WO2017045407A1 - Method of implementing end-to-end conversation encryption, terminal and network element of network side - Google Patents


Info

Publication number
WO2017045407A1
Authority
WO
WIPO (PCT)
Prior art keywords
media
media channel
call
negotiation
encryption
Application number
PCT/CN2016/081313
Other languages
French (fr)
Chinese (zh)
Inventor
高扬
Original Assignee
中兴通讯股份有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L 65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L 65/10 Architectures or entities
    • H04L 65/1016 IP multimedia subsystem [IMS]

Definitions

  • Embodiments of the present invention relate to, but are not limited to, a method, a terminal, and a network side network element for implementing end-to-end call encryption.
  • VoLTE: Voice over LTE
  • IMS: IP Multimedia Subsystem
  • In current typical deployments, encryption is supported only between the terminal and the IMS access side device, such as the Session Border Controller (SBC); between the network side elements themselves there is no encryption, so calls are easy to eavesdrop on maliciously.
  • SBC: Session Border Controller
  • As VoLTE becomes the mainstream voice technology, and because VoLTE itself is based on IP technology, the problem of malicious eavesdropping on VoLTE voice may even rise to the level of national security.
  • VoLTE encryption schemes generally negotiate key parameters over the signaling plane and then use the negotiated key parameters to encrypt the call.
  • Where the security level of such key parameter encryption is insufficient, the country's own digital certificates need to be used.
  • Information such as digital certificates cannot be carried on the VoLTE signaling plane, which is an intractable contradiction.
  • An embodiment of the present invention provides a method for implementing end-to-end call encryption, which includes: exchanging digital certificates and performing key parameter negotiation in a reliable transmission mode during call establishment;
  • and performing an end-to-end encrypted call in the voice media channel using the negotiated key parameters.
  • the method further includes establishing the reliable transmission mode, which includes:
  • establishing a first media channel in an explicit manner, which specifically includes:
  • performing media negotiation by adding a dedicated encryption negotiation media line to the Session Description Protocol (SDP) to establish the first media channel.
  • or establishing the first media channel in an implicit manner, which specifically includes: establishing the first media channel as a dedicated default connection.
  • in that case the method further includes: turning on the dedicated default connection.
  • or the reliable transmission mode is a special mode introduced in the voice media channel, in which the media packets in the media channel are analyzed and lost packets are retransmitted.
  • in that case the method further includes: restoring normal media packet processing afterwards.
  • the method further includes: during call establishment, the session initiator carries a first precondition in the media line of the voice media when it initiates the session request;
  • the first precondition is that the ringing prompt is sent to the answering party only once the digital certificates have been exchanged and the key parameter negotiation completed in the reliable transmission mode.
  • the method further includes: during call establishment, the session initiator carries a second precondition in the media line of the voice media when it initiates the session request;
  • the second precondition is that the ringing prompt is sent to the answering party once resource reservation is completed.
  • the embodiment of the invention further provides a terminal, which includes at least a first processing module and a second processing module, where
  • the first processing module is configured to exchange digital certificates and perform key parameter negotiation in a reliable transmission mode during call setup;
  • the second processing module is configured to perform an end-to-end encrypted call in the voice media channel using the negotiated key parameters.
  • the terminal further includes a transceiver module configured to: perform media negotiation by adding a dedicated encryption negotiation media line to the SDP to establish a first media channel; or establish the first media channel, that is, the dedicated encryption negotiation media channel, as a dedicated default connection; or analyze the media packets in the media channel and retransmit lost packets, and resume normal media packet processing once the digital certificates have been exchanged and the key parameter negotiation performed;
  • the first processing module is specifically configured to: during call establishment, exchange the digital certificates and perform the key parameter negotiation in the first media channel; or
  • complete the exchange of the digital certificates and perform the key parameter negotiation in the mode in which the media packets in the media channel are analyzed and lost packets are retransmitted.
  • the transceiver module is further configured to:
  • carry the first precondition in the media line of the voice media when the session request is initiated, where the first precondition is: completing the exchange of the digital certificates and the key parameter negotiation in the reliable transmission mode; accordingly,
  • the terminal further includes a ringing processing module configured to initiate a ringing prompt to the answering party when the first precondition is met.
  • the transceiver module is further configured to: carry the second precondition in the media line of the voice media when the session request is initiated, where the second precondition is: completing resource reservation; accordingly,
  • the terminal further includes:
  • a resource reservation module configured to complete resource reservation;
  • the ringing processing module is configured to initiate a ringing prompt to the answering party when the second precondition is met.
  • the embodiment of the invention further provides a network side network element, which includes at least a forwarding module and a media channel processing module;
  • the forwarding module is configured to forward messages during call establishment;
  • the media channel processing module is configured to pre-establish a first media channel, where the first media channel is a dedicated media channel for encryption negotiation, and to turn on the pre-established first media channel when call establishment is completed.
  • the network side network element is an IP Multimedia Subsystem (IMS) access side device.
  • the IMS access side device is a Session Border Controller (SBC).
  • the embodiment of the invention further provides a computer readable storage medium storing computer executable instructions for performing any of the above methods for implementing end-to-end call encryption.
  • the technical solution of the present application includes: exchanging digital certificates and performing key parameter negotiation in a reliable transmission mode during call establishment; and performing an end-to-end encrypted call in the voice media channel using the negotiated key parameters.
  • the digital certificates are exchanged and the key parameters negotiated in the reliable transmission mode, and the end-to-end encrypted call is then performed in the existing media channel using the negotiated key parameters, thus ensuring the security of VoLTE-based end-to-end calls while also safeguarding national security.
  • FIG. 1 is a schematic flowchart of implementing end-to-end call encryption based on VoLTE in the related art
  • FIG. 2 is a flowchart of a method for implementing end-to-end call encryption according to an embodiment of the present invention
  • FIG. 3 is a schematic flowchart of a first embodiment for implementing end-to-end call encryption according to an embodiment of the present invention
  • FIG. 4 is a schematic flowchart of a second embodiment for implementing end-to-end call encryption according to an embodiment of the present invention
  • FIG. 5 is a schematic flowchart of a third embodiment for implementing end-to-end call encryption according to an embodiment of the present invention
  • FIG. 6 is a schematic flowchart of a fourth embodiment for implementing end-to-end call encryption according to an embodiment of the present invention.
  • FIG. 7 is a schematic flowchart of a fifth embodiment for implementing end-to-end call encryption according to an embodiment of the present invention.
  • FIG. 8 is a schematic structural diagram of a terminal for implementing end-to-end call encryption according to an embodiment of the present invention.
  • FIG. 9 is a schematic structural diagram of a network side network element for implementing end-to-end call encryption according to an embodiment of the present invention.
  • FIG. 1 is a schematic flowchart of implementing end-to-end call encryption based on VoLTE in the related art. As shown in FIG. 1, the flow includes:
  • Step 100 UE1 sends an INVITE call request to SBC1, carrying a Session Description Protocol (SDP) body. From the perspective of media negotiation, this SDP is the Offer, that is, the INVITE SDP offer.
  • SDP: Session Description Protocol
  • the SDP carries a media line (m line) identifying the voice media of the call.
  • Step 101 SBC1 forwards the INVITE SDP offer to the IMS.
  • Step 102 The IMS forwards the INVITE SDP offer to the SBC2 on the called user side.
  • Step 103 SBC2 forwards the INVITE SDP offer to UE2.
  • Step 104 UE2 processes the received INVITE SDP offer, and constructs an SDP and sends it to SBC2. From the perspective of media negotiation, the SDP is Answer, that is, UE2 returns a 200 OK SDP answer.
  • Step 105 SBC2 forwards the 200 OK SDP answer message to the IMS.
  • Step 106 The IMS forwards the 200 OK SDP answer message to SBC1.
  • Step 107 SBC1 forwards the 200 OK SDP answer message to UE1. At this point, the media channel for the voice call is established.
  • Step 108 UE1 and UE2 exchange digital certificates in the media channel.
  • the media channels established in the related art are transported over the Real-time Transport Protocol (RTP), and RTP transmission itself is unreliable, so exchanging digital certificates in this channel is unreliable.
  • RTP: Real-time Transport Protocol
  • This step is optional; if digital certificates are not needed, for example for identity authentication, this step can be omitted.
  • Step 109 UE1 and UE2 negotiate key parameters in the media channel.
  • Step 110 UE1 and UE2 perform an end-to-end encrypted call by using the negotiated key parameters.
  • the SDP answer can also be carried in the 183 message from the called side.
  • the digital certificate and the key parameters involved in steps 108 and 109 are transmitted across the network. Since the digital certificate is text-form data, the transmission must be reliable from the perspective of data integrity.
  • RTP media, by contrast, are in a streaming media format for which an unreliable transport protocol may be used. That is to say, exchanging digital certificates directly in the RTP media channel of the related art is unreliable.
  • SBC1 and SBC2 are optional network elements.
  • FIG. 2 is a flowchart of a method for implementing end-to-end call encryption according to an embodiment of the present invention. As shown in FIG. 2, the method includes:
  • Step 200 During call establishment, the digital certificates are exchanged and the key parameter negotiation is performed in a reliable transmission mode.
  • This step also includes establishing the reliable transmission mode, including but not limited to:
  • establishing a first media channel. Since the first media channel is a dedicated media channel, distinct from the existing voice media channel used for the end-to-end encrypted call, the first media channel can use a reliable transport protocol; or,
  • introducing a special mode in the voice media channel, that is, analyzing the media packets in the media channel and retransmitting lost packets, and exchanging the digital certificates and negotiating the key parameters in this special mode. In this way the reliable transmission of digital certificates and key information is likewise guaranteed.
  • the first media channel may be established in an explicit manner, which specifically includes: performing media negotiation by adding a dedicated encryption negotiation media line (such as an m line) to the SDP to establish the first media channel,
  • which is a dedicated media channel for encryption negotiation.
  • the dedicated encryption negotiation media channel established in the explicit manner is set up through normal media negotiation. It is therefore supported by current network side network elements without additional network side requirements, which is convenient for rapid deployment and promotion in the network.
  • this explicit manner is convenient for standardization and industrialization, and convenient for promotion to government and enterprise users, rather than being limited to internal use by national security agencies.
  • the first media channel may also be established in an implicit manner, which specifically includes: pre-establishing the first media channel, that is, the dedicated encryption negotiation media channel, as a dedicated default connection.
  • the establishment of the dedicated default connection is not reflected in the SDP process; it is a dedicated default connection agreed by both parties, UE1 and UE2.
  • the dedicated default connection may use an agreed fixed port, such as a TCP connection on port 8080, or a TCP connection to a port associated with the actual media stream, such as the audio port + 2.
  • when the first media channel is established in the implicit manner, because the dedicated encryption negotiation media channel is not established through media negotiation, the network side network element, such as the SBC device, is required to turn on the dedicated default connection.
  • Step 201 Perform an end-to-end encrypted call in the voice media channel using the negotiated key parameters.
  • the voice media channel in this step is the media channel established for the voice call in the existing method shown in FIG. 1. The specific implementation of this step is consistent with the prior art and is not described again here.
  • when the special mode is used, this step further includes: restoring normal media packet processing.
  • the digital certificates are exchanged and the key parameters negotiated in the reliable transmission mode, and the end-to-end encrypted call is then performed in the existing media channel using the negotiated key parameters. This guarantees the security of VoLTE-based end-to-end calls and also safeguards national security.
  • the method of the embodiment of the present invention further includes:
  • the session initiator, such as UE1, carries a first precondition in the media line of the voice media when the session request is initiated; for example, the first precondition is: once the digital certificates have been exchanged and the key parameter negotiation completed in the reliable transmission mode, the ringing prompt is sent to the receiving party, such as UE2.
  • a corresponding precondition attribute may be extended in the SDP to carry the first precondition.
  • the method of the embodiment of the present invention further includes:
  • the session initiator, such as UE1, carries a second precondition in the media line of the voice media when the session request is initiated.
  • the second precondition is: completing the resource reservation, and then sending the ringing prompt to the receiving party.
  • extending the corresponding attribute in the SDP to carry the first precondition requires support from each network element in the network. From the perspective of compatibility, if the purpose of the first precondition can be reached without extending the attribute descriptions, the related network elements in the network do not need to be upgraded, which improves the compatibility of the technical solution provided by the embodiments of the present invention.
  • if only the existing second precondition, that is, the resource reservation mechanism, is used in the SDP,
  • the related network elements in the network do not need to be upgraded, and the purpose of the first precondition is also achieved,
  • so the compatibility of the technical solutions provided by the embodiments of the present invention is improved.
  • FIG. 3 is a schematic flowchart of a first embodiment of end-to-end call encryption according to an embodiment of the present invention.
  • the first embodiment establishes the first media channel in the explicit manner; as shown in FIG. 3, it includes:
  • Step 300 UE1 sends an INVITE call request to SBC1, carrying a Session Description Protocol (SDP) body. From the perspective of media negotiation, this SDP is the Offer, that is, the INVITE SDP offer.
  • SDP: Session Description Protocol
  • in addition to the media line (m line) identifying the voice media of the call, the SDP carries a media line (m line) identifying the dedicated encryption negotiation.
  • Step 301 SBC1 forwards the INVITE SDP offer to the IMS.
  • Step 302 The IMS forwards the INVITE SDP offer to the SBC2 on the called user side.
  • Step 303 SBC2 forwards the INVITE SDP offer to UE2.
  • Step 304 UE2 processes the received INVITE SDP offer, constructs an SDP and sends it to SBC2. From the perspective of media negotiation, this SDP is the Answer, that is, UE2 returns a 200 OK SDP answer. Similarly, in addition to the media line (m line) of the voice media of the call, this SDP carries the media line (m line) identifying the dedicated encryption negotiation.
  • Step 305 SBC2 forwards the 200 OK SDP answer message to the IMS.
  • Step 306 The IMS forwards the 200 OK SDP answer message to SBC1.
  • Step 307 SBC1 forwards the 200 OK SDP answer message to UE1.
  • call establishment is now completed; in addition to the voice media channel for the voice call, a dedicated media channel for encryption negotiation is also established.
  • Step 308 UE1 and UE2 exchange digital certificates in the first media channel.
  • This step is optional; if digital certificates are not needed, for example for identity authentication, this step can be omitted.
  • Step 309 UE1 and UE2 negotiate key parameters in the first media channel.
  • Step 310 UE1 and UE2 perform an end-to-end encrypted call on the voice media channel by using the negotiated key parameters.
  • the SDP answer can also be carried in the 183 message from the called side.
  • the digital certificates and key parameters involved in steps 308 and 309 are transmitted across the network, and the transmission must be reliable from the perspective of data integrity.
  • Transport protocols such as the Transmission Control Protocol (TCP) or the Stream Control Transmission Protocol (SCTP) may be employed here.
  • SBC1 and SBC2 are optional network elements.
  • FIG. 4 is a schematic flowchart of a second embodiment of implementing end-to-end call encryption according to an embodiment of the present invention.
  • the second embodiment is a method for establishing a first media channel in an implicit manner. As shown in FIG. 4, the method includes:
  • Step 400 UE1 sends an INVITE call request to SBC1, carrying a Session Description Protocol (SDP) body. From the perspective of media negotiation, this SDP is the Offer, that is, the INVITE SDP offer.
  • SDP: Session Description Protocol
  • the SDP carries a media line (m line) identifying the voice media of the call.
  • Step 401 SBC1 forwards the INVITE SDP offer to the IMS.
  • Step 402 The IMS forwards the INVITE SDP offer to the SBC2 of the called user side.
  • Step 403 SBC2 forwards the INVITE SDP offer to UE2.
  • Step 404 UE2 processes the received INVITE SDP offer, and constructs an SDP and sends it to SBC2. From the perspective of media negotiation, the SDP is Answer, that is, UE2 returns a 200 OK SDP answer.
  • Step 405 SBC2 forwards the 200 OK SDP answer message to the IMS.
  • Step 406 If SBC2 is present in the deployment, SBC2 needs to turn on the first media channel for encryption negotiation, that is, the dedicated default connection.
  • Step 407 The IMS forwards the 200 OK SDP answer message to SBC1.
  • Step 408 SBC1 forwards the 200 OK SDP answer message to UE1.
  • Step 409 If SBC1 is present in the deployment, SBC1 needs to turn on the first media channel for encryption negotiation, that is, the dedicated default connection.
  • call establishment is now completed; in addition to the voice media channel for the voice call, a dedicated media channel for encryption negotiation is also established.
  • Step 410 UE1 and UE2 exchange digital certificates in the first media channel.
  • This step is optional; if digital certificates are not needed, for example for identity authentication, this step can be omitted.
  • Step 411 UE1 and UE2 negotiate key parameters in the first media channel.
  • Step 412 UE1 and UE2 perform an end-to-end encrypted call on the voice media channel by using the negotiated key parameters.
  • the SDP answer can also be carried in the 183 message from the called side.
  • the establishment of the dedicated default connection is not reflected in the SDP process; it is a dedicated default connection agreed by both parties, UE1 and UE2.
  • the dedicated default connection may use an agreed fixed port, such as a TCP connection on port 8080, or an agreed port associated with the actual media stream, such as a TCP connection on the audio port + 2.
  • SBC1 and SBC2 are optional network elements.
  • FIG. 5 is a schematic flowchart of a third embodiment of implementing end-to-end call encryption according to an embodiment of the present invention.
  • the third embodiment introduces a special mode in the voice media channel, that is, the media packets in the media channel are analyzed
  • and lost packets are retransmitted. As shown in FIG. 5, the method includes:
  • Step 500 UE1 sends an INVITE call request to SBC1, carrying a Session Description Protocol (SDP) body. From the perspective of media negotiation, this SDP is the Offer, that is, the INVITE SDP offer.
  • SDP: Session Description Protocol
  • the SDP carries a media line (m line) identifying the voice media of the call.
  • Step 501 SBC1 forwards the INVITE SDP offer to the IMS.
  • Step 502 The IMS forwards the INVITE SDP offer to the SBC2 on the called user side.
  • Step 503 SBC2 forwards the INVITE SDP offer to UE2.
  • Step 504 UE2 processes the received INVITE SDP offer, and constructs an SDP and sends it to SBC2. From the perspective of media negotiation, the SDP is Answer, that is, UE2 returns a 200 OK SDP answer.
  • Step 505 SBC2 forwards the 200 OK SDP answer message to the IMS.
  • Step 506 The IMS forwards the 200 OK SDP answer message to SBC1.
  • Step 507 SBC1 forwards the 200 OK SDP answer message to UE1. The call is now established.
  • Step 508 UE1 and UE2 enter a special mode, that is, analyze media packets in the media channel, such as a Real-Time Transport Protocol (RTP) packet, and retransmit the lost packets.
  • RTP: Real-Time Transport Protocol
  • Step 509 UE1 and UE2 exchange digital certificates in the media channel in the special mode.
  • This step is optional; if digital certificates are not needed, for example for identity authentication, this step can be omitted.
  • Step 510 UE1 and UE2 negotiate key parameters in the media channel in the special mode.
  • Step 511 The key parameter negotiation is completed, and UE1 and UE2 exit the special mode to resume normal RTP processing.
  • Step 512 UE1 and UE2 perform an end-to-end encrypted call on the voice media channel by using the negotiated key parameters.
  • the SDP answer can also be carried in the 183 message from the called side.
  • SBC1 and SBC2 are optional network elements.
  • FIG. 6 is a schematic flowchart of a fourth embodiment of implementing end-to-end call encryption according to an embodiment of the present invention.
  • the fourth embodiment uses as a precondition that the digital certificates are exchanged in the reliable transmission mode
  • and the key parameter negotiation is completed before the answering party
  • UE2 performs the ringing prompt. As shown in FIG. 6, it includes:
  • Step 600 UE1 sends an INVITE call request to SBC1, carrying a Session Description Protocol (SDP) body. From the perspective of media negotiation, this SDP is the Offer, that is, the INVITE SDP offer.
  • SDP: Session Description Protocol
  • the SDP carries a media line (m line) identifying the voice media of the call and a media line (m line) identifying the dedicated encryption negotiation, and carries a precondition, namely that the digital certificates must have been exchanged and the key parameter negotiation completed in the reliable transmission mode before the ringing prompt is sent to the receiving party, such as UE2.
  • Step 601 SBC1 forwards the INVITE SDP offer to the IMS.
  • Step 602 The IMS forwards the INVITE SDP offer to the SBC2 of the called user side.
  • Step 603 SBC2 forwards the INVITE SDP offer to UE2.
  • Step 604 UE2 processes the received INVITE SDP offer, constructs an SDP and sends it to SBC2. From the perspective of media negotiation, this SDP is the Answer, that is, UE2 returns a 200 OK SDP answer. Similarly, in addition to the media line (m line) identifying the voice media of the call and the media line (m line) identifying the dedicated encryption negotiation, this SDP also carries the precondition, namely that the digital certificates must have been exchanged and the key parameter negotiation completed in the reliable transmission mode before the ringing prompt is sent to the receiving party, such as UE2.
  • the precondition can further carry a conf attribute line.
  • the conf line indicates that the party that receives the conf indication during media negotiation needs to send a message to the other party when the precondition is satisfied.
  • Step 605 SBC2 forwards the 183 SDP answer message to the IMS.
  • Step 606 The IMS forwards the 183 SDP answer message to SBC1.
  • Step 607 SBC1 forwards the 183 SDP answer message to UE1.
  • call establishment is now completed; in addition to the voice media channel for the voice call, a dedicated media channel for encryption negotiation is also established.
  • Step 608 UE1 and UE2 exchange digital certificates in the first media channel.
  • This step is optional; if digital certificates are not needed, for example for identity authentication, this step can be omitted.
  • Step 609 UE1 and UE2 negotiate key parameters in the first media channel.
  • Step 610 Because the key parameter negotiation is completed, the pre-condition of the voice media channel is satisfied, and the UE1 sends an UPDATE, carrying the state that the pre-condition is satisfied.
  • Step 611 SBC1 forwards the UPDATE request to the IMS.
  • Step 612 The IMS forwards the UPDATE request to the SBC2 on the called user side.
  • Step 613 SBC2 forwards the UPDATE request to UE2.
  • Step 614 UE2 accepts the UPDATE message and constructs a 200 OK response to send to SBC2.
  • Step 615 SBC2 forwards the 200 OK message to the IMS.
  • Step 616 The IMS forwards the 200 OK message to SBC1.
  • Step 617 SBC1 forwards the 200 OK message to UE1.
  • Step 618 Because the precondition is satisfied, UE2 rings to prompt the user to answer the call, and at the same time sends a 180 message to SBC2.
  • Step 619 SBC2 forwards the 180 message to the IMS.
  • Step 620 The IMS forwards the 180 message to SBC1.
  • Step 621 SBC1 forwards the 180 message to UE1.
  • Step 622 The called user (UE2) goes off-hook, and UE2 sends 200 OK to SBC2.
  • Step 623 SBC2 forwards the 200 OK message to the IMS.
  • Step 624 The IMS forwards the 200 OK message to SBC1.
  • Step 625 SBC1 forwards the 200 OK message to UE1.
  • Step 626 UE1 and UE2 perform an end-to-end encrypted call on the voice media channel by using the negotiated key parameters.
  • step 604 may omit the conf line, in which case steps 610 to 617 may correspondingly be omitted.
  • SBC1 and SBC2 are optional network elements.
  • the SDP format in the 183 message is as follows:
  • a=conf:encryption e2e sendrecv, indicating that when the peer's precondition reaches this state, the peer needs to send a status notification.
  • the SDP format in UPDATE or 200OK is as follows:
  • FIG. 7 is a schematic flowchart of a fifth embodiment of implementing end-to-end call encryption according to an embodiment of the present invention.
  • the fifth embodiment uses completion of resource reservation as the precondition. As shown in FIG. 7, it includes:
  • Step 700 UE1 sends an INVITE call request to SBC1, carrying a Session Description Protocol (SDP) body. From the perspective of media negotiation, this SDP is the Offer, that is, the INVITE SDP offer.
  • SDP: Session Description Protocol
  • the SDP carries a media line (m line) identifying the voice media of the call and a media line (m line) identifying the dedicated encryption negotiation, and carries the precondition, namely that resource reservation is completed.
  • Step 701 SBC1 forwards the INVITE SDP offer to the IMS.
  • Step 702 The IMS forwards the INVITE SDP offer to the SBC2 on the called user side.
  • Step 703 SBC2 forwards the INVITE SDP offer to UE2.
  • Step 704 UE2 processes the received INVITE SDP offer, constructs an SDP and sends it to SBC2. From the perspective of media negotiation, the SDP is the Answer, that is, UE2 returns a 200 OK SDP answer. Similarly, in addition to the media line (m line) identifying the voice media for the call and the media line (m line) identifying the dedicated encryption negotiation, the SDP also carries the precondition, namely completion of resource reservation.
  • The precondition can further carry the conf attribute line.
  • The conf line is prior art; it indicates that the party that receives the conf indication during media negotiation needs to notify the other party when the precondition is satisfied.
  • Step 705 SBC2 forwards the 183 SDP answer message to the IMS.
  • Step 706 The IMS forwards the 183 SDP answer message to SBC1.
  • Step 707 SBC1 forwards the 183 SDP answer message to UE1.
  • At this point call establishment is complete; in addition to the voice media channel for the voice call, a dedicated media channel for encryption negotiation has also been established.
  • Step 708 UE1 and UE2 exchange digital certificates in the first media channel.
  • This step is optional; in cases where a digital certificate is not needed, for example for identity authentication, it can be omitted.
  • Step 709 UE1 and UE2 negotiate key parameters in the first media channel.
  • Step 710 The resource reservation of UE1 is completed, and the resource reservation of UE2 is completed.
  • Step 711 With the resource reservations of UE1 and UE2 completed, the preconditions of the voice media channel are satisfied, and UE1 sends an UPDATE carrying the precondition-satisfied state.
  • Step 712 SBC1 forwards the UPDATE request to the IMS.
  • Step 713 The IMS forwards the UPDATE request to the SBC2 on the called user side.
  • Step 714 SBC2 forwards the UPDATE request to UE2.
  • Step 715 UE2 accepts the UPDATE message and constructs a 200 OK response to send to SBC2.
  • Step 716 SBC2 forwards the 200 OK message to the IMS.
  • Step 717 The IMS forwards the 200 OK message to SBC1.
  • Step 718 SBC1 forwards the 200 OK message to UE1.
  • Step 719 The resource reservation of UE1 is completed, the resource reservation of UE2 is also completed, and the key negotiation is also completed, that is, all the preconditions are satisfied; UE2 rings to prompt the user to answer the call and simultaneously sends 180 to SBC2.
  • Step 720 SBC2 forwards the 180 message to the IMS.
  • Step 721 The IMS forwards the 180 message to SBC1.
  • Step 722 SBC1 forwards the 180 message to UE1.
  • Step 723 The called user (UE2) goes off-hook, and UE2 sends 200 OK to SBC2.
  • Step 724 SBC2 forwards the 200 OK message to the IMS.
  • Step 725 The IMS forwards the 200 OK message to SBC1.
  • Step 726 SBC1 forwards the 200 OK message to UE1.
  • Step 727 UE1 and UE2 perform an end-to-end encrypted call on the voice media channel by using the negotiated key parameters.
  • The embodiment of the invention further provides a computer readable storage medium storing computer executable instructions for performing any of the above methods for implementing end-to-end call encryption.
  • FIG. 8 is a schematic structural diagram of a terminal for implementing end-to-end call encryption according to an embodiment of the present invention. As shown in FIG. 8, the terminal includes at least a first processing module 80 and a second processing module 81.
  • The first processing module 80 is configured to exchange digital certificates and perform key parameter negotiation in a reliable transmission mode during call establishment;
  • the second processing module 81 is configured to perform an end-to-end encrypted call in the voice media channel using the negotiated key parameters.
  • The terminal of the present invention further includes a transceiver module 82 configured to perform media negotiation by adding a dedicated encryption negotiation media line (m line) in the SDP to establish a first media channel; or to pre-establish the first media channel, that is, the dedicated encryption negotiation media channel, as a dedicated default connection; or to analyze the media packets in the media channel and retransmit lost packets, and to restore normal media packet processing once the digital certificate exchange and key parameter negotiation are complete;
  • correspondingly, the first processing module 80 is specifically configured to: during call establishment, exchange digital certificates and perform key parameter negotiation in the first media channel; or complete the digital certificate exchange and key parameter negotiation by analyzing the media packets in the media channel and retransmitting lost packets.
  • The transceiver module 82 is further configured to:
  • carry the first precondition in the media line of the voice media when the session request is initiated;
  • where the first precondition is: completing the digital certificate exchange and key parameter negotiation in the reliable transmission mode; correspondingly,
  • the terminal of the present invention further includes a ringing processing module 83 configured to initiate a ringing prompt to the answering party when the first precondition is satisfied.
  • The transceiver module 82 is further configured to: when the session request is initiated, carry the second precondition in the media line of the voice media; where the second precondition is: completing resource reservation; correspondingly,
  • the terminal of the present invention further includes a resource reservation module 84 configured to complete the reservation of resources;
  • and the ringing processing module 83 is configured to initiate a ringing prompt to the answering party when the second precondition is satisfied.
  • FIG. 9 is a schematic structural diagram of a network side network element for implementing end-to-end call encryption according to an embodiment of the present invention. As shown in FIG. 9, the network element includes at least a forwarding module 90 and a media channel processing module 91.
  • The forwarding module 90 is configured to forward messages during call establishment;
  • the media channel processing module 91 is configured to pre-establish a first media channel, that is, a dedicated encryption negotiation media channel, as a dedicated default connection, and to turn on the pre-established first media channel when call establishment is complete.
  • The network side network element may be an IMS access side device such as an SBC.
  • In summary, the method for implementing end-to-end call encryption, the terminal and the network side network element include: exchanging digital certificates and performing key parameter negotiation in a reliable transmission mode during call establishment; and performing an end-to-end encrypted call in the voice media channel using the negotiated key parameters.
  • Because the digital certificates are exchanged and the key parameters negotiated over a reliable transmission mode, and the end-to-end encrypted call is then carried out in the existing media channel using the negotiated key parameters, the security of VoLTE-based end-to-end calls is ensured while national security is safeguarded at the same time.
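The precondition handling of the FIG. 6 and FIG. 7 flows (ring only once the mandatory preconditions on the voice m line are met, note which states the peer asked to be confirmed via a=conf, and carry a separate m line for the negotiation channel) as an added Python example; this is not code from the patent. Only a=conf:encryption e2e sendrecv appears on the page; the a=curr/a=des lines for the encryption tag are assumed by analogy with RFC 3312 qos preconditions, and the application/TCP m line, ports and addresses are constructed placeholders.

```python
# Added example (not the patent's own code): SDP handling for the explicit method,
# where the INVITE carries the voice m-line, a second m-line for the dedicated
# encryption negotiation channel, and precondition attributes.  The a=curr/a=des
# lines for the "encryption" tag are assumed by analogy with RFC 3312 qos
# preconditions; the "application ... TCP enc-nego" m-line is a constructed placeholder.
from dataclasses import dataclass, field


def _covers(current, desired):
    """True if the current direction status satisfies the desired direction."""
    if desired == "none":
        return True
    if desired == "sendrecv":
        return current == "sendrecv"
    return current in (desired, "sendrecv")


@dataclass
class Media:
    kind: str    # "audio" for the voice channel, "application" for the negotiation channel
    port: int
    proto: str   # "RTP/AVP" (unreliable) or "TCP" (reliable)
    attrs: list = field(default_factory=list)


def parse_sdp(text):
    """Minimal SDP parser: returns the m-sections with their a= attribute lines."""
    media = []
    for raw in text.splitlines():
        line = raw.strip()
        if len(line) < 2 or line[1] != "=":
            continue
        typ, val = line[0], line[2:]
        if typ == "m":
            kind, port, proto = val.split()[:3]
            media.append(Media(kind, int(port), proto))
        elif typ == "a" and media:
            media[-1].attrs.append(val)
    return media


def precondition_state(m):
    """Collect a=curr / a=des / a=conf lines of one m-section, keyed by precondition
    tag: "qos" for resource reservation, "encryption" for the key negotiation."""
    state = {}
    for a in m.attrs:
        if not a.startswith(("curr:", "des:", "conf:")):
            continue
        name, rest = a.split(":", 1)
        parts = rest.split()
        entry = state.setdefault(parts[0], {"curr": {}, "des": {}, "conf": {}})
        if name == "curr":        # curr:<tag> <status-type> <direction>
            entry["curr"][parts[1]] = parts[2]
        elif name == "des":       # des:<tag> <strength> <status-type> <direction>
            entry["des"][parts[2]] = (parts[1], parts[3])
        else:                     # conf:<tag> <status-type> <direction>
            entry["conf"][parts[1]] = parts[2]
    return state


def unmet_preconditions(m):
    """(tag, status-type) pairs whose mandatory desired status has not been reached."""
    unmet = []
    for tag, entry in precondition_state(m).items():
        for stype, (strength, want) in entry["des"].items():
            if strength == "mandatory" and not _covers(entry["curr"].get(stype, "none"), want):
                unmet.append((tag, stype))
    return unmet


def may_ring(sdp_text):
    """Callee-side check (steps 618/719): ring only once every mandatory
    precondition on the voice m-line is satisfied."""
    audio = [m for m in parse_sdp(sdp_text) if m.kind == "audio"]
    return bool(audio) and not unmet_preconditions(audio[0])


def confirmations_requested(sdp_text):
    """Preconditions the peer asked us to confirm (a=conf lines): the states we
    must report back, e.g. in an UPDATE, once they are reached."""
    return [(tag, stype, direction)
            for m in parse_sdp(sdp_text)
            for tag, entry in precondition_state(m).items()
            for stype, direction in entry["conf"].items()]


def has_dedicated_channel(sdp_text):
    """Explicit method: an m-line for the negotiation channel over a reliable transport."""
    return any(m.kind == "application" and m.proto == "TCP" for m in parse_sdp(sdp_text))


# Constructed INVITE SDP offer (only the m= and a= lines the parser needs): nothing
# reserved or negotiated yet, so the callee must not ring.
INVITE_OFFER = """\
m=audio 49170 RTP/AVP 96
a=curr:qos local none
a=curr:qos remote none
a=des:qos mandatory local sendrecv
a=des:qos mandatory remote sendrecv
a=curr:encryption e2e none
a=des:encryption mandatory e2e sendrecv
m=application 50002 TCP enc-nego
"""
# Constructed UPDATE SDP: both reservations and the key negotiation are now done.
UPDATE_OFFER = INVITE_OFFER.replace(" none", " sendrecv")
```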


Abstract

A method of implementing end-to-end conversation encryption, terminal and network element of network side, the method comprising: exchanging a digital certificate and negotiating a key parameter in a reliable transmission mode during establishment of conversation; and performing the end-to-end encrypted conversation in a voice media channel by using the negotiated key parameter. An embodiment of the present invention ensures the security of VoLTE-based end-to-end conversation and at the same time guarantees the national security, by means of exchanging the digital certificate and negotiating the key parameter in the reliable transmission mode and then performing the end-to-end encrypted conversation in the existing media channel by using negotiated key parameter.

Description

Method, terminal and network side network element for implementing end-to-end call encryption
Technical field
The embodiments of the present invention relate to, but are not limited to, a method, a terminal and a network side network element for implementing end-to-end call encryption.
Background
VoLTE (Voice over LTE) is an IP data transmission technology implemented on the IP Multimedia Subsystem (IMS). VoLTE does not need a 2G/3G network; all services are carried on the 4G network. Although IMS itself provides a complex and relatively secure authentication and authorization mechanism, as malicious interception becomes more and more common, the existing VoLTE security mechanisms cannot meet the requirements.
For IMS media plane encryption (see 3GPP TS 33.328), the usual deployment today supports encryption between the terminal and an IMS access side device such as the Session Border Controller (SBC), while traffic between network side elements is not encrypted, which also makes it easy to intercept maliciously.
As VoLTE is promoted as the mainstream voice technology, and given that VoLTE itself is based on IP, the problem of malicious interception of VoLTE voice may even rise to the level of national security.
At present, the common VoLTE encryption methods generally negotiate key parameters over the signaling plane and then use these negotiated key parameters to encrypt the call. However, from a national security perspective, encrypting with key parameters alone does not give a sufficient security level; digital certificates issued by the state itself also need to be used. Information such as digital certificates cannot be carried on the VoLTE signaling plane, which is a contradiction that is difficult to resolve.
Summary of the invention
The following is an overview of the subject matter described in detail herein. This overview is not intended to limit the scope of protection of the claims.
An embodiment of the present invention provides a method for implementing end-to-end call encryption, including: exchanging digital certificates and performing key parameter negotiation in a reliable transmission mode during call establishment;
and performing an end-to-end encrypted call in the voice media channel using the negotiated key parameters.
Optionally, the method further includes, beforehand, establishing the reliable transmission mode, including:
establishing a first media channel, the first media channel being a dedicated media channel for encryption negotiation; or
introducing, in the voice media channel, a mode that analyzes the media packets in the media channel and retransmits lost packets, so as to exchange the digital certificates and perform the key parameter negotiation.
Optionally, the method for establishing the first media channel is explicit, and specifically includes:
during call establishment, performing media negotiation by adding a dedicated encryption negotiation media line in the Session Description Protocol (SDP) to establish the first media channel.
Optionally, the method for establishing the first media channel is implicit, and specifically includes: establishing the first media channel as a dedicated default connection.
Optionally, before the digital certificates are exchanged and the key parameter negotiation is performed in the reliable transmission mode, the method further includes: turning on the dedicated default connection.
Optionally, when the reliable transmission mode is the mode, introduced in the voice media channel, that analyzes the media packets in the media channel and retransmits lost packets,
the method further includes, before performing the end-to-end encrypted call in the voice media channel using the negotiated key parameters: restoring normal media packet processing.
Optionally, the method further includes: during call establishment, when the session initiator initiates the session request, carrying a first precondition in the media line of the voice media;
where the first precondition is: once the digital certificates have been exchanged and the key parameter negotiation completed in the reliable transmission mode, giving a ringing prompt to the answering party.
Optionally, the method further includes: during call establishment, when the session initiator initiates the session request, carrying a second precondition in the media line of the voice media;
where the second precondition is: once resource reservation is completed, giving a ringing prompt to the answering party.
An embodiment of the present invention further provides a terminal, including at least a first processing module and a second processing module, where
the first processing module is configured to exchange digital certificates and perform key parameter negotiation in a reliable transmission mode during call establishment;
the second processing module is configured to perform an end-to-end encrypted call in the voice media channel using the negotiated key parameters.
Optionally, the terminal further includes a transceiver module configured to perform media negotiation by adding a dedicated encryption negotiation media line in the SDP to establish a first media channel; or to establish the first media channel, that is, the dedicated encryption negotiation media channel, as a dedicated default connection; or to analyze the media packets in the media channel and retransmit lost packets, and to restore normal media packet processing once the digital certificate exchange and key parameter negotiation are complete;
correspondingly,
the first processing module is specifically configured to: during call establishment, exchange the digital certificates and perform the key parameter negotiation in the first media channel; or complete the digital certificate exchange and key parameter negotiation by analyzing the media packets in the media channel and retransmitting lost packets.
Optionally, the transceiver module is further configured to:
during call establishment, when initiating the session request, carry a first precondition in the media line of the voice media; where the first precondition is: completing the digital certificate exchange and key parameter negotiation in the reliable transmission mode; correspondingly,
the terminal further includes a ringing processing module configured to initiate a ringing prompt to the answering party when the first precondition is satisfied.
Optionally, the transceiver module is further configured to: during call establishment, when initiating the session request, carry a second precondition in the media line of the voice media; where the second precondition is: completing resource reservation; correspondingly,
the terminal further includes:
a resource reservation module configured to complete the reservation of resources;
a ringing module configured to initiate a ringing prompt to the answering party when the second precondition is satisfied.
An embodiment of the present invention further provides a network side network element, including at least a forwarding module and a media channel processing module, where
the forwarding module is configured to forward messages during call establishment;
the media channel processing module is configured to pre-establish a first media channel, the first media channel being a dedicated media channel for encryption negotiation, and to turn on the pre-established first media channel when call establishment is complete.
Optionally, the network side network element is an IP Multimedia Subsystem (IMS) access side device.
Optionally, the IMS access side device is a Session Border Controller (SBC).
An embodiment of the present invention further provides a computer readable storage medium storing computer executable instructions for performing any of the above methods for implementing end-to-end call encryption.
The technical solution of the present application includes: exchanging digital certificates and performing key parameter negotiation in a reliable transmission mode during call establishment; and performing an end-to-end encrypted call in the voice media channel using the negotiated key parameters. In the embodiments of the present invention, the digital certificates are exchanged and the key parameters negotiated over a reliable transmission mode, and the end-to-end encrypted call is then carried out in the existing media channel using the negotiated key parameters, which ensures the security of VoLTE-based end-to-end calls and at the same time safeguards national security.
Other features and advantages of the embodiments of the present invention will be set forth in the following description, and in part will become apparent from the description, or may be learned by practicing the present invention. The objects and other advantages of the present invention may be realized and obtained by the structures particularly pointed out in the description, the claims and the drawings.
Other aspects will become apparent upon reading and understanding the drawings and the detailed description.
Brief description of the drawings
The drawings described here are provided for a further understanding of the embodiments of the present invention and form part of this application; the illustrative embodiments of the present invention and their description serve to explain the present invention and do not constitute an improper limitation of it. In the drawings:
FIG. 1 is a schematic flowchart of implementing end-to-end call encryption based on VoLTE in the related art;
FIG. 2 is a flowchart of a method for implementing end-to-end call encryption according to an embodiment of the present invention;
FIG. 3 is a schematic flowchart of a first embodiment of implementing end-to-end call encryption according to an embodiment of the present invention;
FIG. 4 is a schematic flowchart of a second embodiment of implementing end-to-end call encryption according to an embodiment of the present invention;
FIG. 5 is a schematic flowchart of a third embodiment of implementing end-to-end call encryption according to an embodiment of the present invention;
FIG. 6 is a schematic flowchart of a fourth embodiment of implementing end-to-end call encryption according to an embodiment of the present invention;
FIG. 7 is a schematic flowchart of a fifth embodiment of implementing end-to-end call encryption according to an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of a terminal for implementing end-to-end call encryption according to an embodiment of the present invention;
FIG. 9 is a schematic structural diagram of a network side network element for implementing end-to-end call encryption according to an embodiment of the present invention.
Preferred embodiments of the invention
To make the objects, technical solutions and advantages of the present invention clearer, the embodiments of the present invention are described in detail below with reference to the drawings. It should be noted that, provided there is no conflict, the embodiments of this application and the features in the embodiments may be combined with each other arbitrarily.
FIG. 1 is a schematic flowchart of implementing end-to-end call encryption based on VoLTE in the related art. As shown in FIG. 1, the flow includes:
Step 100: UE1 sends an INVITE call request to SBC1, carrying a Session Description Protocol (SDP) body. From the perspective of media negotiation, this SDP is the Offer, that is, the INVITE SDP offer.
In this step, the SDP carries a media line (such as an m line) identifying the voice media for the call.
Step 101: SBC1 forwards the INVITE SDP offer to the IMS.
Step 102: The IMS forwards the INVITE SDP offer to SBC2 on the called user side.
Step 103: SBC2 forwards the INVITE SDP offer to UE2.
Step 104: UE2 processes the received INVITE SDP offer, constructs an SDP and sends it to SBC2. From the perspective of media negotiation, this SDP is the Answer, that is, UE2 returns a 200 OK SDP answer.
Step 105: SBC2 forwards the 200 OK SDP answer message to the IMS.
Step 106: The IMS forwards the 200 OK SDP answer message to SBC1.
Step 107: SBC1 forwards the 200 OK SDP answer message to UE1. At this point the media channel for the voice call is established.
Step 108: UE1 and UE2 exchange digital certificates in the media channel. The media channel established in the related art is transported over the Real-time Transport Protocol (RTP), and RTP transport itself is unreliable, so exchanging digital certificates in this channel is unreliable.
This step is optional; in cases where a digital certificate is not needed, for example for identity authentication, this step can be omitted.
Step 109: UE1 and UE2 negotiate key parameters in the media channel.
Step 110: UE1 and UE2 perform an end-to-end encrypted call using the negotiated key parameters.
Those skilled in the art know that if the above flow includes a 183 message or similar, the SDP Answer can be carried in the called party's 183 message.
It should be noted that, for the transmission over the network of the digital certificates and key parameters involved in steps 108 and 109, since a digital certificate is text, from the point of view of data integrity this transmission should be reliable. In the related art, however, the various RTP media are in streaming format and may use an unreliable transport protocol; that is, directly exchanging digital certificates within the RTP media channel, as in the related art, is unreliable.
It should be noted that a typical commercial IMS deployment will include SBCs, but from the point of view of the technical solution, SBC1 and SBC2 are optional network elements.
From the existing media plane end-to-end call encryption shown in FIG. 1, in a media plane end-to-end call the exchange of digital certificates within the normal RTP media channel may fail, so the encrypted call cannot be used; that is, VoLTE call security is low, the security of VoLTE-based end-to-end calls cannot be guaranteed, and this may even raise national security issues.
FIG. 2 is a flowchart of a method for implementing end-to-end call encryption according to an embodiment of the present invention. As shown in FIG. 2, the method includes:
Step 200: During call establishment, exchange digital certificates and perform key parameter negotiation in a reliable transmission mode.
Before this step, the method further includes: establishing the reliable transmission mode, which specifically includes but is not limited to:
establishing a first media channel. Since the first media channel is a dedicated encryption negotiation media channel, distinct from the existing voice media channel used for the end-to-end encrypted call, the first media channel can use a reliable transport protocol. Or,
introducing a special mode in the voice media channel, in which the media packets in the media channel are analyzed and lost packets are retransmitted, and exchanging the digital certificates and negotiating the key parameters in this special mode. In this way, reliable transmission of the digital certificates and key information is also guaranteed.
Here,
the method for establishing the first media channel may be explicit, specifically: during call establishment, performing media negotiation by adding a dedicated encryption negotiation media line (such as an m line) in the SDP, so as to establish the first media channel, that is, the dedicated encryption negotiation media channel. A dedicated encryption negotiation media channel established in this explicit way is set up normally through media negotiation; therefore the current network side network elements already support it, with no additional network side requirements, which makes rapid deployment and promotion in the network easy. This explicit method is also convenient for standardization and industrialization and for promotion to government and enterprise users, rather than being limited to internal use by national security agencies.
The method for establishing the first media channel may also be implicit, specifically: pre-establishing the first media channel, that is, the dedicated encryption negotiation media channel, as a dedicated default connection. The establishment of this dedicated default connection is not reflected in the SDP process; it is a dedicated default connection agreed between the two parties to the call, UE1 and UE2. The dedicated default connection may use an agreed fixed port, such as a TCP connection on port 8080, or an agreed port associated with the actual media stream, such as a TCP connection on the audio port + 2. When the first media channel is established implicitly, because the dedicated encryption negotiation media channel is not set up through media negotiation, a network side network element such as an SBC is required to turn on the dedicated default connection by default.
Step 201: In the voice media channel, perform an end-to-end encrypted call using the negotiated key parameters. The voice media channel in this step is the media channel for the voice call established in the existing method shown in FIG. 1. The specific implementation of this step is the same as in the prior art and is not repeated here.
When the reliable transmission mode in step 200 is the mode, introduced in the voice media channel, that analyzes the media packets in the media channel and retransmits lost packets, the method further includes, before this step: restoring normal media packet processing.
In the method shown in FIG. 2, the digital certificates are exchanged and the key parameters negotiated over a reliable transmission mode, and the end-to-end encrypted call is then carried out in the existing media channel using the negotiated key parameters. This ensures the security of VoLTE-based end-to-end calls and at the same time safeguards national security.
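The special mode of step 200 (analyze the media packets in the voice channel, retransmit what was lost, then hand back to normal media processing) as an added simulation in Python; this is not the patent's own code. The packet framing, the loss model of the channel and the sample certificate are constructed for the example, and the prior-art single pass of FIG. 1 step 108 is included for comparison.

```python
# Added example (not the patent's own code): a simulation of the "special mode"
# for the in-band variant.  During call setup the receiver inspects every media
# packet in the voice channel, reports the gaps, and the sender retransmits only
# the lost packets, so a digital certificate (text that must arrive intact) gets
# through a transport that is otherwise unreliable; afterwards the call falls back
# to normal media handling.  The packet framing and the sample certificate are
# constructed for this example.
import random
import zlib

CHUNK_SIZE = 48  # bytes of certificate carried per media packet (constructed value)


def build_packets(payload):
    """Split the payload into (seq, total, crc32, data) packets."""
    chunks = [payload[i:i + CHUNK_SIZE] for i in range(0, len(payload), CHUNK_SIZE)] or [b""]
    return [(seq, len(chunks), zlib.crc32(data), data) for seq, data in enumerate(chunks)]


class LossyChannel:
    """Models an RTP-like media path: packets may be dropped and nothing retransmits them."""

    def __init__(self, loss_rate, seed=1):
        self.rng = random.Random(seed)
        self.loss_rate = loss_rate
        self.sent = self.dropped = 0

    def send(self, packets):
        self.sent += len(packets)
        delivered = [p for p in packets if self.rng.random() >= self.loss_rate]
        self.dropped += len(packets) - len(delivered)
        return delivered


class Receiver:
    """Special-mode receiver: analyzes each media packet, verifies its checksum and
    keeps track of which sequence numbers are still missing."""

    def __init__(self):
        self.got = {}
        self.total = None

    def accept(self, packets):
        for seq, total, crc, data in packets:
            if zlib.crc32(data) != crc:   # a corrupted chunk counts as lost
                continue
            self.total = total
            self.got[seq] = data

    def missing(self):
        if self.total is None:           # nothing has arrived yet
            return None
        return [s for s in range(self.total) if s not in self.got]

    def complete(self):
        return self.total is not None and not self.missing()

    def payload(self):
        return b"".join(self.got[s] for s in range(self.total))


def exchange_reliably(payload, channel, max_rounds=50):
    """Special mode: send, then resend only the chunks reported missing until the whole
    certificate has arrived.  Returns (data, rounds); raises if it never completes."""
    packets = build_packets(payload)
    rx = Receiver()
    rx.accept(channel.send(packets))
    rounds = 1
    while not rx.complete():
        if rounds >= max_rounds:
            raise TimeoutError("certificate exchange did not complete")
        lost = rx.missing()
        rx.accept(channel.send(packets if lost is None else [packets[s] for s in lost]))
        rounds += 1
    return rx.payload(), rounds


def exchange_unreliably(payload, channel):
    """Prior-art behaviour (FIG. 1, step 108): one pass over plain RTP, no retransmission.
    Returns the certificate only if every chunk happened to arrive, else None."""
    rx = Receiver()
    rx.accept(channel.send(build_packets(payload)))
    return rx.payload() if rx.complete() else None


# Constructed placeholder standing in for a PEM certificate; not a real certificate.
SAMPLE_CERT = (b"-----BEGIN CERTIFICATE-----\n"
               + b"MIICconstructedplaceholdercertificatebody\n" * 24
               + b"-----END CERTIFICATE-----\n")
```

Running both exchanges over a channel with the same seed and loss rate shows the one-pass in-band exchange failing while the special mode completes after a few retransmission rounds.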
进一步地,本发明实施例方法还包括:Further, the method of the embodiment of the present invention further includes:
在建立通话过程中,会话发起方如UE1在发起会话请求时,在语音媒体的媒体行中携带第一前置条件,如第一前置条件为:当在可靠传输方式下交换数字证书并进行密钥参数协商完成,再向接听方如UE2进行振铃提示。这样,如果数字证书的认证、密钥参数的协商等环节出现问题而无法建立加密通话时,由于此时用户并未处于摘机状态,因此,避免了对用户体验差的影响。其中,可以在SDP中扩展对应的属性条件来携带第一前置条件。During the establishment of the call, the session initiator, such as UE1, carries the first precondition in the media line of the voice media when the session request is initiated, for example, the first precondition is: when the digital certificate is exchanged in the reliable transmission mode, The key parameter negotiation is completed, and then the ringing prompt is sent to the receiving party such as UE2. In this way, if there is a problem in the authentication of the digital certificate, the negotiation of the key parameters, and the inability to establish an encrypted call, since the user is not in the off-hook state at this time, the influence on the user experience is avoided. The corresponding preconditions may be extended in the SDP to carry the first precondition.
或者,进一步地,本发明实施例方法还包括:Or, further, the method of the embodiment of the present invention further includes:
在建立通话过程中,会话发起方如UE1在发起会话请求时,在语音媒体的媒体行中携带第二前置条件,如第二前置条件为:完成资源预留,向接听方进行振铃提示。这里需要说明的是,在SDP中扩展对应的属性条件来携带第一前置条件,是需要网络中的各网元支持的。从兼容性的角度来看,如果即能达到第一前置条件的目的,同时又不需要扩展这些属性描述,就不需要网络中的各相关网元升级,也就是提高了本发明实施例提供的技术方案的兼容性。因此,本发明实施例的仅在SDP上使用现有的第二前提条件即资源预留机制,一方面,不需要网络中的各相关网元升级,同时也达到了第一前置条件的目的,更好地提升了本发明实施例提供的技术方案的兼容性。During the establishment of the call, the session initiator, such as UE1, carries the second pre-condition in the media line of the voice media when the session request is initiated. For example, the second pre-condition is: completing the resource reservation, and ringing to the receiving party. prompt. It should be noted that the extension of the corresponding attribute condition in the SDP to carry the first pre-condition is supported by each network element in the network. From the perspective of compatibility, if the purpose of the first pre-condition is reached, and the attribute descriptions are not required to be extended, the related network element upgrades in the network are not required, that is, the embodiments of the present invention are provided. Compatibility of technical solutions. Therefore, in the embodiment of the present invention, the existing second precondition, that is, the resource reservation mechanism is used only on the SDP. On the one hand, the related network elements in the network are not required to be upgraded, and the first precondition is also achieved. The compatibility of the technical solutions provided by the embodiments of the present invention is improved.
The technical solution provided by the embodiments of the present invention is described in detail below with reference to specific embodiments.
FIG. 3 is a schematic flowchart of a first embodiment of implementing end-to-end call encryption according to an embodiment of the present invention. The first embodiment establishes the first media channel in an explicit manner. As shown in FIG. 3, it includes:
Step 300: UE1 sends an INVITE call request carrying a Session Description Protocol (SDP) body to SBC1. From the point of view of media negotiation, this SDP is the Offer, i.e. the INVITE SDP offer.
In this step, in addition to the media line (m line) identifying the voice media used for the call, the SDP also carries a media line (m line) identifying the dedicated encryption negotiation.
Step 301: SBC1 forwards the INVITE SDP offer to the IMS.
Step 302: The IMS forwards the INVITE SDP offer to SBC2 on the called user side.
Step 303: SBC2 forwards the INVITE SDP offer to UE2.
Step 304: UE2 processes the received INVITE SDP offer, constructs an SDP and sends it to SBC2. From the point of view of media negotiation, this SDP is the Answer, i.e. UE2 returns a 200 OK SDP answer. Likewise, in addition to the media line (m line) identifying the voice media used for the call, the SDP also carries a media line (m line) identifying the dedicated encryption negotiation.
Step 305: SBC2 forwards the 200 OK SDP answer message to the IMS.
Step 306: The IMS forwards the 200 OK SDP answer message to SBC1.
Step 307: SBC1 forwards the 200 OK SDP answer message to UE1. At this point call establishment is complete: in addition to the voice media channel for the voice call, a dedicated first media channel for encryption negotiation has also been established.
Step 308: UE1 and UE2 exchange digital certificates in the first media channel.
This step is optional. If digital certificates are not needed, for example for identity authentication, this step can be omitted.
Step 309: UE1 and UE2 negotiate key parameters in the first media channel.
Step 310: UE1 and UE2 carry out an end-to-end encrypted call in the voice media channel using the negotiated key parameters.
Those skilled in the art know that if the above flow includes a 183 message or similar, the SDP Answer can be carried in the called party's 183 message.
The digital certificates and key parameters involved in steps 308 and 309 are transmitted over the network; from the point of view of data integrity, this transmission must be reliable. Transport protocols such as the Transmission Control Protocol (TCP) or the Stream Control Transmission Protocol (SCTP) can be used here.
It should be noted that a typical commercial IMS deployment includes an SBC; however, from the point of view of the technical solution, SBC1 and SBC2 are optional network elements.
An example of the SDP format is given here:
v=0
o=originator 2890844526 2890842808 IN IP4 controller.example.com
s=-
c=IN IP4 controller.example.com
m=application 49153 TCP
a=setup:active
a=connection:new
m=audio 49170 RTP/AVP 0
In the lines above, m=application 49153 TCP denotes the first media channel for the dedicated encryption negotiation, and m=audio denotes the voice media channel that needs to be encrypted.
If there are several actual media lines, for example several audio or video lines, the first media channel for encryption negotiation needs to be associated with the voice media channel that needs to be encrypted. Specifically, an id index can be added in an a line, for example:
m=application 49153 TCP cfw
a=setup:active
a=connection:new
a=id:H839quwhjdhegvdga
m=audio 49170 RTP/AVP 0
a=id:H839quwhjdhegvdga
As the lines above show, the encryption negotiation channel (m=application 49153 TCP cfw) and the voice channel (m=audio 49170 RTP/AVP 0) carry the same id (a=id:H839quwhjdhegvdga). That is, the encryption negotiation channel (m=application 49153 TCP cfw) provides the negotiation of encryption parameters for the voice channel (m=audio 49170 RTP/AVP 0).
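The following is an added example, not code from the patent or from its applicant, showing how a terminal would parse the two SDP bodies above and decide which m line is the dedicated negotiation channel and which voice line it protects. The two SDP bodies are taken from the patent text; the third (two audio lines, only one carrying the matching id) is constructed here to exercise the association rule. The class names and the rule that an audio line without a matching id is left unprotected are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# SDP bodies quoted from the patent text.
EXPLICIT_SDP = """v=0
o=originator 2890844526 2890842808 IN IP4 controller.example.com
s=-
c=IN IP4 controller.example.com
m=application 49153 TCP
a=setup:active
a=connection:new
m=audio 49170 RTP/AVP 0
"""

ASSOCIATED_SDP = """m=application 49153 TCP cfw
a=setup:active
a=connection:new
a=id:H839quwhjdhegvdga
m=audio 49170 RTP/AVP 0
a=id:H839quwhjdhegvdga
"""

# Constructed for this example: a second audio line whose id matches no negotiation channel.
MULTI_SDP = """m=application 49153 TCP cfw
a=setup:active
a=id:H839quwhjdhegvdga
m=audio 49170 RTP/AVP 0
a=id:H839quwhjdhegvdga
m=audio 49180 RTP/AVP 8
a=id:unrelated-channel-0001
"""


@dataclass
class MediaSection:
    media: str                 # "application", "audio", ...
    port: int
    proto: str                 # "TCP", "RTP/AVP", ...
    fmts: List[str]
    attrs: Dict[str, str] = field(default_factory=dict)


def parse_sdp(text: str) -> List[MediaSection]:
    """Split an SDP body into media sections; session-level lines are skipped."""
    sections: List[MediaSection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if len(line) < 2 or line[1] != "=":
            raise ValueError(f"malformed SDP line: {raw!r}")
        kind, value = line[0], line[2:]
        if kind == "m":
            parts = value.split()
            if len(parts) < 3:
                raise ValueError(f"malformed m line: {raw!r}")
            sections.append(MediaSection(parts[0], int(parts[1]), parts[2], parts[3:]))
        elif kind == "a" and sections:
            name, _, val = value.partition(":")
            sections[-1].attrs[name] = val      # media-level attribute
    return sections


def is_negotiation_channel(sec: MediaSection) -> bool:
    """The dedicated channel is an application m line over a reliable transport
    (TCP or SCTP, as the text requires for certificate and key integrity)."""
    return sec.media == "application" and sec.proto.split("/")[0] in ("TCP", "SCTP")


def pair_channels(sections: List[MediaSection]) -> List[Tuple[Optional[MediaSection], MediaSection]]:
    """Return (negotiation channel or None, audio channel) pairs.

    With exactly one negotiation line and one audio line and no a=id, the
    association is implicit. Otherwise the a=id index must match; an audio
    line with no matching negotiation channel is returned with None so the
    caller never treats it as protected."""
    negs = [s for s in sections if is_negotiation_channel(s)]
    audios = [s for s in sections if s.media == "audio"]
    if len(negs) == 1 and len(audios) == 1 and "id" not in audios[0].attrs:
        return [(negs[0], audios[0])]
    by_id = {n.attrs["id"]: n for n in negs if "id" in n.attrs}
    return [(by_id.get(a.attrs.get("id")), a) for a in audios]
```

The check that matters for a defender is the last branch: a voice line whose id matches no reliable negotiation channel must fall back to an unencrypted-call policy decision rather than being silently assumed to be covered.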
FIG. 4 is a schematic flowchart of a second embodiment of implementing end-to-end call encryption according to an embodiment of the present invention. The second embodiment establishes the first media channel in an implicit manner. As shown in FIG. 4, it includes:
Step 400: UE1 sends an INVITE call request carrying a Session Description Protocol (SDP) body to SBC1. From the point of view of media negotiation, this SDP is the Offer, i.e. the INVITE SDP offer.
In this step, the SDP carries a media line (m line) identifying the voice media used for the call.
Step 401: SBC1 forwards the INVITE SDP offer to the IMS.
Step 402: The IMS forwards the INVITE SDP offer to SBC2 on the called user side.
Step 403: SBC2 forwards the INVITE SDP offer to UE2.
Step 404: UE2 processes the received INVITE SDP offer, constructs an SDP and sends it to SBC2. From the point of view of media negotiation, this SDP is the Answer, i.e. UE2 returns a 200 OK SDP answer.
Step 405: SBC2 forwards the 200 OK SDP answer message to the IMS.
Step 406: If SBC2 is present in the deployment, SBC2 needs to bring up the first media channel for encryption negotiation over the dedicated default connection.
Step 407: The IMS forwards the 200 OK SDP answer message to SBC1.
Step 408: SBC1 forwards the 200 OK SDP answer message to UE1.
Step 409: If SBC1 is present in the deployment, SBC1 needs to bring up the first media channel for encryption negotiation over the dedicated default connection.
At this point call establishment is complete: in addition to the voice media channel for the voice call, a dedicated first media channel for encryption negotiation has also been established.
Step 410: UE1 and UE2 exchange digital certificates in the first media channel.
This step is optional. If digital certificates are not needed, for example for identity authentication, this step can be omitted.
Step 411: UE1 and UE2 negotiate key parameters in the first media channel.
Step 412: UE1 and UE2 carry out an end-to-end encrypted call in the voice media channel using the negotiated key parameters.
Those skilled in the art know that if the above flow includes a 183 message or similar, the SDP Answer can be carried in the called party's 183 message.
The establishment of the dedicated default connection is not reflected in the SDP procedure; it is a dedicated default connection agreed in advance by the two parties to the call, UE1 and UE2. The dedicated default connection can use a TCP connection on an agreed fixed port such as port 8080, or a TCP connection on an agreed port associated with the actual media stream, such as the audio port + 2.
It should be noted that a typical commercial IMS deployment includes an SBC; however, from the point of view of the technical solution, SBC1 and SBC2 are optional network elements.
FIG. 5 is a schematic flowchart of a third embodiment of implementing end-to-end call encryption according to an embodiment of the present invention. In the third embodiment, a special mode is introduced in the voice media channel, in which the media packets inside the media channel are analysed and lost packets are retransmitted. As shown in FIG. 5, it includes:
Step 500: UE1 sends an INVITE call request carrying a Session Description Protocol (SDP) body to SBC1. From the point of view of media negotiation, this SDP is the Offer, i.e. the INVITE SDP offer.
In this step, the SDP carries a media line (m line) identifying the voice media used for the call.
Step 501: SBC1 forwards the INVITE SDP offer to the IMS.
Step 502: The IMS forwards the INVITE SDP offer to SBC2 on the called user side.
Step 503: SBC2 forwards the INVITE SDP offer to UE2.
Step 504: UE2 processes the received INVITE SDP offer, constructs an SDP and sends it to SBC2. From the point of view of media negotiation, this SDP is the Answer, i.e. UE2 returns a 200 OK SDP answer.
Step 505: SBC2 forwards the 200 OK SDP answer message to the IMS.
Step 506: The IMS forwards the 200 OK SDP answer message to SBC1.
Step 507: SBC1 forwards the 200 OK SDP answer message to UE1. At this point call establishment is complete.
Step 508: UE1 and UE2 enter the special mode, i.e. the media packets inside the media channel, such as Real-time Transport Protocol (RTP) packets, are analysed and lost packets are retransmitted.
Step 509: In the special mode, UE1 and UE2 exchange digital certificates in the media channel.
This step is optional. If digital certificates are not needed, for example for identity authentication, this step can be omitted.
Step 510: In the special mode, UE1 and UE2 negotiate key parameters in the media channel.
Step 511: Once the key parameter negotiation is complete, UE1 and UE2 leave the special mode and restore normal RTP processing.
Step 512: UE1 and UE2 carry out an end-to-end encrypted call in the voice media channel using the negotiated key parameters.
Those skilled in the art know that if the above flow includes a 183 message or similar, the SDP Answer can be carried in the called party's 183 message.
It should be noted that a typical commercial IMS deployment includes an SBC; however, from the point of view of the technical solution, SBC1 and SBC2 are optional network elements.
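As an added example (not code from the patent or its applicant) of the special mode of steps 508 to 511, the simulation below chunks a negotiation message into RTP-numbered packets, lets the receiver detect gaps from the RTP sequence numbers, requests retransmission of exactly the missing packets, and reassembles the message only when every packet has arrived. The per-packet (index, total) framing inside the payload, the dynamic payload type 96, the 160-byte chunk size and the class names are assumptions of this example; the patent only states that RTP packets are analysed and lost packets retransmitted.

```python
import struct
from typing import Dict, List, Optional, Set, Tuple

CHUNK = 160          # payload bytes per packet (assumed, voice-frame sized)
PT_NEGOTIATION = 96  # dynamic payload type used only while in the special mode (assumed)


def build_rtp(seq: int, ts: int, ssrc: int, payload: bytes, pt: int = PT_NEGOTIATION) -> bytes:
    """RTP v2 fixed header (no padding, extension or CSRC, marker clear) + payload."""
    return struct.pack("!BBHII", 0x80, pt & 0x7F, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload


def parse_rtp(pkt: bytes) -> Tuple[int, int, int, int, bytes]:
    """Return (payload type, seq, timestamp, ssrc, payload); reject junk early."""
    if len(pkt) < 12:
        raise ValueError("truncated RTP packet")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    if b0 >> 6 != 2:
        raise ValueError("not an RTP v2 packet")
    return b1 & 0x7F, seq, ts, ssrc, pkt[12:]


class Sender:
    """Chunks a negotiation message into RTP packets and keeps them for retransmission."""

    def __init__(self, message: bytes, first_seq: int = 1000, ssrc: int = 0x5EC0DE):
        chunks = [message[i:i + CHUNK] for i in range(0, len(message), CHUNK)] or [b""]
        self.total = len(chunks)
        self.first_seq = first_seq
        self.store: Dict[int, bytes] = {}
        for i, chunk in enumerate(chunks):
            seq = (first_seq + i) & 0xFFFF
            # App framing (index, total) so the receiver can size its buffer
            # even when the very first packet is the one that was lost.
            framed = struct.pack("!HH", i, self.total) + chunk
            self.store[seq] = build_rtp(seq, i * CHUNK, ssrc, framed)

    def packets(self) -> List[bytes]:
        return [self.store[(self.first_seq + i) & 0xFFFF] for i in range(self.total)]

    def retransmit(self, seq: int) -> bytes:
        return self.store[seq]


class Receiver:
    """Analyses RTP sequence numbers, reports gaps, reassembles once complete."""

    def __init__(self) -> None:
        self.expected: Optional[List[int]] = None
        self.got: Dict[int, bytes] = {}

    def receive(self, pkt: bytes) -> None:
        pt, seq, _, _, payload = parse_rtp(pkt)
        if pt != PT_NEGOTIATION or len(payload) < 4:
            return                               # ordinary voice packet: ignore in special mode
        index, total = struct.unpack("!HH", payload[:4])
        if index >= total:
            return                               # inconsistent framing: drop
        if self.expected is None:
            base = (seq - index) & 0xFFFF        # recover the first seq from any packet
            self.expected = [(base + i) & 0xFFFF for i in range(total)]
        if seq in self.expected:
            self.got[seq] = payload[4:]

    def missing(self) -> List[int]:
        """Sequence numbers still outstanding: this is the retransmission request."""
        return [] if self.expected is None else [s for s in self.expected if s not in self.got]

    def reassemble(self) -> Optional[bytes]:
        if self.expected is None or self.missing():
            return None                          # never hand up a partial certificate or key blob
        return b"".join(self.got[s] for s in self.expected)


def deliver(message: bytes, drop_seqs: Set[int]) -> Tuple[Optional[bytes], List[int]]:
    """One pass over a lossy channel that drops the given seqs once, then one retransmission round."""
    tx, rx = Sender(message), Receiver()
    for pkt in tx.packets():
        if parse_rtp(pkt)[1] not in drop_seqs:
            rx.receive(pkt)
    asked = rx.missing()
    for seq in asked:
        rx.receive(tx.retransmit(seq))
    return rx.reassemble(), asked
```

The point of `reassemble` returning `None` rather than a partial buffer is that the receiver must never start the certificate check or key derivation on an incomplete message; that is the integrity property the text demands of the reliable transmission mode. A real implementation also needs a timer-driven repeat of the request when an entire burst (including the retransmission) is lost, which this one-round simulation omits.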
FIG. 6 is a schematic flowchart of a fourth embodiment of implementing end-to-end call encryption according to an embodiment of the present invention. In the fourth embodiment, the precondition is that the answering party, such as UE2, is rung only once the exchange of digital certificates and the key parameter negotiation over the reliable transmission mode have been completed. As shown in FIG. 6, it includes:
Step 600: UE1 sends an INVITE call request carrying a Session Description Protocol (SDP) body to SBC1. From the point of view of media negotiation, this SDP is the Offer, i.e. the INVITE SDP offer.
In this step, in addition to the media line (m line) identifying the voice media used for the call and the media line (m line) identifying the dedicated encryption negotiation, the SDP also carries a precondition, namely that the answering party, such as UE2, is rung only once the exchange of digital certificates and the key parameter negotiation over the reliable transmission mode have been completed.
Step 601: SBC1 forwards the INVITE SDP offer to the IMS.
Step 602: The IMS forwards the INVITE SDP offer to SBC2 on the called user side.
Step 603: SBC2 forwards the INVITE SDP offer to UE2.
Step 604: UE2 processes the received INVITE SDP offer, constructs an SDP and sends it to SBC2. From the point of view of media negotiation, this SDP is the Answer, i.e. UE2 returns a 200 OK SDP answer. Likewise, in addition to the media line (m line) identifying the voice media used for the call and the media line (m line) identifying the dedicated encryption negotiation, the SDP also carries the precondition, namely that the answering party, such as UE2, is rung only once the exchange of digital certificates and the key parameter negotiation over the reliable transmission mode have been completed.
The precondition can further carry a conf attribute line. The conf line indicates that the party receiving the conf indication in the media negotiation needs to send the other party a message notifying it that the precondition has been met once it is met.
Step 605: SBC2 forwards the 183 SDP answer message to the IMS.
Step 606: The IMS forwards the 183 SDP answer message to SBC1.
Step 607: SBC1 forwards the 183 SDP answer message to UE1. At this point call establishment is complete: in addition to the voice media channel for the voice call, a dedicated first media channel for encryption negotiation has also been established.
Step 608: UE1 and UE2 exchange digital certificates in the first media channel.
This step is optional. If digital certificates are not needed, for example for identity authentication, this step can be omitted.
Step 609: UE1 and UE2 negotiate key parameters in the first media channel.
Step 610: Because the key parameter negotiation is complete, the precondition of the voice media channel is met, and UE1 sends an UPDATE carrying the status that the precondition is met.
Step 611: SBC1 forwards the UPDATE request to the IMS.
Step 612: The IMS forwards the UPDATE request to SBC2 on the called user side.
Step 613: SBC2 forwards the UPDATE request to UE2.
Step 614: UE2 accepts the UPDATE message, constructs a 200 OK response and sends it to SBC2.
Step 615: SBC2 forwards the 200 OK message to the IMS.
Step 616: The IMS forwards the 200 OK message to SBC1.
Step 617: SBC1 forwards the 200 OK message to UE1.
It should be noted that steps 610 to 617 above can be omitted.
Step 618: Because the precondition is met, UE2 rings to alert the user of the incoming call and at the same time sends a 180 to SBC2.
Step 619: SBC2 forwards the 180 message to the IMS.
Step 620: The IMS forwards the 180 message to SBC1.
Step 621: SBC1 forwards the 180 message to UE1.
Step 622: The called user (UE2) goes off-hook, and UE2 sends a 200 OK to SBC2.
Step 623: SBC2 forwards the 200 OK message to the IMS.
Step 624: The IMS forwards the 200 OK message to SBC1.
Step 625: SBC1 forwards the 200 OK message to UE1.
Step 626: UE1 and UE2 carry out an end-to-end encrypted call in the voice media channel using the negotiated key parameters.
It should be noted that, since the key parameter negotiation is end-to-end, UE2 can itself know when the key negotiation has been completed. Therefore, the 183 in step 604 need not carry the conf line, and correspondingly steps 610 to 617 can be omitted.
It should be noted that a typical commercial IMS deployment includes an SBC; however, from the point of view of the technical solution, SBC1 and SBC2 are optional network elements.
An example of the format of the precondition part of the SDP is given here:
SDP in the INVITE request:
m=audio 20000 RTP/AVP 0
a=curr:encryption e2e none
a=des:encryption mandatory e2e sendrecv
Here, a=curr:encryption e2e none indicates that the current precondition is not yet met; a=des:encryption mandatory e2e sendrecv indicates the desired precondition, namely that the key parameter negotiation is complete.
The SDP format in the 183 is as follows:
m=audio 20000 RTP/AVP 0
a=curr:encryption e2e none
a=des:encryption mandatory e2e sendrecv
a=conf:encryption e2e sendrecv
Here, a=conf:encryption e2e sendrecv indicates that if the peer's precondition reaches this status, the peer needs to send a status notification.
The SDP format in the UPDATE or 200 OK is as follows:
m=audio 20000 RTP/AVP 0
a=curr:encryption e2e sendrecv
a=des:encryption mandatory e2e sendrecv
Here, a=curr:encryption e2e sendrecv indicates that the current precondition has been met.
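As an added example (not code from the patent or its applicant), the following evaluates the a=curr / a=des / a=conf attribute lines of the three SDP fragments above and decides what the local side should do next: keep waiting, send the UPDATE of step 610, or proceed to ringing. The patent's "encryption" precondition type is an extension of the a=curr/a=des/a=conf attribute syntax of the SDP precondition framework (RFC 3312); the evaluation rules here (a mandatory desired status must be covered by the current status; "sendrecv" covers every direction; a conf request is honoured once the status is reached) are this example's assumptions about that framework, and the function names are constructed.

```python
from typing import Dict, List, Tuple

Key = Tuple[str, str]   # (precondition type, status tag), e.g. ("encryption", "e2e")

# Attribute lines quoted from the patent text.
INVITE_ATTRS = ["a=curr:encryption e2e none",
                "a=des:encryption mandatory e2e sendrecv"]
ANSWER_183_ATTRS = ["a=curr:encryption e2e none",
                    "a=des:encryption mandatory e2e sendrecv",
                    "a=conf:encryption e2e sendrecv"]
UPDATE_ATTRS = ["a=curr:encryption e2e sendrecv",
                "a=des:encryption mandatory e2e sendrecv"]


def _covers(current: str, desired: str) -> bool:
    """Does the direction `current` satisfy the direction `desired`?"""
    return desired == "none" or current == "sendrecv" or current == desired


def parse_precondition_attrs(lines: List[str]):
    """Return (curr, des, conf) tables built from a=curr / a=des / a=conf lines.

    curr: Key -> direction            des: Key -> (strength, direction)
    conf: Key -> direction the peer wants to be told about."""
    curr: Dict[Key, str] = {}
    des: Dict[Key, Tuple[str, str]] = {}
    conf: Dict[Key, str] = {}
    for line in lines:
        if not line.startswith("a="):
            continue
        name, _, rest = line[2:].partition(":")
        tok = rest.split()
        if name == "curr" and len(tok) == 3:
            curr[(tok[0], tok[1])] = tok[2]
        elif name == "des" and len(tok) == 4:
            des[(tok[0], tok[2])] = (tok[1], tok[3])
        elif name == "conf" and len(tok) == 3:
            conf[(tok[0], tok[1])] = tok[2]
    return curr, des, conf


def precondition_met(curr: Dict[Key, str], des: Dict[Key, Tuple[str, str]]) -> bool:
    """Every mandatory desired status is covered by the current status."""
    for key, (strength, want) in des.items():
        if strength == "mandatory" and not _covers(curr.get(key, "none"), want):
            return False
    return True


def sdp_precondition_met(lines: List[str]) -> bool:
    """Evaluate an SDP fragment on its own terms (what its curr says about its des)."""
    curr, des, _ = parse_precondition_attrs(lines)
    return precondition_met(curr, des)


def next_action(peer_lines: List[str], local_curr: Dict[Key, str]) -> str:
    """Given the last precondition lines received from the peer and our own
    current status table, return "wait", "update" or "proceed"."""
    _, des, conf = parse_precondition_attrs(peer_lines)
    if not precondition_met(local_curr, des):
        return "wait"                     # key negotiation not done: do not ring
    for key, want in conf.items():
        if _covers(local_curr.get(key, "none"), want):
            return "update"               # peer asked to be told (step 610)
    return "proceed"                      # precondition met, nothing owed to the peer
```

Because the status is evaluated against what was actually negotiated end to end (`local_curr`), a peer cannot advance the call to ringing merely by asserting `a=curr:... sendrecv` in signalling that the local side has not observed to be true.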
FIG. 7 is a schematic flowchart of a fifth embodiment of implementing end-to-end call encryption according to an embodiment of the present invention. In the fifth embodiment, completion of resource reservation is used as the precondition. As shown in FIG. 7, it includes:
Step 700: UE1 sends an INVITE call request carrying a Session Description Protocol (SDP) body to SBC1. From the point of view of media negotiation, this SDP is the Offer, i.e. the INVITE SDP offer.
In this step, in addition to the media line (m line) identifying the voice media used for the call and the media line (m line) identifying the dedicated encryption negotiation, the SDP also carries a precondition, namely completion of resource reservation.
Step 701: SBC1 forwards the INVITE SDP offer to the IMS.
Step 702: The IMS forwards the INVITE SDP offer to SBC2 on the called user side.
Step 703: SBC2 forwards the INVITE SDP offer to UE2.
Step 704: UE2 processes the received INVITE SDP offer, constructs an SDP and sends it to SBC2. From the point of view of media negotiation, this SDP is the Answer, i.e. UE2 returns a 200 OK SDP answer. Likewise, in addition to the media line (m line) identifying the voice media used for the call and the media line (m line) identifying the dedicated encryption negotiation, the SDP also carries the precondition, namely completion of resource reservation.
The precondition can further carry a conf attribute line. The conf line is prior art; it indicates that the party receiving the conf indication in the media negotiation needs to send the other party a message notifying it that the precondition has been met once it is met.
Step 705: SBC2 forwards the 183 SDP answer message to the IMS.
Step 706: The IMS forwards the 183 SDP answer message to SBC1.
Step 707: SBC1 forwards the 183 SDP answer message to UE1. At this point call establishment is complete: in addition to the voice media channel for the voice call, a dedicated first media channel for encryption negotiation has also been established.
Step 708: UE1 and UE2 exchange digital certificates in the first media channel.
This step is optional. If digital certificates are not needed, for example for identity authentication, this step can be omitted.
Step 709: UE1 and UE2 negotiate key parameters in the first media channel.
Step 710: Resource reservation at UE1 is completed, and resource reservation at UE2 is completed.
Step 711: Because the key parameter negotiation is complete and the resource reservations of UE1 and UE2 are also complete, the precondition of the voice media channel is met, and UE1 sends an UPDATE carrying the status that the precondition is met.
Step 712: SBC1 forwards the UPDATE request to the IMS.
Step 713: The IMS forwards the UPDATE request to SBC2 on the called user side.
Step 714: SBC2 forwards the UPDATE request to UE2.
Step 715: UE2 accepts the UPDATE message, constructs a 200 OK response and sends it to SBC2.
Step 716: SBC2 forwards the 200 OK message to the IMS.
Step 717: The IMS forwards the 200 OK message to SBC1.
Step 718: SBC1 forwards the 200 OK message to UE1.
Step 719: Resource reservation at UE1 is complete, resource reservation at UE2 is also complete, and the key negotiation is also complete, i.e. all preconditions are met. UE2 rings to alert the user of the incoming call and at the same time sends a 180 to SBC2.
Step 720: SBC2 forwards the 180 message to the IMS.
Step 721: The IMS forwards the 180 message to SBC1.
Step 722: SBC1 forwards the 180 message to UE1.
Step 723: The called user (UE2) goes off-hook, and UE2 sends a 200 OK to SBC2.
Step 724: SBC2 forwards the 200 OK message to the IMS.
Step 725: The IMS forwards the 200 OK message to SBC1.
Step 726: SBC1 forwards the 200 OK message to UE1.
Step 727: UE1 and UE2 carry out an end-to-end encrypted call in the voice media channel using the negotiated key parameters.
In the specific implementation of this embodiment, the signalling carries only the attribute line for the resource reservation precondition; it does not need to carry the extended attribute line for the key negotiation precondition used in the embodiment shown in FIG. 6.
本发明实施例再提供了一种计算机可读存储介质,存储有计算机可执行指令,所述计算机可执行指令用于执行上述任一实现端到端通话加密的方法。The embodiment of the invention further provides a computer readable storage medium storing computer executable instructions for performing any of the above methods for implementing end-to-end call encryption.
图8为本发明实施例实现端到端通话加密的终端的组成结构示意图,如图8所示,至少包括第一处理模块80,第二处理模块81,其中,FIG. 8 is a schematic structural diagram of a terminal for implementing an end-to-end call encryption according to an embodiment of the present invention. As shown in FIG. 8, the method includes at least a first processing module 80 and a second processing module 81.
第一处理模块80,设置为在建立通话过程中,在可靠传输方式下交换数字证书并进行密钥参数协商;The first processing module 80 is configured to exchange digital certificates and perform key parameter negotiation in a reliable transmission mode during the establishment of the call;
第二处理模块81,设置为在语音媒体通道中,利用协商的密钥参数进行端到端的加密通话。The second processing module 81 is configured to perform an end-to-end encrypted call using the negotiated key parameters in the voice media channel.
具体地,specifically,
本发明终端还包括收发模块82,设置为在通过在SDP增加专用的加密协商的媒体行(m行),进行媒体协商,以建立第一媒体通道;或者,预先建立第一媒体通道即专用的加密协商的媒体通道为专用默认连接;或者,对媒体通道内的媒体包进行分析,并对丢包进行重传,并在完成交换数字证书并进行密钥参数协商时恢复正常的媒体包处理;The terminal of the present invention further includes a transceiver module 82 configured to perform media negotiation by adding a dedicated encryption negotiation media line (m line) in the SDP to establish a first media channel; or pre-establishing a first media channel, that is, dedicated The media channel of the encryption negotiation is a dedicated default connection; or, the media packet in the media channel is analyzed, and the lost packet is retransmitted, and the normal media packet processing is resumed when the digital certificate is exchanged and the key parameter negotiation is performed;
此时,at this time,
The first processing module 80 is specifically configured to: during call establishment, exchange digital certificates and perform key parameter negotiation in the first media channel; or, complete the exchange of digital certificates and the key parameter negotiation by analysing the media packets in the media channel and retransmitting lost packets.
Further, the transceiver module 82 is also configured to:
during call establishment, when initiating a session request, carry a first precondition in the media line of the voice media; where the first precondition is: the exchange of digital certificates and the key parameter negotiation have been completed in the reliable transmission mode. In this case,
the terminal of the present invention further includes a ringing processing module 83, configured to initiate a ringing prompt to the called party when the first precondition is satisfied.
Further,
the transceiver module 82 is also configured to: during call establishment, when initiating a session request, carry a second precondition in the media line of the voice media; where the second precondition is: resource reservation has been completed. In this case,
the terminal of the present invention further includes a resource reservation module 84, configured to complete the reservation of resources.
The ringing processing module 83 is configured to initiate a ringing prompt to the called party when the second precondition is satisfied.
FIG. 9 is a schematic structural diagram of a network side network element for implementing end-to-end call encryption according to an embodiment of the present invention. As shown in FIG. 9, it includes at least a forwarding module 90 and a media channel processing module 91, where:
the forwarding module 90 is configured to forward messages during call establishment;
the media channel processing module 91 is configured to pre-establish the first media channel, i.e. the dedicated encryption negotiation media channel, as a dedicated default connection, and to turn on the pre-established first media channel when call establishment is complete.
The network side network element may be an IMS access side device such as an SBC.
The above are merely preferred embodiments of the present invention and are not intended to limit the scope of protection of the present invention. Any modifications, equivalent substitutions, improvements and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
Industrial applicability
The method of implementing end-to-end call encryption, the terminal and the network side network element proposed by the embodiments of the present invention include: during call establishment, exchanging digital certificates and performing key parameter negotiation in a reliable transmission mode; and, in the voice media channel, conducting an end-to-end encrypted call using the negotiated key parameters. In the embodiments of the present invention, the digital certificates are exchanged and the key parameters are negotiated over a reliable transmission mode, and the end-to-end encrypted call is then conducted in the existing media channel using the negotiated key parameters. This ensures the security of VoLTE-based end-to-end calls and also safeguards national security.
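As an added example (not code from the patent or its assignee), the following Python simulates the second reliable-transmission option described above: the certificate and key-parameter blob is carried in sequence-numbered packets over the lossy voice media channel, the receiver analyses the sequence numbers and requests the gaps, the sender retransmits until everything has arrived, and only then is the first precondition satisfied so the called party may be rung. The fragment size, the packet format and the loss pattern are constructed assumptions, not taken from the patent.

```python
# Added example, not the patent's own code. Simulates reliable delivery of the
# encryption-negotiation blob over a lossy media channel by analysing received
# sequence numbers and retransmitting the lost packets.

FRAG = 16  # constructed: payload bytes per negotiation packet (small, to force several packets)


def fragment(blob: bytes) -> dict[int, bytes]:
    """Split the negotiation blob into sequence-numbered, media-sized packets."""
    return {i: blob[off:off + FRAG] for i, off in enumerate(range(0, len(blob), FRAG))}


class NegotiationReceiver:
    """Collects negotiation packets and reports which sequence numbers are missing."""

    def __init__(self, total: int):
        self.total = total
        self.got: dict[int, bytes] = {}

    def accept(self, seq: int, payload: bytes) -> None:
        self.got[seq] = payload

    def missing(self) -> list[int]:
        """Analyse the received sequence numbers; the gaps become the retransmission request."""
        return [s for s in range(self.total) if s not in self.got]

    def reassemble(self) -> bytes:
        return b"".join(self.got[s] for s in range(self.total))


def deliver_reliably(blob: bytes, dropped: set, max_rounds: int = 10) -> tuple[bytes, int]:
    """Send blob over a lossy channel; `dropped` holds (seq, round) pairs that are lost.

    Returns the reassembled blob and the number of send rounds it took.
    Raises RuntimeError if packets are still missing after max_rounds.
    """
    packets = fragment(blob)
    rx = NegotiationReceiver(len(packets))
    pending = list(packets)  # round 1 sends every packet
    rounds = 0
    while pending:
        rounds += 1
        if rounds > max_rounds:
            raise RuntimeError(f"negotiation failed, still missing {pending}")
        for seq in pending:
            if (seq, rounds) not in dropped:  # packet survived the channel
                rx.accept(seq, packets[seq])
        pending = rx.missing()  # the receiver's retransmission request
    return rx.reassemble(), rounds


def may_ring(negotiation_done: bool, resources_reserved: bool) -> bool:
    """Both preconditions carried in the offer's media line must hold before ringing."""
    return negotiation_done and resources_reserved


if __name__ == "__main__":
    # Constructed blob standing in for the certificate plus key parameters.
    cert_and_params = b"-----CONSTRUCTED CERT-----" + bytes(range(40)) + b"|nonce=0123"
    # Constructed loss pattern: packet 0 lost in round 1, packet 3 lost in rounds 1 and 2.
    received, rounds = deliver_reliably(cert_and_params, {(0, 1), (3, 1), (3, 2)})
    print(received == cert_and_params, rounds, may_ring(received == cert_and_params, True))  # True 3 True
```

Once `deliver_reliably` returns, the terminal would restore normal media packet processing on the voice channel, as claim 6 requires, before the encrypted call starts.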

Claims (16)

  1. A method of implementing end-to-end call encryption, comprising: during call establishment, exchanging digital certificates and performing key parameter negotiation in a reliable transmission mode;
    in a voice media channel, conducting an end-to-end encrypted call using the negotiated key parameters.
  2. The method according to claim 1, further comprising, beforehand, establishing the reliable transmission mode, which comprises:
    establishing a first media channel, the first media channel being a dedicated encryption negotiation media channel; or,
    introducing, in the voice media channel, a mode in which the media packets in the media channel are analysed and lost packets are retransmitted, so as to exchange the digital certificates and perform the key parameter negotiation.
  3. The method according to claim 2, wherein the first media channel is established in an explicit manner, specifically comprising:
    during the call establishment, performing media negotiation by adding a dedicated encryption negotiation media line in the Session Description Protocol (SDP), so as to establish the first media channel.
  4. The method according to claim 2, wherein the first media channel is established in an implicit manner, specifically comprising: establishing the first media channel as a dedicated default connection.
  5. The method according to claim 4, further comprising, before exchanging the digital certificates and performing the key parameter negotiation in the reliable transmission mode: turning on the dedicated default connection.
  6. The method according to claim 2, wherein, when the reliable transmission mode is the mode introduced in the voice media channel in which the media packets in the media channel are analysed and lost packets are retransmitted,
    before conducting the end-to-end encrypted call in the voice media channel using the negotiated key parameters, the method further comprises: restoring normal media packet processing.
  7. The method according to any one of claims 1 to 6, wherein, during the call establishment, the method further comprises: when initiating a session request, the session initiator carrying a first precondition in the media line of the voice media;
    wherein the first precondition is: when the exchange of the digital certificates and the key parameter negotiation in the reliable transmission mode have been completed, a ringing prompt is given to the called party.
  8. The method according to any one of claims 1 to 6, wherein, during the call establishment, the method further comprises: when initiating a session request, the session initiator carrying a second precondition in the media line of the voice media;
    wherein the second precondition is: when resource reservation has been completed, a ringing prompt is given to the called party.
  9. A terminal, comprising a first processing module and a second processing module, wherein
    the first processing module is configured to exchange digital certificates and perform key parameter negotiation in a reliable transmission mode during call establishment;
    the second processing module is configured to conduct an end-to-end encrypted call in a voice media channel using the negotiated key parameters.
  10. The terminal according to claim 9, further comprising a transceiver module configured to: perform media negotiation by adding a dedicated encryption negotiation media line in the SDP, so as to establish a first media channel; or, establish the first media channel, i.e. the dedicated encryption negotiation media channel, as a dedicated default connection; or, analyse the media packets in the media channel and retransmit lost packets, and restore normal media packet processing once the exchange of digital certificates and the key parameter negotiation are complete;
    correspondingly,
    the first processing module is specifically configured to: during the call establishment, exchange the digital certificates and perform the key parameter negotiation in the first media channel; or, complete the exchange of the digital certificates and the key parameter negotiation by analysing the media packets in the media channel and retransmitting lost packets.
  11. The terminal according to claim 10, wherein the transceiver module is further configured to:
    during the call establishment, when initiating a session request, carry a first precondition in the media line of the voice media; wherein the first precondition is: the exchange of digital certificates and the key parameter negotiation have been completed in the reliable transmission mode; correspondingly,
    the terminal further comprises a ringing processing module, configured to initiate a ringing prompt to the called party when the first precondition is satisfied.
  12. The terminal according to claim 10, wherein the transceiver module is further configured to: during the call establishment, when initiating a session request, carry a second precondition in the media line of the voice media; wherein the second precondition is: resource reservation has been completed; correspondingly,
    the terminal further comprises:
    a resource reservation module, configured to complete the reservation of resources;
    a ringing module, configured to initiate a ringing prompt to the called party when the second precondition is satisfied.
  13. A network side network element, comprising a forwarding module and a media channel processing module, wherein
    the forwarding module is configured to forward messages during call establishment;
    the media channel processing module is configured to pre-establish a first media channel, the first media channel being a dedicated encryption negotiation media channel, and to turn on the pre-established first media channel when call establishment is complete.
  14. The network side network element according to claim 13, wherein the network side network element is an IP Multimedia Subsystem (IMS) access side device.
  15. The network side network element according to claim 14, wherein the IMS access side device is a Session Border Controller (SBC).
  16. A computer readable storage medium storing computer executable instructions, the computer executable instructions being used to perform the method of implementing end-to-end call encryption according to any one of claims 1 to 8.
PCT/CN2016/081313 2015-09-17 2016-05-06 Method of implementing end-to-end conversation encryption, terminal and network element of network side WO2017045407A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510593385.1A CN106549906A (en) 2015-09-17 2015-09-17 Realize method, terminal and the network side element of end-to-end call encryption
CN201510593385.1 2015-09-17

Publications (1)

Publication Number Publication Date
WO2017045407A1 true WO2017045407A1 (en) 2017-03-23

Country Status (2)

Country Link
CN (1) CN106549906A (en)
WO (1) WO2017045407A1 (en)

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 16845521; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 16845521; Country of ref document: EP; Kind code of ref document: A1)