to the first terminal device, a first hash function list in which the first hash function is recorded; and receiving a target first hash function and first fingerprint information sent by the first terminal device, wherein the target first hash function is determined by the first terminal device from the first hash function list and belongs to the hash functions supported by the first terminal device, the first fingerprint information is fingerprint information corresponding to the target first hash function, and the target first hash function and the first fingerprint information are used to authenticate the first terminal device;
    receiving, by the gateway device, a second hash function list sent by the first terminal device, the second hash function list comprising at least one second hash function supported by the first terminal device; sending some or all of the second hash functions to the second terminal device; and receiving a target second hash function and second fingerprint information sent by the second terminal device, wherein the target second hash function is determined by the second terminal device from the some or all of the second hash functions and belongs to the hash functions supported by the second terminal device, the second fingerprint information is fingerprint information corresponding to the target second hash function, and the target second hash function and the second fingerprint information are used to authenticate the second terminal device;
    sending, by the gateway device, the target first hash function and the first fingerprint information to the second terminal device, and sending the target second hash function and the second fingerprint information to the first terminal device, so that the first terminal device and the second terminal device perform authentication processing according to the target first hash function, the first fingerprint information, the target second hash function and the second fingerprint information, so as to establish a Datagram Transport Layer Security (DTLS) protocol connection, and transmit data over the DTLS protocol connection.
  15. The method according to claim 14, characterized in that the method further comprises:
    receiving, by the gateway device, first role indication information sent by the first terminal device and second role indication information sent by the second terminal device, the first role indication information being used to indicate the roles supported by the first terminal device, the second role indication information being used to indicate the roles supported by the second terminal device, the roles being at least one of "active" and "passive";
    sending, by the gateway device, the first role indication information to the second terminal device and the second role indication information to the first terminal device, so that the first terminal device and the second terminal device perform authentication processing according to the first hash function, the first fingerprint information, the second hash function, the second fingerprint information, the roles supported by the first terminal device and the roles supported by the second terminal device.
  16. The method according to claim 14 or 15, characterized in that the method further comprises:
    receiving, by the gateway device, a first port number sent by the first terminal device and a second port number sent by the second terminal device, the first port number being the port number used by the first terminal device to establish a Stream Control Transmission Protocol (SCTP) connection based on the DTLS protocol connection, and the second port number being the port number used by the second terminal device to establish the SCTP connection based on the DTLS protocol connection;
    forwarding, by the gateway device, the first port number to the second terminal device and the second port number to the first terminal device, so that the first terminal device and the second terminal device establish an SCTP connection according to the first port number and the second port number and transmit data over the SCTP connection.
  17. A method for transmitting data, characterized in that it is applied in a communication system comprising a first terminal device, a second terminal device and a gateway device, the first terminal device and the gateway device communicating via the H.323 protocol, and the second terminal device and the gateway device communicating via the Session Initiation Protocol (SIP), the method comprising:
    receiving, by the first terminal device, a first hash function list sent by the gateway device, wherein at least one first hash function sent by the second terminal device to the gateway device is recorded in the first hash function list, the first hash function belonging to the hash functions supported by the second terminal device; determining a target first hash function from the first hash function list and determining first fingerprint information corresponding to the target first hash function, wherein the target first hash function belongs to the hash functions supported by the first terminal device, and the target first hash function and the first fingerprint information are used to authenticate the first terminal device; and sending the target first hash function and the first fingerprint information to the gateway device, so that the gateway device sends the target first hash function and the first fingerprint information to the second terminal device;
    sending, by the first terminal device, a second hash function list to the gateway device, the second hash function list comprising at least one second hash function supported by the first terminal device; and receiving a target second hash function and second fingerprint information sent by the gateway device, wherein the target second hash function is determined by the second terminal device from the some or all of the second hash functions sent by the gateway device and belongs to the hash functions supported by the second terminal device, the second fingerprint information is fingerprint information corresponding to the target second hash function, and the target second hash function and the second fingerprint information are used to authenticate the second terminal device;
    performing, by the first terminal device, authentication processing with the second terminal device according to the target first hash function, the first fingerprint information, the target second hash function and the second fingerprint information, so as to establish a Datagram Transport Layer Security (DTLS) protocol connection, and transmitting data to and from the second terminal device over the DTLS protocol connection.
  18. The method according to claim 17, characterized in that the method further comprises:
    sending, by the first terminal device, a first port number to the gateway device, the first port number being the port number used by the first terminal device to establish a Stream Control Transmission Protocol (SCTP) connection based on the DTLS protocol connection, so that the gateway device sends the first port number to the second terminal device;
    receiving, by the first terminal device, a second port number sent by the gateway device, the second port number having been sent by the second terminal device to the gateway device and being the port number used by the second terminal device to establish the SCTP connection based on the DTLS protocol connection;
    establishing, by the first terminal device, an SCTP connection with the second terminal device according to the first port number and the second port number, so as to transmit data to and from the second terminal device over the SCTP connection on top of the DTLS protocol connection.
  19. The method according to claim 17 or 18, characterized in that, before the first terminal device performs authentication processing with the second terminal device according to the target first hash function, the first fingerprint information, the target second hash function and the second fingerprint information, the method further comprises:
    sending, by the first terminal device, first role indication information to the gateway device, the first role indication information being used to indicate the roles supported by the first terminal device, the roles being at least one of "active" and "passive", so that the gateway device sends the first role indication information to the second terminal device;
    receiving, by the first terminal device, second role indication information sent by the gateway device, the second role indication information having been sent by the second terminal device to the gateway device and being used to indicate the roles supported by the second terminal device; and
    the performing, by the first terminal device, authentication processing with the second terminal device according to the target first hash function, the first fingerprint information, the target second hash function and the second fingerprint information comprises:
    performing, by the first terminal device, authentication processing with the second terminal device according to the target first hash function, the first fingerprint information, the target second hash function, the second fingerprint information, the roles supported by the first terminal device and the roles supported by the second terminal device.
  20. A method for transmitting data, wherein the method is applied to a communication system comprising a first terminal device, a second terminal device and a gateway device, the first terminal device communicates with the gateway device via the H.323 protocol, and the second terminal device communicates with the gateway device via the Session Initiation Protocol (SIP), the method comprising:
    the gateway device receives a hash function list sent by the first terminal device, where the hash function list comprises at least one hash function supported by the first terminal device;
    the gateway device performs negotiation processing with the second terminal device according to the hash function list, so as to determine at least one candidate hash function from the hash function list, where the candidate hash function is a hash function supported by the second terminal device;
    the gateway device sends the candidate hash function to the first terminal device, so that the first terminal device determines a target hash function from the candidate hash function and determines fingerprint information corresponding to the target hash function; and
    the gateway device receives the target hash function and the fingerprint information sent by the first terminal device, and sends the target hash function and the fingerprint information to the second terminal device, so that the first terminal device and the second terminal device perform authentication processing according to the target hash function and the fingerprint information to establish a Datagram Transport Layer Security (DTLS) connection and transmit data over the DTLS connection.
  21. The method according to claim 20, wherein the gateway device performing negotiation processing with the second terminal device according to the hash function list, so as to determine at least one candidate hash function from the hash function list, comprises:
    the gateway device sends a hash function to be verified to the second terminal device, where the hash function to be verified is any hash function in the hash function list;
    the gateway device receives a verification message sent by the second terminal device, where the verification message indicates whether the hash function to be verified is a hash function supported by the second terminal device; and
    when the gateway device determines, according to the verification message, that the hash function to be verified is a hash function supported by the second terminal device, the gateway device determines the hash function to be verified as a candidate hash function.
  22. The method according to claim 21, wherein the gateway device determining the hash function to be verified as a candidate hash function when it determines, according to the verification message, that the hash function to be verified is a hash function supported by the second terminal device comprises:
    when the gateway device determines that the verification message carries the hash function to be verified, the gateway device determines that the hash function to be verified is a hash function supported by the second terminal device, and determines the hash function to be verified as a candidate hash function.
  23. The method according to any one of claims 20 to 22, wherein the method further comprises:
    the gateway device receives a first port number sent by the first terminal device and a second port number sent by the second terminal device, where the first port number is the port number used by the first terminal device to establish a Stream Control Transmission Protocol (SCTP) connection over the DTLS connection, and the second port number is the port number used by the second terminal device to establish the SCTP connection over the DTLS connection; and
    the gateway device forwards the first port number to the second terminal device and forwards the second port number to the first terminal device, so that the first terminal device and the second terminal device establish the SCTP connection according to the first port number and the second port number and transmit data over the SCTP connection.
  24. A method for transmitting data, wherein the method is applied to a communication system comprising a first terminal device, a second terminal device and a gateway device, the first terminal device communicates with the gateway device via the H.323 protocol, and the second terminal device communicates with the gateway device via the Session Initiation Protocol (SIP), the method comprising:
    the first terminal device sends a hash function list to the gateway device, where the hash function list comprises at least one hash function supported by the first terminal device, so that the gateway device performs negotiation processing with the second terminal device according to the hash function list to determine at least one candidate hash function from the hash function list, where the candidate hash function is a hash function supported by the second terminal device;
    the first terminal device receives the candidate hash function sent by the gateway device;
    the first terminal device determines a target hash function from the candidate hash function and determines fingerprint information corresponding to the target hash function;
    the first terminal device sends the target hash function and the fingerprint information to the gateway device, so that the gateway device forwards the target hash function and the fingerprint information to the second terminal device; and
    the first terminal device performs authentication processing with the second terminal device according to the target hash function and the fingerprint information to establish a Datagram Transport Layer Security (DTLS) connection, and transmits data over the DTLS connection.
  25. The method according to claim 24, wherein the method further comprises:
    the first terminal device sends a first port number to the gateway device, so that the gateway device forwards the first port number to the second terminal device, where the first port number is the port number used by the first terminal device to establish a Stream Control Transmission Protocol (SCTP) connection over the DTLS connection;
    the first terminal device receives a second port number sent by the gateway device, where the second port number was sent by the second terminal device to the gateway device and is the port number used by the second terminal device to establish the SCTP connection over the DTLS connection; and
    the first terminal device establishes the SCTP connection with the second terminal device according to the first port number and the second port number, so as to transmit data over the SCTP connection.
  26. An apparatus for transmitting data, wherein the apparatus is configured in a communication system comprising the apparatus and a second terminal device, the apparatus communicates with the second terminal device via the H.323 protocol, and the apparatus comprises:
    a receiving unit, configured to receive a first hash function list sent by the second terminal device, where the first hash function list comprises at least one hash function supported by the second terminal device;
    a processing unit, configured to determine a first hash function from the first hash function list and to determine first fingerprint information corresponding to the first hash function; and
    a sending unit, configured to send the first hash function and the first fingerprint information to the second terminal device, where the first hash function is a hash function supported by the apparatus, and the first hash function and the first fingerprint information are used for authentication of the apparatus;
    the sending unit is further configured to send a second hash function list to the second terminal device, where the second hash function list comprises at least one hash function supported by the apparatus;
    the receiving unit is further configured to receive a second hash function and second fingerprint information sent by the second terminal device, where the second hash function was determined by the second terminal device from the second hash function list and is a hash function supported by the second terminal device, the second fingerprint information is fingerprint information corresponding to the second hash function, and the second hash function and the second fingerprint information are used for authentication of the second terminal device; and
    the processing unit is further configured to perform authentication processing with the second terminal device according to the first hash function, the first fingerprint information, the second hash function and the second fingerprint information, so as to establish a Datagram Transport Layer Security (DTLS) connection and transmit data to and from the second terminal device over the DTLS connection.
  27. The apparatus according to claim 26, wherein the sending unit is further configured to send a first port number to the second terminal device, where the first port number is the port number used by the apparatus to establish a Stream Control Transmission Protocol (SCTP) connection over the DTLS connection;
    the receiving unit is further configured to receive a second port number sent by the second terminal device, where the second port number is the port number used by the second terminal device to establish the SCTP connection over the DTLS connection; and
    the processing unit is further configured to establish the SCTP connection with the second terminal device according to the first port number and the second port number, so as to transmit data to and from the second terminal device over the SCTP connection on the DTLS connection.
  28. The apparatus according to claim 26 or 27, wherein the sending unit is further configured to send first role indication information to the second terminal device, where the first role indication information indicates the role supported by the apparatus, the role being at least one of "active" and "passive";
    the receiving unit is further configured to receive second role indication information sent by the second terminal device, where the second role indication information indicates the role supported by the second terminal device; and
    the processing unit is specifically configured to perform authentication processing with the second terminal device according to the first hash function, the first fingerprint information, the second hash function, the second fingerprint information, the role supported by the apparatus and the role supported by the second terminal device.
  29. An apparatus for transmitting data, wherein the apparatus is configured in a communication system comprising the apparatus and a second terminal device, the apparatus communicates with the second terminal device via the H.323 protocol, and the apparatus comprises:
    a receiving unit, configured to receive a first hash function list sent by the second terminal device, where the first hash function list comprises at least one hash function supported by the second terminal device;
    a processing unit, configured to determine a target hash function from the first hash function list and to determine fingerprint information corresponding to the target hash function, where the target hash function is a hash function supported by the apparatus; and
    a sending unit, configured to send the target hash function and the fingerprint information to the second terminal device;
    where the processing unit is further configured to perform authentication processing with the second terminal device according to the target hash function and the fingerprint information, so as to establish a Datagram Transport Layer Security (DTLS) connection and transmit data to and from the second terminal device over the DTLS connection.
  30. The apparatus according to claim 29, wherein the receiving unit is further configured to receive role indication information sent by the second terminal device, where the role indication information indicates the role supported by the second terminal device, the role being at least one of "active" and "passive"; and
    the processing unit is further configured to determine, according to the role indication information, the role supported by the second terminal device, and to determine the target hash function from the first hash function list when it determines that the role supported by the apparatus includes "active" and the role supported by the second terminal device includes "passive".
  31. The apparatus according to claim 29 or 30, wherein the processing unit is specifically configured to determine the target hash function from the first hash function list according to the hash functions supported by the apparatus itself.
  32. The apparatus according to claim 29 or 30, wherein the sending unit is further configured to send a second hash function list to the second terminal device, where the second hash function list comprises at least one hash function supported by the apparatus, so that the second terminal device determines the first hash function list according to the second hash function list, where the hash functions included in the first hash function list belong to the second hash function list; and
    the processing unit is specifically configured to determine any hash function in the first hash function list as the target hash function.
  33. The apparatus according to any one of claims 29 to 32, wherein the sending unit is further configured to send a first port number to the second terminal device, where the first port number is the port number used by the apparatus to establish a Stream Control Transmission Protocol (SCTP) connection over the DTLS connection;
    the receiving unit is further configured to receive a second port number sent by the second terminal device, where the second port number is the port number used by the second terminal device to establish the SCTP connection over the DTLS connection; and
    the processing unit is further configured to establish the SCTP connection with the second terminal device according to the first port number and the second port number, so as to transmit data to and from the second terminal device over the SCTP connection on the DTLS connection.
  34. An apparatus for transmitting data, wherein the apparatus is configured in a communication system comprising a first terminal device and the apparatus, the first terminal device communicates with the apparatus via the H.323 protocol, and the apparatus comprises:
    a sending unit, configured to send a first hash function list to the first terminal device, where the first hash function list comprises at least one hash function supported by the apparatus;
    a receiving unit, configured to receive a target hash function sent by the first terminal device and fingerprint information corresponding to the target hash function, where the target hash function was determined by the first terminal device from the first hash function list and is a hash function supported by the first terminal device; and
    a processing unit, configured to perform authentication processing with the first terminal device according to the target hash function and the fingerprint information, so as to establish a Datagram Transport Layer Security (DTLS) connection and transmit data between the first terminal device and the apparatus over the DTLS connection.
  35. The apparatus according to claim 34, wherein the sending unit is further configured to send role indication information to the first terminal device, where the role indication information indicates the role supported by the apparatus, the role being at least one of "active" or "passive", so that the first terminal device determines the target hash function from the first hash function list when it determines that the role supported by the first terminal device includes "active" and the role supported by the apparatus includes "passive".
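As an added illustration of the gateway-mediated negotiation in claims 20 to 25 and the role-gated target selection in claims 30 and 35 (example code written for this page, not from the patent or its assignee): the gateway probes the SIP-side terminal one hash function at a time, the H.323-side terminal picks the target only when it is "active" and the peer "passive", and the peer checks the certificate presented in the DTLS handshake against the fingerprint relayed over signalling. The hash function names, the fingerprint being a digest of the peer's DER certificate, the certificate bytes and the port numbers are assumptions; the certificates are constructed placeholders.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumption: hash functions are carried by name in the signalling messages and the
# fingerprint is the digest of the peer's DER-encoded certificate (the claims fix
# neither the encoding nor the exact fingerprint input).
HASH_IMPL = {
    "sha-1": hashlib.sha1,
    "sha-256": hashlib.sha256,
    "sha-384": hashlib.sha384,
    "sha-512": hashlib.sha512,
}


@dataclass
class Terminal:
    name: str
    supported_hashes: List[str]   # own preference order, most preferred first
    roles: Set[str]               # subset of {"active", "passive"}
    cert_der: bytes               # constructed placeholder, not a real certificate
    sctp_port: int                # port used for the SCTP association over DTLS

    def verification_message(self, to_verify: str) -> Optional[str]:
        """Claim 22: the reply carries the hash function only if this terminal supports it."""
        return to_verify if to_verify in self.supported_hashes else None

    def choose_target(self, candidates: List[str], peer_roles: Set[str]) -> Optional[str]:
        """Claims 30 and 31: select only when self is 'active' and the peer 'passive',
        and only a function this terminal supports itself (own preference order)."""
        if "active" not in self.roles or "passive" not in peer_roles:
            return None
        for name in self.supported_hashes:
            if name in candidates:
                return name
        return None

    def fingerprint(self, hash_name: str) -> str:
        """Fingerprint information corresponding to the target hash function (claim 24)."""
        return HASH_IMPL[hash_name](self.cert_der).hexdigest()


class Gateway:
    """H.323/SIP gateway of claims 20 to 23: it negotiates and relays, it never signs."""

    def negotiate(self, hash_list: List[str], sip_terminal: Terminal) -> List[str]:
        candidates = []
        for name in hash_list:                        # claim 21: any function in the list
            reply = sip_terminal.verification_message(name)
            if reply == name:                         # claim 22: carried back => supported
                candidates.append(name)
        return candidates


def verify_peer_fingerprint(handshake_cert_der: bytes, hash_name: str,
                            expected_fp: str, supported: List[str]) -> bool:
    """Authentication step: the certificate seen in the DTLS handshake must match the
    fingerprint relayed over signalling, under the negotiated hash function only."""
    if hash_name not in supported or hash_name not in HASH_IMPL:
        return False                                  # never fall back to a weaker digest
    actual = HASH_IMPL[hash_name](handshake_cert_der).hexdigest()
    return hmac.compare_digest(actual, expected_fp)


def run_session(h323_terminal: Terminal, sip_terminal: Terminal,
                handshake_cert_der: Optional[bytes] = None) -> Dict[str, object]:
    """Walk through claims 20 to 25 once; handshake_cert_der lets a caller substitute
    the certificate actually presented in the DTLS handshake."""
    gw = Gateway()
    candidates = gw.negotiate(h323_terminal.supported_hashes, sip_terminal)
    target = h323_terminal.choose_target(candidates, sip_terminal.roles)
    if target is None:
        return {"candidates": candidates, "target": None, "authenticated": False}
    fp = h323_terminal.fingerprint(target)
    # The gateway forwards (target, fp) and both SCTP port numbers unchanged (claims 20, 23).
    presented = h323_terminal.cert_der if handshake_cert_der is None else handshake_cert_der
    ok = verify_peer_fingerprint(presented, target, fp, sip_terminal.supported_hashes)
    return {
        "candidates": candidates,
        "target": target,
        "fingerprint": fp,
        "authenticated": ok,
        "sctp_ports": (h323_terminal.sctp_port, sip_terminal.sctp_port) if ok else None,
    }


# Constructed sample terminals (not from the patent).
TERMINAL_A = Terminal("A (H.323)", ["sha-512", "sha-256", "sha-1"], {"active"},
                      b"constructed-der-certificate-of-A", 5000)
TERMINAL_B = Terminal("B (SIP)", ["sha-256", "sha-384"], {"passive"},
                      b"constructed-der-certificate-of-B", 5001)

if __name__ == "__main__":
    print(run_session(TERMINAL_A, TERMINAL_B))
```

Note that the SIP side only reports support per probed function and the only digest accepted at verification time is the negotiated one, so an intermediary cannot quietly downgrade the pair to a function neither side listed.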
  36. The apparatus according to claim 34 or 35, wherein the target hash function is determined by the first terminal device from the first hash function list according to the hash functions supported by the first terminal device itself.
  37. The apparatus according to claim 34 or 35, wherein the receiving unit is further configured to receive a second hash function list sent by the first terminal device, where the second hash function list comprises at least one hash function supported by the first terminal device; and
    the processing unit is further configured to determine the first hash function list according to the second hash function list, so that the hash functions included in the first hash function list belong to the second hash function list.
  38. The apparatus according to any one of claims 34 to 37, wherein the receiving unit is further configured to receive a first port number sent by the first terminal device, where the first port number is the port number used by the first terminal device to establish a Stream Control Transmission Protocol (SCTP) connection over the DTLS connection;
    the sending unit is further configured to send a second port number to the first terminal device, where the second port number is the port number used by the apparatus to establish the SCTP connection over the DTLS connection; and
    the processing unit is further configured to establish the SCTP connection with the first terminal device according to the first port number and the second port number, so as to transmit data to and from the first terminal device over the SCTP connection on the DTLS connection.
  39. An apparatus for transmitting data, wherein the apparatus is configured in a communication system comprising a first terminal device, a second terminal device and the apparatus, the first terminal device communicates with the apparatus via the H.323 protocol, the second terminal device communicates with the apparatus via the Session Initiation Protocol (SIP), and the apparatus comprises:
    a receiving unit, configured to receive at least one first hash function sent by the second terminal device, where the first hash function is a hash function supported by the second terminal device, and to receive a second hash function list sent by the first terminal device, where the second hash function list comprises at least one second hash function supported by the first terminal device; and
    a sending unit, configured to send a first hash function list recording the first hash function to the first terminal device, and to send some or all of the second hash functions to the second terminal device;
    the receiving unit is further configured to receive a target first hash function and first fingerprint information sent by the first terminal device, and to receive a target second hash function and second fingerprint information sent by the second terminal device, where the target first hash function was determined by the first terminal device from the first hash function list and is a hash function supported by the first terminal device, the first fingerprint information is fingerprint information corresponding to the target first hash function, the target first hash function and the first fingerprint information are used for authentication of the first terminal device, the target second hash function was determined by the second terminal device from the some or all of the second hash functions and is a hash function supported by the second terminal device, the second fingerprint information is fingerprint information corresponding to the target second hash function, and the target second hash function and the second fingerprint information are used for authentication of the second terminal device; and
    the sending unit is further configured to send the target first hash function and the first fingerprint information to the second terminal device, and to send the target second hash function and the second fingerprint information to the first terminal device, so that the first terminal device and the second terminal device perform authentication processing according to the target first hash function, the first fingerprint information, the target second hash function and the second fingerprint information to establish a Datagram Transport Layer Security (DTLS) connection and transmit data over the DTLS connection.
  40. The apparatus according to claim 39, wherein the receiving unit is further configured to receive first role indication information sent by the first terminal device and second role indication information sent by the second terminal device, where the first role indication information indicates the role supported by the first terminal device, the second role indication information indicates the role supported by the second terminal device, and the role is at least one of "active" and "passive"; and
    the sending unit is further configured to send the first role indication information to the second terminal device and to send the second role indication information to the first terminal device, so that the first terminal device and the second terminal device perform authentication processing according to the first hash function, the first fingerprint information, the second hash function, the second fingerprint information, the role supported by the first terminal device and the role supported by the second terminal device.
  41. The apparatus according to claim 39 or 40, wherein the receiving unit is further configured to receive a first port number sent by the first terminal device and a second port number sent by the second terminal device, where the first port number is the port number used by the first terminal device to establish a Stream Control Transmission Protocol (SCTP) connection over the DTLS connection, and the second port number is the port number used by the second terminal device to establish the SCTP connection over the DTLS connection; and
    the sending unit is further configured to forward the first port number to the second terminal device and to forward the second port number to the first terminal device, so that the first terminal device and the second terminal device establish the SCTP connection according to the first port number and the second port number and transmit data over the SCTP connection.
  42. An apparatus for transmitting data, wherein the apparatus is configured in a communication system comprising the apparatus, a second terminal device and a gateway device, the apparatus communicates with the gateway device via the H.323 protocol, the second terminal device communicates with the gateway device via the Session Initiation Protocol (SIP), and the apparatus comprises:
    a receiving unit, configured to receive a first hash function list sent by the gateway device, where the first hash function list records at least one first hash function sent by the second terminal device to the gateway device, and the first hash function is a hash function supported by the second terminal device;
    a processing unit, configured to determine a target first hash function from the first hash function list and to determine first fingerprint information corresponding to the target first hash function, where the target first hash function is a hash function supported by the apparatus, and the target first hash function and the first fingerprint information are used for authentication of the apparatus; and
    a sending unit, configured to send the target first hash function and the first fingerprint information to the gateway device, so that the gateway device sends the target first hash function and the first fingerprint information to the second terminal device, and configured to send a second hash function list to the gateway device, where the second hash function list comprises at least one second hash function supported by the apparatus;
    the receiving unit is further configured to receive a target second hash function and second fingerprint information sent by the gateway device, where the target second hash function was determined by the second terminal device from some or all of the second hash functions sent by the gateway device and is a hash function supported by the second terminal device, the second fingerprint information is fingerprint information corresponding to the target second hash function, and the target second hash function and the second fingerprint information are used for authentication of the second terminal device; and
    the processing unit is further configured to perform authentication processing with the second terminal device according to the target first hash function, the first fingerprint information, the target second hash function and the second fingerprint information, so as to establish a Datagram Transport Layer Security (DTLS) connection and transmit data to and from the second terminal device over the DTLS connection.
  43. The apparatus according to claim 42, wherein the sending unit is further configured to send a first port number to the gateway device, where the first port number is the port number used by the apparatus to establish a Stream Control Transmission Protocol (SCTP) connection over the DTLS connection, so that the gateway device sends the first port number to the second terminal device;
    the receiving unit is further configured to receive a second port number sent by the gateway device, where the second port number was sent by the second terminal device to the gateway device and is the port number used by the second terminal device to establish the SCTP connection over the DTLS connection; and
    the processing unit is further configured to establish the SCTP connection with the second terminal device according to the first port number and the second port number, so as to transmit data to and from the second terminal device over the SCTP connection on the DTLS connection.
  44. The apparatus according to claim 42 or 43, wherein the sending unit is further configured to send first role indication information to the gateway device, the first role indication information being used to indicate the role supported by the apparatus, the role being at least one of "active" and "passive", so that the gateway device sends the first role indication information to the second terminal device;
    the receiving unit is further configured to receive second role indication information sent by the gateway device, where the second role indication information is sent by the second terminal device to the gateway device, and the second role indication information is used to indicate the role supported by the second terminal device; and
    the processing unit is specifically configured to perform authentication processing with the second terminal device according to the target first hash function, the first fingerprint information, the target second hash function, the second fingerprint information, the role supported by the apparatus and the role supported by the second terminal device.
  45. An apparatus for transmitting data, configured in a communication system including a first terminal device, a second terminal device and the apparatus, where the first terminal device and the apparatus communicate through the H.323 protocol and the second terminal device and the apparatus communicate through the Session Initiation Protocol (SIP), the apparatus including:
    a receiving unit, configured to receive a hash function list sent by the first terminal device, the hash function list including at least one hash function supported by the first terminal device;
    a processing unit, configured to perform negotiation processing with the second terminal device according to the hash function list, so as to determine at least one candidate hash function from the hash function list, where the candidate hash function belongs to the hash functions supported by the second terminal device;
    a sending unit, configured to send the candidate hash function to the first terminal device, so that the first terminal device determines a target hash function from the candidate hash functions and determines fingerprint information corresponding to the target hash function;
    the receiving unit is further configured to receive the target hash function and the fingerprint information sent by the first terminal device;
    the sending unit is further configured to send the target hash function and the fingerprint information to the second terminal, so that the first terminal device and the second terminal device perform authentication processing according to the target hash function and the fingerprint information, so as to establish a Datagram Transport Layer Security (DTLS) protocol connection and transmit data over the DTLS protocol connection.
  46. The apparatus according to claim 45, wherein the sending unit is further configured to send a to-be-verified hash function to the second terminal device, the to-be-verified hash function being any hash function in the hash function list;
    the receiving unit is further configured to receive a verification message sent by the second terminal device, the verification message being used to indicate whether the to-be-verified hash function belongs to the hash functions supported by the second terminal device;
    the processing unit is specifically configured to determine the to-be-verified hash function as a candidate hash function when it determines, according to the verification message, that the to-be-verified hash function belongs to the hash functions supported by the second terminal device.
  47. The apparatus according to claim 46, wherein the processing unit is specifically configured to determine, when it determines that the verification message carries the to-be-verified hash function, that the to-be-verified hash function belongs to the hash functions supported by the second terminal device, and to determine the to-be-verified hash function as a candidate hash function.
  48. The apparatus according to any one of claims 45 to 47, wherein the receiving unit is further configured to receive a first port number sent by the first terminal device and a second port number sent by the second terminal device, the first port number being the port number used by the first terminal device to establish a Stream Control Transmission Protocol (SCTP) connection based on the DTLS protocol connection, and the second port number being the port number used by the second terminal device to establish an SCTP connection based on the DTLS protocol connection;
    the sending unit is further configured to forward the first port number to the second terminal device and to forward the second port number to the first terminal device, so that the first terminal device and the second terminal device establish an SCTP connection according to the first port number and the second port number and transmit data over the SCTP connection.
  49. An apparatus for transmitting data, configured in a communication system including the apparatus, a second terminal device and a gateway device, where the apparatus and the gateway device communicate through the H.323 protocol and the second terminal device and the gateway device communicate through the Session Initiation Protocol (SIP), the apparatus including:
    a sending unit, configured to send a hash function list to the gateway device, the hash function list including at least one hash function supported by the apparatus, so that the gateway device performs negotiation processing with the second terminal device according to the hash function list, so as to determine at least one candidate hash function from the hash function list, where the candidate hash function belongs to the hash functions supported by the second terminal device;
    a receiving unit, configured to receive the candidate hash function sent by the gateway device;
    a processing unit, configured to determine a target hash function from the candidate hash functions and to determine fingerprint information corresponding to the target hash function;
    the sending unit is further configured to send the target hash function and the fingerprint information to the gateway device, so that the gateway device forwards the target hash function and the fingerprint information to the second terminal;
    the processing unit is further configured to perform authentication processing with the second terminal device according to the target hash function and the fingerprint information, so as to establish a Datagram Transport Layer Security (DTLS) protocol connection and transmit data over the DTLS protocol connection.
  50. The apparatus according to claim 49, wherein the sending unit is further configured to send a first port number to the gateway device, so that the gateway device forwards the first port number to the second terminal device, the first port number being the port number used by the apparatus to establish a Stream Control Transmission Protocol (SCTP) connection based on the DTLS protocol connection;
    the receiving unit is further configured to receive a second port number sent by the gateway device, where the second port number is sent by the second terminal device to the gateway device, and the second port number is the port number used by the second terminal device to establish an SCTP connection based on the DTLS protocol connection;
    the processing unit is further configured to establish an SCTP connection with the second terminal device according to the first port number and the second port number, so as to transmit data over the SCTP connection.
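As an added illustration, not code from the patent or from its assignee, the following Python models the hash negotiation and fingerprint check that claims 45 to 50 describe: the gateway probes the SIP-side terminal with each hash in the H.323-side terminal's list and keeps only those the verification message echoes (claims 46 and 47), the H.323-side terminal picks a target hash and fingerprints its certificate (claim 49), the peer recomputes that fingerprint over the certificate presented in the DTLS handshake, and the active/passive role check of claim 44 is applied. The hash names, the certificate bytes, the RFC 8122 style colon-separated fingerprint format and the local-side-prefers-active rule are assumptions.

```python
import hashlib
import hmac

# Constructed sample data, not from the patent: each side's supported hash
# functions, and a stand-in for the DER certificate the H.323 terminal shows in DTLS.
TERMINAL1_HASHES = ["sha-512", "sha-256", "sha-1"]   # preference order
TERMINAL2_HASHES = {"sha-256", "sha-1"}
TERMINAL1_CERT = b"constructed-certificate-bytes-for-terminal-1"
HASHLIB_NAMES = {"sha-512": "sha512", "sha-256": "sha256", "sha-1": "sha1"}


def verification_message(hash_name, supported):
    """SIP-side terminal's reply (claim 47): the message carries the hash only if supported."""
    return {"hash": hash_name} if hash_name in supported else {}


def gateway_negotiate(hash_list, peer_supported):
    """Gateway side (claims 45 to 47): probe each listed hash and keep those the peer echoes."""
    candidates = []
    for name in hash_list:
        reply = verification_message(name, peer_supported)
        if reply.get("hash") == name:          # hash present means the peer supports it
            candidates.append(name)
    return candidates


def choose_target(candidates, preference):
    """H.323-side terminal (claim 49): pick the first candidate in its own preference order."""
    for name in preference:
        if name in candidates:
            return name
    raise ValueError("no common hash function; DTLS setup must be aborted")


def fingerprint(hash_name, cert_der):
    """Fingerprint of a certificate under the target hash. Colon-separated upper-case
    hex in the style of RFC 8122 is an assumption, not a format the patent fixes."""
    digest = hashlib.new(HASHLIB_NAMES[hash_name], cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def authenticate_peer(hash_name, expected_fp, presented_cert):
    """Peer check during the DTLS handshake: the presented certificate must hash to the
    fingerprint received out of band; compare in constant time."""
    return hmac.compare_digest(fingerprint(hash_name, presented_cert), expected_fp)


def reconcile_roles(local_roles, peer_roles):
    """Claim 44 style role check: exactly one side may be the DTLS client ("active").
    Preferring the local side as client when both allow either is an assumption."""
    if "active" in local_roles and "passive" in peer_roles:
        return "active"
    if "passive" in local_roles and "active" in peer_roles:
        return "passive"
    raise ValueError("no compatible active/passive assignment")


def run_negotiation():
    """End-to-end walk through the negotiation on the constructed sample data."""
    candidates = gateway_negotiate(TERMINAL1_HASHES, TERMINAL2_HASHES)
    target = choose_target(candidates, TERMINAL1_HASHES)
    return candidates, target, fingerprint(target, TERMINAL1_CERT)
```

A hash the SIP side never echoes (sha-512 here) is dropped before the H.323 terminal chooses, so a downgrade to a hash outside both lists cannot be selected by either side.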
  51. A system for transmitting data, wherein the system includes a first terminal device, a second terminal device and a gateway device, the first terminal device and the gateway device communicate through the H.323 protocol, and the second terminal device and the gateway device communicate through the Session Initiation Protocol (SIP), where
    the gateway device is the apparatus according to any one of claims 39 to 41;
    the first terminal device is the apparatus according to any one of claims 42 to 44.
  52. A system for transmitting data, wherein the system includes a first terminal device, a second terminal device and a gateway device, the first terminal device and the gateway device communicate through the H.323 protocol, and the second terminal device and the gateway device communicate through the Session Initiation Protocol (SIP), where
    the gateway device is the apparatus according to any one of claims 45 to 48;
    the first terminal device is the apparatus according to any one of claims 49 to 50.
PCT/CN2016/071359 (WO2016116034A1, en): Method, apparatus, and system for data transmission; priority date 2015-01-23, filing date 2016-01-19

Applications Claiming Priority (2)

Application Number: CN201510036840.8; Priority Date: 2015-01-23
Application Number: CN201510036840.8A (CN105871790B, en); Priority Date: 2015-01-23; Filing Date: 2015-01-23; Title: Method, apparatus and system for transmitting data

Publications (1)

Publication Number: WO2016116034A1 (en); Publication Date: 2016-07-28

Family ID: 56416440

Family Applications (1)

Application Number: PCT/CN2016/071359 (WO2016116034A1, en); Priority Date: 2015-01-23; Filing Date: 2016-01-19; Title: Method, apparatus, and system for data transmission

Country Status (2)

CN (1): CN105871790B (en)
WO (1): WO2016116034A1 (en)


Also Published As

CN105871790A (en), published 2016-08-17
CN105871790B (en), published 2019-02-01


Legal Events

Code 121 (Ep): the EPO has been informed by WIPO that EP was designated in this application; ref document number 16739781, country of ref document EP, kind code A1
Code NENP: non-entry into the national phase; ref country code DE
Code 122 (Ep): PCT application non-entry in European phase; ref document number 16739781, country of ref document EP, kind code A1