CN104683304A - Processing method, equipment and system of secure communication service (Google Patents)

Info

Publication number: CN104683304A
Authority: CN (China)
Prior art keywords: terminal equipment, session key, encryption, key, kmc
Legal status: Granted
Application number: CN201310631793.2A
Other languages: Chinese (zh)
Other versions: CN104683304B (en)
Inventors: 杨志强, 侯长江, 刘斐, 田野, 柏洪涛
Current assignee: China Mobile Communications Group Co Ltd
Original assignee: China Mobile Communications Group Co Ltd

Events
Application filed by China Mobile Communications Group Co Ltd
Priority to CN201310631793.2A
Publication of CN104683304A
Application granted
Publication of CN104683304B
Current legal status: Active

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/06: Network architectures or network communication protocols for network security for supporting key management in a packet data network

Abstract

The invention discloses a processing method, equipment and system for a secure communication service. An encryption application server and a key management center are introduced into an IMS (IP Multimedia Subsystem) network; when the encryption application server receives a secure communication service establishment request message sent by first terminal equipment, it sends a session key request message to the key management center, receives the encrypted session key returned by the key management center, and sends the encrypted session key to the first terminal equipment. Secure communication is thus provided by the operator as a service to the user through the encryption application server, and the encrypted session key is obtained by the encryption application server from the key management center and issued to the terminal equipment, which increases the operator's control over secure communication and improves the processing efficiency of the system; the introduced key management center realizes the user's management of the whole life cycle of the key, which increases the security of the secure communication service performed between users.

Description

Processing method, equipment and system for a secure communication service
Technical field
The present invention relates to the fields of wireless communication technology and security technology, and in particular to a processing method, equipment and system for a secure communication service in an IMS (IP Multimedia Subsystem) service system.
Background technology
In order to provide end-to-end encryption protection for the user service information carried and transmitted on the IMS (IP Multimedia Subsystem) media plane, 3GPP (3rd Generation Partnership Project, the standardization body for third-generation mobile communication) proposes in TS 33.328 two relatively independent media-plane key management schemes. They perform the negotiation of the media-plane session key; using the negotiated session key, the communication system establishes a security association between the calling and called terminals, or between a terminal and the IMS network, and protects the user's media-plane information with SRTP (Secure Real-time Transport Protocol) or IPsec (Internet Protocol Security).
The two relatively independent media-plane key management schemes proposed by 3GPP in TS 33.328 are SDES (Session Description Protocol Security Descriptions for Media Streams) and KMS (Key Management Service).
1. Key management scheme based on SDES.
Specifically, SDES is a simple key management protocol designed for the protection of media streams. It adds a cryptographic attribute to the existing SDP (Session Description Protocol) that carries the session key and parameter information generated by the terminal, completing the security parameter configuration of unicast streaming media data.
When SDES is applied in an IMS system, terminal equipment A and terminal equipment B exchange the session keys that each has generated for media stream confidentiality during SIP (Session Initiation Protocol) session establishment.
Figure 1 is a schematic diagram of the SDES key management workflow. On the one hand, when the SIP session is established, terminal equipment A writes the session key K1, used to protect the media stream sent from terminal equipment A to terminal equipment B, into the SDP cryptographic attribute, and sends it to terminal equipment B carried in a signaling-plane SIP message.
On the other hand, after receiving the SIP message sent by terminal equipment A, terminal equipment B stores key K1, and sends the session key K2, used to protect the media stream sent from terminal equipment B to terminal equipment A, to terminal equipment A in a SIP response message.
After terminal equipment A receives and stores key K2, terminal equipment A and terminal equipment B both hold session key K1 and session key K2.
Thereafter, terminal equipment A and terminal equipment B use session key K1 and session key K2 respectively to encrypt and decrypt the media streams carried by the SRTP protocol, thereby keeping user data confidential.
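As an added illustration of the SDES mechanism described above (example code written for this page, not part of the patent or of any 3GPP specification), the following Python builds the SDP crypto attribute that carries K1 in the format of RFC 4568, simulates the offer/answer exchange of Figure 1, and shows that recovering K1 and K2 from the SDP needs nothing beyond the SDP text itself, which is exactly why the keys are only as confidential as the SIP hop that carries them. The IP addresses, ports and key bytes are constructed sample values; the suite name and the layout of the inline value (a 16-byte master key followed by a 14-byte master salt for AES_CM_128_HMAC_SHA1_80) follow RFC 4568.

```python
import base64
import re

# RFC 4568 crypto attribute: a=crypto:<tag> <suite> inline:<base64(key||salt)>[|lifetime][|MKI:len]
# For AES_CM_128_HMAC_SHA1_80 the inline value is base64 of 16 key bytes + 14 salt bytes.
SUITE = "AES_CM_128_HMAC_SHA1_80"
KEY_LEN, SALT_LEN = 16, 14

CRYPTO_RE = re.compile(
    r"^a=crypto:(?P<tag>\d+) (?P<suite>\S+) inline:(?P<keysalt>[A-Za-z0-9+/=]+)"
    r"(?:\|(?P<lifetime>2\^\d+|\d+))?(?:\|(?P<mki>\d+:\d+))?"
)


def make_crypto_attribute(tag: int, master_key: bytes, master_salt: bytes) -> str:
    """Build the a=crypto line that terminal A places in its SDP offer for K1."""
    if len(master_key) != KEY_LEN or len(master_salt) != SALT_LEN:
        raise ValueError("key/salt length does not match the suite")
    keysalt = base64.b64encode(master_key + master_salt).decode("ascii")
    return f"a=crypto:{tag} {SUITE} inline:{keysalt}|2^20|1:32"


def build_sdp(ip: str, port: int, master_key: bytes, master_salt: bytes) -> str:
    """Minimal SDP body for one SRTP audio stream (constructed sample values)."""
    lines = [
        "v=0",
        f"o=term 1 1 IN IP4 {ip}",
        "s=-",
        f"c=IN IP4 {ip}",
        "t=0 0",
        f"m=audio {port} RTP/SAVP 0",
        make_crypto_attribute(1, master_key, master_salt),
    ]
    return "\r\n".join(lines) + "\r\n"


def extract_inline_keys(sdp: str) -> list[dict]:
    """Recover every inline key from an SDP body.

    This is the same parse the receiving SRTP endpoint performs; it needs only
    the SDP text, so whoever can read the SIP message that carries the SDP
    holds the media key.  That is the weakness the SDES discussion points at.
    """
    found = []
    for line in sdp.splitlines():
        m = CRYPTO_RE.match(line.strip())
        if not m:
            continue
        raw = base64.b64decode(m["keysalt"])
        found.append({
            "tag": int(m["tag"]),
            "suite": m["suite"],
            "master_key": raw[:KEY_LEN],
            "master_salt": raw[KEY_LEN:KEY_LEN + SALT_LEN],
            "lifetime": m["lifetime"],
            "mki": m["mki"],
        })
    return found


def sdes_exchange(k1: bytes, salt1: bytes, k2: bytes, salt2: bytes) -> tuple[bytes, bytes]:
    """Simulate the offer/answer of Figure 1: A offers K1, B answers with K2.

    Returns (key A learned from B, key B learned from A) so a caller can check
    that both sides end up holding both keys.
    """
    offer = build_sdp("192.0.2.10", 49170, k1, salt1)       # A -> B inside the SIP INVITE
    k1_at_b = extract_inline_keys(offer)[0]["master_key"]   # B stores K1
    answer = build_sdp("192.0.2.20", 49172, k2, salt2)      # B -> A inside the SIP 200 OK
    k2_at_a = extract_inline_keys(answer)[0]["master_key"]  # A stores K2
    return k2_at_a, k1_at_b
```

The parser is deliberately the whole story: there is no step in it that an intermediate SIP element, or anyone reading plaintext signaling inside the core, could not also perform, which is the reason the text gives for SDES being only as strong as the signaling protection on every hop.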
However, in the SDES scheme the session key is transmitted in signaling-plane SIP messages, so its security depends entirely on the security of the SIP signaling.
There are two common security mechanisms for SIP signaling:
One is based on the IMS network domain security mechanism, i.e. the security of the SIP signaling relies entirely on the security of the IMS network domain. However, an IMS network normally applies encryption only between the terminal equipment and the SBC (Session Border Controller), protecting the SIP signaling on the terminal's access link, while SIP signaling inside the core network of the IMS network is transmitted in plaintext. An attacker can therefore exploit this plaintext transmission of SIP signaling to obtain the session key contained in the signaling and eavesdrop on the media-plane information exchanged between the terminal equipment, which reduces the security of calls between users.
The other is based on S/MIME (Secure Multipurpose Internet Mail Extensions) encryption protection, i.e. the S/MIME protocol is used to encrypt the SDP (Session Description Protocol) message content carried in the SIP signaling end to end. When the terminal equipment has no pre-shared key, a public key certificate system is used: before transmitting the session key, the terminal equipment must obtain the peer's public key from the public key certificate system, and then encrypt the SIP signaling content with the obtained public key before transmission. This approach separates key management completely from session management; the operator cannot control key management and is bypassed in terms of security, so it cannot meet the operator's need to run a secure communication service, and its practical application is restricted.
2. Key management scheme based on KMS.
Specifically, the KMS entity authenticates the calling and called terminals based on the GBA (Generic Bootstrapping Architecture) mechanism, and delivers the generated session key to the calling and called terminals through the secure channel established after successful authentication. Figure 2 is a schematic flow diagram of KMS key management.
Using the unified authentication capability that the operator provides for upper-layer application services based on GBA, the KMS establishes a security association between the calling and called terminals and transmits information such as the session key in encrypted form.
However, since the BSF (Bootstrapping Server Function), the core entity of GBA authentication, is managed and maintained by the operator and is responsible for generating and maintaining the session key between the KMS and the terminal equipment, the operator is in practice responsible for establishing the secure key transmission channel, and the security of the session key transmission that the terminal equipment needs depends on the operator. As a result, the KMS key management scheme cannot meet the terminal equipment's demand for a high security level of key management, and it is even less suitable for the operator to run a secure communication service.
It can be seen that the current methods of providing end-to-end encryption protection for user service information transmitted on the IMS media plane neither meet the respective demands of users and operators nor provide adequate security.
Summary of the invention
Embodiments of the present invention provide a processing method, equipment and system for a secure communication service, to solve the problem that the existing methods of end-to-end encryption protection for user service information carried on the IMS media plane neither meet the respective demands of users and operators nor provide adequate security of media-plane data transmission.
A processing method for a secure communication service, comprising:
An encryption application server (EAS) receives a secure communication service establishment request message sent by first terminal equipment, wherein the secure communication service establishment request message indicates that a secure communication service needs to be established between the first terminal equipment and second terminal equipment, and carries parameter information used to obtain a session key;
The EAS carries the parameter information used to obtain a session key in a session key request message and sends it to the key management center (KMC) to which the first terminal equipment and the second terminal equipment belong, wherein the session key request message requests the KMC to generate a session key for the secure communication service to be established between the first terminal equipment and the second terminal equipment;
The EAS receives the encrypted session key returned by the KMC and sends the encrypted session key to the first terminal equipment, so that the first terminal equipment can use the session key for secure communication with the second terminal equipment, wherein the encrypted session key is obtained by the KMC encrypting the session key it generated according to the parameter information used to obtain a session key.
The parameter information used to obtain a session key contains the identification information of the first terminal equipment and the identification information of the second terminal equipment;
Before the EAS carries the parameter information used to obtain a session key in the session key request message and sends it to the KMC to which the first terminal equipment and the second terminal equipment belong, the method further comprises:
The EAS determines, according to the identification information of the first terminal equipment and the identification information of the second terminal equipment, the KMC to which the first terminal equipment and the second terminal equipment belong.
The method further comprises:
The EAS sends the encrypted session key to the second terminal equipment, so that the second terminal equipment can use the session key for secure communication with the first terminal equipment.
The EAS sending the encrypted session key to the first terminal equipment and/or the second terminal equipment comprises:
The EAS sends the encrypted session key to the first terminal equipment and/or the second terminal equipment through IMS network signaling.
The encrypted session key contains the session key encrypted with a first protection key and the session key encrypted with a second protection key;
The encrypted session key being obtained by the KMC encrypting the generated session key according to the parameter information used to obtain a session key comprises:
The KMC determines, according to the identification information of the first terminal equipment contained in the parameter information used to obtain a session key, the first protection key that the first terminal equipment corresponding to that identification information generated when logging in to the KMC, and encrypts the generated session key with the first protection key to obtain the session key encrypted with the first protection key; and
the KMC determines, according to the identification information of the second terminal equipment contained in the parameter information used to obtain a session key, the second protection key that the second terminal equipment corresponding to that identification information generated when logging in to the KMC, and encrypts the generated session key with the second protection key to obtain the session key encrypted with the second protection key.
A processing method for a secure communication service, comprising:
First terminal equipment sends a secure communication service establishment request message to an encryption application server (EAS), wherein the secure communication service establishment request message indicates that a secure communication service needs to be established between the first terminal equipment and second terminal equipment, and carries parameter information used to obtain a session key;
The first terminal equipment receives the encrypted session key sent by the EAS, wherein the encrypted session key is obtained by the EAS carrying the parameter information used to obtain a session key in a session key request message and sending it to the key management center (KMC) to which the first terminal equipment and the second terminal equipment belong, and by the KMC encrypting the session key it generated according to that parameter information; the session key request message requests the KMC to generate a session key for the secure communication service to be established between the first terminal equipment and the second terminal equipment.
The method further comprises:
When the first terminal equipment receives the encrypted session key sent by the EAS, it sends the encrypted session key to the second terminal equipment.
The first terminal equipment sending the encrypted session key to the second terminal equipment comprises:
the first terminal equipment sends the encrypted session key to the second terminal equipment through IMS network signaling;
or,
the first terminal equipment sends the encrypted session key to the second terminal equipment through the media-plane data transmission channel established with the second terminal equipment.
The method further comprises:
When the first terminal equipment receives the encrypted session key sent by the EAS, it decrypts the encrypted session key with the first protection key it generated when logging in to the KMC, obtaining the session key that the KMC generated for the secure communication service between the first terminal equipment and the second terminal equipment.
A processing method for a secure communication service, comprising:
A key management center (KMC) receives a session key request message sent by an encryption application server (EAS), wherein the session key request message requests the KMC to generate a session key for the secure communication service to be established between first terminal equipment and second terminal equipment, and contains parameter information used to obtain a session key; the parameter information used to obtain a session key is carried in the secure communication service establishment request message that the EAS received from the first terminal equipment, which indicates that a secure communication service needs to be established between the first terminal equipment and the second terminal equipment; and
The KMC returns the encrypted session key to the EAS, so that the EAS sends the encrypted session key to the first terminal equipment and the first terminal equipment can use the session key for secure communication with the second terminal equipment, wherein the encrypted session key is obtained by the KMC encrypting the session key it generated according to the parameter information used to obtain a session key.
The parameter information used to obtain a session key contains the identification information of the first terminal equipment and the identification information of the second terminal equipment;
The KMC returning the encrypted session key to the EAS comprises:
The KMC generates the session key needed to perform the secure communication service between the first terminal equipment and the second terminal equipment;
The KMC determines, according to the identification information of the first terminal equipment contained in the parameter information used to obtain a session key, the first protection key that the first terminal equipment corresponding to that identification information generated when logging in to the KMC, and encrypts the generated session key with the first protection key to obtain the session key encrypted with the first protection key; and
determines, according to the identification information of the second terminal equipment contained in the parameter information used to obtain a session key, the second protection key that the second terminal equipment corresponding to that identification information generated when logging in to the KMC, and encrypts the generated session key with the second protection key to obtain the session key encrypted with the second protection key;
The KMC sends the session key encrypted with the first protection key and the session key encrypted with the second protection key, as the encrypted session key, to the EAS in a key response message.
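The three method descriptions above are one exchange seen from the EAS, the terminal and the KMC. The following Python simulates that exchange end to end; it is an added example written for this page, not code from the patent or from China Mobile. The page names neither the cipher used to encrypt the session key under each terminal's protection key nor the way the protection key is produced at login, so both are assumptions here: a random per-login protection key, and an encrypt-then-MAC wrap built from HMAC-SHA256 as a stand-in for a real AEAD such as AES-GCM. Terminal identities of the form user@domain, with the domain selecting the KMC, are likewise an assumption made so that the EAS determination step has something to act on.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed stand-in for the page's unspecified cipher: HMAC-SHA256 used as a
# PRF keystream plus an HMAC tag (encrypt-then-MAC).  A deployment would use a
# real AEAD; the shape of the exchange, not the primitive, is what is shown.
def _wrap(protection_key: bytes, session_key: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    stream = hmac.new(protection_key, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(session_key, stream))
    tag = hmac.new(protection_key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _unwrap(protection_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(protection_key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        # Wrong protection key (mis-routed copy) or tampered blob: fail closed
        # rather than hand the terminal a garbage session key.
        raise ValueError("protection-key mismatch or tampered blob")
    stream = hmac.new(protection_key, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))


class KMC:
    """Key management center: keeps the protection key each terminal made at login."""

    def __init__(self, name: str):
        self.name = name
        self.protection_keys: dict[str, bytes] = {}

    def login(self, terminal_id: str) -> bytes:
        # Assumption: the protection key produced at login is a fresh random key.
        pk = secrets.token_bytes(32)
        self.protection_keys[terminal_id] = pk
        return pk

    def handle_session_key_request(self, id_first: str, id_second: str) -> dict:
        # Both identities must have logged in; otherwise there is no protection
        # key to wrap under, and the request is refused instead of guessed at.
        for tid in (id_first, id_second):
            if tid not in self.protection_keys:
                raise KeyError(f"{tid} is not registered with {self.name}")
        session_key = secrets.token_bytes(16)
        return {
            "for_first": _wrap(self.protection_keys[id_first], session_key),
            "for_second": _wrap(self.protection_keys[id_second], session_key),
        }


class EAS:
    """Encryption application server: picks the KMC and relays wrapped keys."""

    def __init__(self, kmc_by_domain: dict[str, KMC]):
        self.kmc_by_domain = kmc_by_domain

    def _resolve_kmc(self, id_first: str, id_second: str) -> KMC:
        # The page's determination step; the domain-based rule is an assumption.
        dom_first, dom_second = id_first.split("@")[1], id_second.split("@")[1]
        if dom_first != dom_second:
            raise ValueError("terminals belong to different KMCs")
        return self.kmc_by_domain[dom_first]

    def handle_establish_request(self, id_first: str, id_second: str) -> dict:
        kmc = self._resolve_kmc(id_first, id_second)
        return kmc.handle_session_key_request(id_first, id_second)


class Terminal:
    def __init__(self, terminal_id: str):
        self.terminal_id = terminal_id
        self.protection_key: Optional[bytes] = None

    def login(self, kmc: KMC) -> None:
        self.protection_key = kmc.login(self.terminal_id)

    def accept_wrapped_key(self, blob: bytes) -> bytes:
        if self.protection_key is None:
            raise RuntimeError("terminal has not logged in to a KMC")
        return _unwrap(self.protection_key, blob)


def run_flow(domain: str = "example.net") -> tuple[bytes, bytes]:
    """Run the page's exchange once; returns the session keys A and B recover."""
    kmc = KMC("kmc-" + domain)
    eas = EAS({domain: kmc})
    a, b = Terminal("alice@" + domain), Terminal("bob@" + domain)
    a.login(kmc)
    b.login(kmc)
    resp = eas.handle_establish_request(a.terminal_id, b.terminal_id)
    # The EAS relays the two wrapped copies over IMS signaling (or A forwards
    # B's copy itself, the page's alternative); it only ever handles ciphertext.
    return a.accept_wrapped_key(resp["for_first"]), b.accept_wrapped_key(resp["for_second"])
```

Two checks that the text implies but does not spell out are built in: the KMC refuses to issue a key for an identity that never logged in, and a terminal presented with a copy wrapped under someone else's protection key gets an authentication failure rather than a wrong key, so a mis-routed or altered response cannot silently produce mismatched session keys. Note also that the EAS in this flow only ever holds the wrapped copies; the plaintext session key exists only at the KMC and at the two terminals.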
An encryption application server for a secure communication service, comprising:
a receiving module, configured to receive a secure communication service establishment request message sent by first terminal equipment, wherein the secure communication service establishment request message indicates that a secure communication service needs to be established between the first terminal equipment and second terminal equipment, and carries parameter information used to obtain a session key;
a sending module, configured to carry the parameter information used to obtain a session key in a session key request message and send it to the key management center (KMC) to which the first terminal equipment and the second terminal equipment belong, wherein the session key request message requests the KMC to generate a session key for the secure communication service to be established between the first terminal equipment and the second terminal equipment;
a processing module, configured to receive the encrypted session key returned by the KMC and send the encrypted session key to the first terminal equipment, so that the first terminal equipment can use the session key for secure communication with the second terminal equipment, wherein the encrypted session key is obtained by the KMC encrypting the session key it generated according to the parameter information used to obtain a session key.
The parameter information used to obtain a session key contains the identification information of the first terminal equipment and the identification information of the second terminal equipment;
The encryption application server further comprises:
a determination module, configured to determine, before the parameter information used to obtain a session key is carried in the session key request message and sent to the KMC to which the first terminal equipment and the second terminal equipment belong, the KMC to which the first terminal equipment and the second terminal equipment belong according to the identification information of the first terminal equipment and the identification information of the second terminal equipment.
The processing module is further configured to send the encrypted session key to the second terminal equipment, so that the second terminal equipment can use the session key for secure communication with the first terminal equipment.
The processing module is specifically configured to send the encrypted session key to the first terminal equipment and/or the second terminal equipment through IMS network signaling.
The encrypted session key contains the session key encrypted with a first protection key and the session key encrypted with a second protection key;
The encrypted session key being obtained by the KMC encrypting the generated session key according to the parameter information used to obtain a session key comprises:
The KMC determines, according to the identification information of the first terminal equipment contained in the parameter information used to obtain a session key, the first protection key that the first terminal equipment corresponding to that identification information generated when logging in to the KMC, and encrypts the generated session key with the first protection key to obtain the session key encrypted with the first protection key; and
the KMC determines, according to the identification information of the second terminal equipment contained in the parameter information used to obtain a session key, the second protection key that the second terminal equipment corresponding to that identification information generated when logging in to the KMC, and encrypts the generated session key with the second protection key to obtain the session key encrypted with the second protection key.
Terminal equipment for performing a secure communication service, comprising:
a request message sending module, configured to send a secure communication service establishment request message to an encryption application server (EAS), wherein the secure communication service establishment request message indicates that a secure communication service needs to be established between the first terminal equipment and second terminal equipment, and carries parameter information used to obtain a session key;
a session key receiving module, configured to receive the encrypted session key sent by the EAS, wherein the encrypted session key is obtained by the EAS carrying the parameter information used to obtain a session key in a session key request message and sending it to the key management center (KMC) to which the first terminal equipment and the second terminal equipment belong, and by the KMC encrypting the session key it generated according to that parameter information; the session key request message requests the KMC to generate a session key for the secure communication service to be established between the first terminal equipment and the second terminal equipment.
The terminal equipment further comprises:
a processing module, configured to send the encrypted session key to the second terminal equipment when the encrypted session key sent by the EAS is received.
The processing module is specifically configured to send the encrypted session key to the second terminal equipment through IMS network signaling;
or,
to send the encrypted session key to the second terminal equipment through the media-plane data transmission channel established with the second terminal equipment.
The terminal equipment further comprises:
a decryption module, configured to, when the encrypted session key sent by the EAS is received, decrypt the encrypted session key with the first protection key generated when logging in to the KMC, obtaining the session key that the KMC generated for the secure communication service between the first terminal equipment and the second terminal equipment.
A key management center for a secure communication service, comprising:
a key request receiving module, configured to receive a session key request message sent by an encryption application server (EAS), wherein the session key request message requests the KMC to generate a session key for the secure communication service to be established between first terminal equipment and second terminal equipment, and contains parameter information used to obtain a session key; the parameter information used to obtain a session key is carried in the secure communication service establishment request message that the EAS received from the first terminal equipment, which indicates that a secure communication service needs to be established between the first terminal equipment and the second terminal equipment; and
a key sending module, configured to return the encrypted session key to the EAS, so that the EAS sends the encrypted session key to the first terminal equipment and the first terminal equipment can use the session key for secure communication with the second terminal equipment, wherein the encrypted session key is obtained by the KMC encrypting the session key it generated according to the parameter information used to obtain a session key.
The parameter information used to obtain a session key contains the identification information of the first terminal equipment and the identification information of the second terminal equipment;
The key sending module is specifically configured to generate the session key needed to perform the secure communication service between the first terminal equipment and the second terminal equipment; to determine, according to the identification information of the first terminal equipment contained in the parameter information used to obtain a session key, the first protection key that the first terminal equipment corresponding to that identification information generated when logging in to the KMC, and encrypt the generated session key with the first protection key to obtain the session key encrypted with the first protection key; and
to determine, according to the identification information of the second terminal equipment contained in the parameter information used to obtain a session key, the second protection key that the second terminal equipment corresponding to that identification information generated when logging in to the KMC, and encrypt the generated session key with the second protection key to obtain the session key encrypted with the second protection key;
and to send the session key encrypted with the first protection key and the session key encrypted with the second protection key, as the encrypted session key, to the EAS in a key response message.
A processing system for a secure communication service, the system comprising: the above encryption application server, the above terminal equipment and the above key management center.
The beneficial effects of the present invention are as follows:
Embodiments of the present invention introduce an encryption application server and a key management center into the IMS network. The encryption application server receives the secure communication service establishment request message sent by first terminal equipment, which indicates that a secure communication service needs to be established between the first terminal equipment and second terminal equipment; carries the parameter information used to obtain a session key contained in that request message in a session key request message and sends it to the KMC to which the first terminal equipment and the second terminal equipment belong, requesting the KMC to generate a session key for the secure communication service to be established between them; and, on receiving the encrypted session key returned by the KMC, sends the encrypted session key to the first terminal equipment, so that the first terminal equipment can use the session key for secure communication with the second terminal equipment. In this way, secure communication is realized as a service that the operator provides to the user through the encryption application server, and the encryption application server obtains the encrypted session key from the KMC and delivers it to the terminal equipment, which not only increases the operator's control over secure communication but also improves the processing efficiency of the system; meanwhile, the introduced KMC realizes the user's management of the whole life cycle of the key, which increases the security of the secure communication service performed between users.
Brief description of the drawings
Fig. 1 is a schematic workflow diagram of SDES key management;
Fig. 2 is a schematic flow diagram of KMS key management;
Fig. 3 is a schematic flow diagram of a secure service processing method provided by embodiment one of the present invention;
Fig. 4 is a schematic flow diagram of a secure service processing method provided by embodiment two of the present invention;
Fig. 5 is a schematic flow diagram of a secure service processing method provided by embodiment three of the present invention;
Fig. 6 is a schematic flow diagram of a secure service processing method provided by embodiment four of the present invention;
Fig. 7 is a schematic structural diagram of an encryption application server for a secure service provided by embodiment five of the present invention;
Fig. 8 is a schematic structural diagram of a terminal device that performs a secure service, provided by embodiment six of the present invention;
Fig. 9 is a schematic structural diagram of a KMC for a secure service provided by embodiment seven of the present invention;
Figure 10 is a schematic structural diagram of a secure service processing system provided by embodiment eight of the present invention.
Detailed description of the embodiments
To achieve the object of the present invention, the embodiments provide a secure service processing method, devices and system. An encryption application server (EAS) and a KMC are introduced into the IMS network. The EAS receives a secure service setup request message sent by a first terminal device, which indicates that a secure service needs to be set up between the first terminal device and a second terminal device. It carries the parameter information for obtaining a session key contained in that request message in a session key request message, sends it to the KMC to which the first and second terminal devices belong, and asks the KMC to generate a session key for the secure service to be set up between the two devices. On receiving the encrypted session key returned by the KMC, the EAS sends it to the first terminal device, so that the first terminal device can use the session key to communicate securely with the second terminal device.
In this way secure communication becomes a service that the operator offers to users through the EAS; because the EAS obtains the encrypted session key from the KMC and delivers it to the terminal devices, the operator's control over secure communication is increased and the processing efficiency of the system is improved, while the KMC that is introduced lets users manage the whole life cycle of their keys, which raises the security of the secure services performed between users.
It should be noted that the system architecture to which the embodiments apply includes, but is not limited to, an IMS core network containing network elements such as the SBC (Session Border Controller), P-CSCF (Proxy Call Session Control Function), S-CSCF (Serving Call Session Control Function), HSS (Home Subscriber Server), MGCF (Media Gateway Control Function) and MGW (Media Gateway). In addition, when the system architecture contains a SIP (Session Initiation Protocol) server, the technical scheme provided by the embodiments can also be used to provide secure services to users through the SIP system; this is not specifically limited here.
The encryption application server (EAS) referred to in the embodiments provides secure services to terminal devices, where secure services include, but are not limited to, encrypted voice call, encrypted video call, encrypted conference call, encrypted short message, encrypted file transfer and encrypted e-mail services. The functions of the EAS are, on the one hand, to be compatible with the session service logic triggering function of the application server (AS) in the IMS network system: it can receive service request messages initiated by terminal devices from the S-CSCF, the core entity of the IMS network, trigger the secure service, take charge of control-plane call handling and connection control, and perform charging for the services carried out. On the other hand, the EAS communicates through a secure interface with the configured key management center (KMC) and, according to the service processing logic, completes the transfer of information for terminal registration on the KMC, identity authentication and key management, supporting the signalling exchange between the terminal device and the KMC.
The key management center (KMC) referred to in the embodiments manages the keys needed by secure services, specifically including, but not limited to, key management over the whole life cycle: key generation, key injection, key distribution, key storage, key archiving, key derivation, key update and key destruction. The KMC communicates with the EAS through a secure interface; it can receive cryptographic request messages from terminal devices via the EAS and complete operations such as terminal registration, identity authentication and key distribution, and it can also issue control commands to the cryptographic module in a terminal device via the EAS, achieving remote control of that module. For example, the KMC manages the cryptographic modules contained in terminal devices and can remotely destroy the cryptographic module in a terminal device.
In addition, to increase users' trust in the operator's security service, users are able to deploy the KMC themselves.
The terminal device referred to in the embodiments contains an IP communication module and a cryptographic communication module. The IP communication module supports the SIP protocol and has IMS communication capability, supporting functions such as the terminal's login/logout to the IMS system, authentication, call control and processing. The cryptographic module is responsible for terminal key management and for executing encryption and decryption algorithms: on the control plane it exchanges signalling with the KMC to obtain the session key, and on the media plane it uses the obtained session key to establish a security association with the peer device and achieve confidential transmission of the communication service.
Each embodiment of the present invention is described in detail below with reference to the accompanying drawings.
Embodiment one:
Fig. 3 is a schematic flow diagram of the secure service processing method provided by embodiment one of the present invention; the method may be as follows.
Step 101: The EAS receives a secure service setup request message sent by the first terminal device.
The secure service setup request message indicates that a secure service needs to be set up between the first terminal device and a second terminal device, and it contains parameter information for obtaining a session key.
In step 101, when the first terminal device calls the second terminal device, it sends a secure service setup request message to the IMS network; the IMS core network forwards this message to the EAS, informing the EAS that the first terminal device intends to set up a secure service with the second terminal device.
It should be noted that the secure service setup request message sent by the first terminal device can be realised by the call setup request message that the first terminal device initiates. That is, when the first terminal device calls the second terminal device, it sends a call setup message to the IMS network, and this call setup message then serves two functions: 1. requesting that a call connection be established with the second terminal device; 2. triggering the secure service while the call connection is being established.
Alternatively, the secure service setup request message may be triggered at any time after the first terminal device has initiated the call setup request message.
For example, after the first terminal device has successfully established a call link with the second terminal device, and while the call is in progress, it sends a secure service setup request message to the IMS network; the IMS core network forwards this message to the EAS, informing the EAS that the first terminal device needs to carry out a secure service with the second terminal device.
That is, call connection setup between the terminal devices and triggering of the secure service may be performed at the same time or at different times: the secure service may be triggered first and the call connection established afterwards, or the call connection established first and the secure service triggered afterwards.
When the encryption application server receives the secure service setup request message sent by the first terminal device, it starts the subsequent secure service processing flow.
Step 102: The EAS carries the parameter information for obtaining a session key in a session key request message and sends it to the key management center (KMC) to which the first terminal device and the second terminal device belong.
The session key request message asks the KMC to generate a session key for the secure service to be set up between the first terminal device and the second terminal device.
The parameter information for obtaining a session key contains the identification information of the first terminal device and the identification information of the second terminal device.
It should be noted that the parameter information for obtaining a session key contains at least the identification information of the first terminal device, the identification information of the second terminal device, a random number, and so on.
In step 102, the EAS determines, from the identification information of the first terminal device and of the second terminal device, the KMC to which the two devices belong.
It should be noted that the calling and called terminal devices of this call setup belong to the same KMC, that is, the first terminal device and the second terminal device are registered and logged in to the same KMC.
Here, the calling and called terminal devices of the same user group form a user domain, and a user domain contains at least one KMC.
That is, the EAS determines, from the identification information of the first and second terminal devices, the user domain to which they belong, and selects one KMC from the at least one KMC contained in that user domain.
The EAS carries the parameter information for obtaining a session key in a session key request message and sends it to the KMC determined in this way.
Specifically, the EAS sends the session key request message to the determined KMC through a secure interface, asking that KMC to generate a session key for the secure service to be set up between the first terminal device and the second terminal device.
Step 103: The EAS receives the encrypted session key returned by the KMC and sends the encrypted session key to the first terminal device,
so that the first terminal device can use the session key to communicate securely with the second terminal device.
The encrypted session key is obtained by the KMC encrypting the session key it generated according to the parameter information for obtaining a session key.
In step 103, the ways in which the EAS may send the encrypted session key to the first terminal device include:
the EAS sends the encrypted session key to the first terminal device through IMS network signalling;
specifically, the EAS sends the encrypted session key to the first terminal device through SIP signalling in the IMS network,
for example SIP signalling including, but not limited to, MESSAGE, OPTIONS and INFO messages;
or the EAS sends the encrypted session key to the first terminal device through a call handling message in the IMS network,
for example a call setup response message or a session progress message.
Specifically, when call setup between the first and second terminal devices and secure service setup are performed at the same time, the EAS, after sending the session key request message to the KMC, may forward the call setup request message that the first terminal device initiated to call the second terminal device on to the second terminal device, attempting to establish a call connection with it.
At the same time, when the EAS receives the encrypted session key sent by the KMC, it determines whether it has received the call setup response message from the second terminal device, and when it has, it uses that call setup response message to send the encrypted session key to the first terminal device.
It should be noted that the encrypted session key is obtained by the KMC encrypting the session key it generated according to the parameter information for obtaining a session key, and one embodiment of this, without limitation, is as follows:
First, after receiving the session key request message sent by the EAS, the KMC generates a session key for setting up the secure service between the first terminal device and the second terminal device.
It should be noted that the session key the KMC generates after receiving the session key request message may be generated at random, or may be determined from the parameter information for obtaining a session key carried in the request message, for example by generating the session key from the random number in that parameter information; this is not limited here.
Second, to ensure the security of the session key while it is transmitted over the communication link, the KMC encrypts the generated session key.
Because the KMC is deployed by the user, the terminal devices the user uses first register and log in to the KMC before communicating. At login the KMC generates a protective key for the terminal device and stores locally the correspondence between the terminal device's identification information and this protective key. When the terminal device later initiates a secure service, the KMC can use this protective key to encrypt the generated session key, which both protects the session key on the communication link and allows the terminal to decrypt the encrypted session key correctly on receipt and obtain the real session key, improving the efficiency of the secure service and ensuring the security of the communication.
In this case the KMC determines, from the identification information of the first terminal device contained in the parameter information for obtaining a session key, the first protective key generated for that device when it logged in to the KMC, and encrypts the generated session key with the first protective key to obtain the session key encrypted with the first protective key; and it determines, from the identification information of the second terminal device contained in the same parameter information, the second protective key generated for that device when it logged in to the KMC, and encrypts the generated session key with the second protective key to obtain the session key encrypted with the second protective key.
Finally, the KMC sends to the EAS the encrypted session key, which contains the session key encrypted with the first protective key and the session key encrypted with the second protective key.
Specifically, the KMC sends the encrypted session key to the EAS in a session key response message.
The session key response message may contain the encrypted session key as a single data packet (that is, one packet divided into two parts, one part obtained by encrypting the generated session key with the first protective key and the other by encrypting it with the second protective key), or it may contain the session key encrypted with the first protective key and the session key encrypted with the second protective key separately; this is not limited here.
Specifically, when the KMC sends the session key encrypted with the first protective key and the session key encrypted with the second protective key to the EAS in a session key response message, this means the KMC sends the EAS two different data packets: one packet is the session key encrypted with the first protective key, and the other is the session key encrypted with the second protective key.
Optionally, when the KMC obtains the session key encrypted with the first protective key and the session key encrypted with the second protective key, it establishes a correspondence between the first terminal device identifier associated with the first protective key and the session key encrypted with the first protective key, and a correspondence between the second terminal device identifier associated with the second protective key and the session key encrypted with the second protective key, and it sends these correspondences to the EAS together with the two encrypted session keys. In this way, after the EAS forwards the encrypted session key to the first terminal device, the device can use the correspondence to quickly identify the encrypted session key that matches its own identification information, which speeds up service processing and improves the operating efficiency of the system.
In another embodiment of the present invention, the EAS also sends the encrypted session key to the second terminal device, so that the second terminal device can use the session key to communicate securely with the first terminal device.
That is, after receiving the encrypted session key sent by the KMC, the EAS sends the encrypted session key to the first terminal device and the second terminal device at the same time.
For example, when call setup between the first and second terminal devices and secure service setup are performed at the same time, the EAS, after sending the session key request message to the KMC, may forward the call setup request message that the first terminal device initiated to call the second terminal device on to the second terminal device, attempting to establish a call connection with it.
At the same time, when the EAS receives the encrypted session key sent by the KMC, it determines whether it has received the call setup response message from the second terminal device, and when it has, it sends the encrypted session key to the first terminal device and the second terminal device simultaneously.
After the first and second terminal devices receive the encrypted session key sent by the EAS, each decrypts it with the protective key generated when it logged in to the KMC, obtaining the session key produced by the KMC; once the media-plane transmission channel between the two devices has been set up, they use the session key to transmit service traffic over that channel.
It should be noted that after the EAS has obtained from the KMC the encrypted session key for performing the secure service between the first and second terminal devices, the number of times it sends the encrypted session key to the first terminal device is not limited to once; it may be sent repeatedly to ensure correct delivery.
It should also be noted that if the encrypted session key returned by the KMC is a single data packet, the EAS sends that packet to the first terminal device and to the second terminal device respectively. If the encrypted session key returned by the KMC is two data packets, that is, one packet is the session key encrypted with the first protective key and the other is the session key encrypted with the second protective key, the EAS may send both packets to the first terminal device and to the second terminal device respectively, or it may determine which terminal device each packet corresponds to and send the packet containing the session key encrypted with the first protective key to the first terminal device and the packet containing the session key encrypted with the second protective key to the second terminal device; this is not specifically limited here.
With the scheme of embodiment one, an encryption application server and a KMC are introduced into the IMS network. The EAS receives a secure service setup request message sent by the first terminal device, which indicates that a secure service needs to be set up between the first terminal device and the second terminal device; it carries the parameter information for obtaining a session key contained in that request message in a session key request message, sends it to the KMC to which the first and second terminal devices belong, and asks the KMC to generate a session key for the secure service to be set up between the two devices; and on receiving the encrypted session key returned by the KMC, it sends the encrypted session key to the first terminal device, so that the first terminal device can use the session key to communicate securely with the second terminal device.
In this way secure communication becomes a service that the operator offers to users through the EAS; because the EAS obtains the encrypted session key from the KMC and delivers it to the terminal devices, the operator's control over secure communication is increased and the processing efficiency of the system is improved, while the KMC that is introduced lets users manage the whole life cycle of their keys, which raises the security of the secure services performed between users.
Embodiment two:
Fig. 4 is a schematic flow diagram of the secure service processing method provided by embodiment two of the present invention. Embodiment two is an invention under the same inventive concept as embodiment one, and describes the secure service processing method of the present invention in detail from the perspective of the terminal device. The method may be as follows.
Step 201: The first terminal device sends a secure service setup request message to the encryption application server (EAS).
The secure service setup request message indicates that a secure service needs to be set up between the first terminal device and a second terminal device, and it contains parameter information for obtaining a session key.
In step 201, when the first terminal device calls the second terminal device, it sends a secure service setup request message to the IMS network; the IMS core network forwards this message to the EAS, informing the EAS that the first terminal device intends to set up a secure service with the second terminal device.
It should be noted that the secure service setup request message sent by the first terminal device can be realised by the call setup request message that the first terminal device initiates. That is, when the first terminal device calls the second terminal device, it sends a call setup message to the IMS network, and this call setup message then serves two functions: 1. requesting that a call connection be established with the second terminal device; 2. triggering the secure service while the call connection is being established.
Alternatively, the secure service setup request message may be triggered at any time after the first terminal device has initiated the call setup request message.
For example, after the first terminal device has successfully established a call link with the second terminal device, and while the call is in progress, it sends a secure service setup request message to the EAS on the network side, informing the EAS that the first terminal device needs to communicate securely with the second terminal device.
That is, call connection setup between the terminal devices and triggering of the secure service may be performed at the same time or at different times: the secure service may be triggered first and the call connection established afterwards, or the call connection established first and the secure service triggered afterwards; this is not specifically limited here.
When the encryption application server receives the secure service setup request message sent by the first terminal device, it starts the subsequent secure service processing flow.
Step 202: The first terminal device receives the encrypted session key sent by the EAS.
The encrypted session key is obtained as follows: the EAS carries the parameter information for obtaining a session key in a session key request message and sends it to the key management center (KMC) to which the first and second terminal devices belong, and the KMC encrypts the session key it generates according to that parameter information; the session key request message asks the KMC to generate a session key for the secure service to be set up between the first terminal device and the second terminal device.
How the encryption application server obtains the encrypted session key in step 202 is described in detail in embodiment one and is not repeated here.
Step 203: When the first terminal device receives the encrypted session key sent by the EAS, it decrypts the encrypted session key with the first protective key generated when it logged in to the KMC, obtaining the session key that the KMC generated for carrying out the secure service between the first terminal device and the second terminal device.
The encrypted session key contains the session key encrypted with the first protective key and the session key encrypted with the second protective key.
In step 203, since the encrypted session key is obtained by the KMC encrypting the session key it generated according to the parameter information for obtaining a session key, one embodiment of this, without limitation, is as follows:
First, after receiving the session key request message sent by the EAS, the KMC generates a session key for setting up the secure service between the first terminal device and the second terminal device.
It should be noted that the session key the KMC generates after receiving the session key request message may be generated at random, or may be determined from the parameter information for obtaining a session key carried in the request message, for example by generating the session key from the random number in that parameter information; this is not limited here.
Second, to ensure the security of the session key while it is transmitted over the communication link, the KMC encrypts the generated session key.
Because the KMC is deployed by the user, the terminal devices the user uses first register and log in to the KMC before communicating. At login the KMC generates a protective key for the terminal device and stores locally the correspondence between the terminal device's identification information and this protective key. When the terminal device later initiates a secure service, the KMC can use this protective key to encrypt the generated session key, which both protects the session key on the communication link and allows the terminal to decrypt the encrypted session key correctly on receipt and obtain the real session key, improving the efficiency of the secure service and ensuring the security of the communication.
In this case the KMC determines, from the identification information of the first terminal device contained in the parameter information for obtaining a session key, the first protective key generated for that device when it logged in to the KMC, and encrypts the generated session key with the first protective key to obtain the session key encrypted with the first protective key; and it determines, from the identification information of the second terminal device contained in the same parameter information, the second protective key generated for that device when it logged in to the KMC, and encrypts the generated session key with the second protective key to obtain the session key encrypted with the second protective key.
Finally, the KMC sends to the EAS the encrypted session key, which contains the session key encrypted with the first protective key and the session key encrypted with the second protective key.
The session key response message may contain the encrypted session key as a single data packet (that is, one packet divided into two parts, one part obtained by encrypting the generated session key with the first protective key and the other by encrypting it with the second protective key), or it may contain the session key encrypted with the first protective key and the session key encrypted with the second protective key separately; this is not limited here.
Specifically, when the KMC sends the session key encrypted with the first protective key and the session key encrypted with the second protective key to the EAS in a session key response message, this means the KMC sends the EAS two different data packets: one packet is the session key encrypted with the first protective key, and the other is the session key encrypted with the second protective key.
Optionally, when the KMC obtains the session key encrypted with the first protective key and the session key encrypted with the second protective key, it establishes a correspondence between the first terminal device identifier associated with the first protective key and the session key encrypted with the first protective key, and a correspondence between the second terminal device identifier associated with the second protective key and the session key encrypted with the second protective key, and it sends these correspondences to the EAS together with the two encrypted session keys. In this way, after the EAS forwards the encrypted session key to the first terminal device, the device can use the correspondence to quickly identify the encrypted session key that matches its own identification information, which speeds up service processing and improves the operating efficiency of the system.
Therefore; when the session key after the encryption that first terminal equipment receives belongs to a packet; the first Protective Key that first terminal equipment utilization produces when logging in described KMC is decrypted the session key after described encryption, and obtaining described KMC is the session key carrying out secure traffic generation between described first terminal equipment and described second terminal equipment.
When the session key after the encryption that first terminal equipment receives contains two packets, namely the session key after the session key after the encryption received contains the session key after utilizing the first Protective Key encryption and utilizes the second Protective Key encryption, now, first terminal equipment can only by the first Protective Key to utilize first Protective Key encryption after session key be decrypted, obtaining described KMC is the session key carrying out secure traffic generation between described first terminal equipment and described second terminal equipment, carry out secure communication with the second terminal equipment prepare for follow-up.
Alternatively, when the session key after the encryption that first terminal equipment receives contains the session key after utilizing the first Protective Key encryption and the session key after utilizing the second Protective Key to encrypt, corresponding relation between the identification information of the terminal equipment can also set up according to KMC and the session key after encrypting, determine first terminal device identification corresponding utilize first Protective Key encryption after session key, and utilize the first Protective Key to utilize first Protective Key encryption after session key be decrypted, obtaining described KMC is the session key carrying out secure traffic generation between described first terminal equipment and described second terminal equipment.
Step 204: during the session key of described first terminal equipment after receiving the encryption that described EAS sends, the session key after described encryption is sent to described second terminal equipment.
In step 204, the session key after described encryption sends to the mode of described second terminal equipment to include but not limited to by described first terminal equipment:
First kind of way:
The first terminal device sends the encrypted session key to the second terminal device through IMS network signaling.
Specifically, regardless of whether a media-plane data transmission channel between the first and second terminal devices has been established, the first terminal device, on receiving the session key sent by the EAS, uses IMS network signaling to send the encrypted session key to the second terminal device.
Note that IMS network signaling includes, but is not limited to, SIP signaling, call handling messages, and so on.
The first terminal device sends the encrypted session key to the second terminal device through SIP signaling.
For example, SIP signaling includes, but is not limited to, MESSAGE, OPTIONS, INFO, and so on.
The first terminal device sends the encrypted session key to the second terminal device in the provisional response acknowledgement message PRACK.
Specifically, to save signaling overhead, signaling piggybacking can be used: when the first terminal device receives the encrypted session key that the EAS placed in the call setup response message sent by the second terminal device, then, after that call setup response message has been processed correctly and the provisional acknowledgement message PRACK is returned to the second terminal device, the encrypted session key is carried in the PRACK and sent to the second terminal device.
The second way:
The first terminal device sends the encrypted session key to the second terminal device through the media-plane data transmission channel established with the second terminal device.
Specifically, on receiving the session key sent by the EAS, and after determining that a media-plane transmission channel to the second terminal device has been established, the first terminal device uses that channel to send the encrypted session key to the second terminal device.
Specifically, when the encrypted session key received by the first terminal device is a single packet, the first terminal device sends that single-packet encrypted session key to the second terminal device. When it consists of two packets, one being the session key encrypted with the first Protective Key and the other the session key encrypted with the second Protective Key, the first terminal device may send both packets to the second terminal device at once; alternatively, the first terminal device or the EAS may determine which terminal device each packet corresponds to and send only the packet containing the session key encrypted with the second Protective Key to the second terminal device. This is not specifically limited here.
Note that in embodiment two of the present invention, steps 203 and 204 have no fixed order: they may be performed in the order described, step 204 may be performed before step 203, or steps 203 and 204 may be performed simultaneously.
Embodiment three:
Figure 5 is a schematic flowchart of a processing method for secure traffic provided by embodiment three of the present invention. Embodiment three belongs to the same inventive concept as embodiments one and two, and describes in detail, from the KMC side, each step of embodiment one. The method is as follows.
Step 301: the key management center (KMC) receives a session key request message sent by the encryption application server (EAS).
The session key request message indicates a request that the KMC generate a session key for the secure traffic that needs to be established between the first terminal device and the second terminal device.
The session key request message contains parameter information for obtaining a session key.
This parameter information is carried in the secure traffic setup request message that the EAS received from the first terminal device, which indicates that secure traffic needs to be established between the first terminal device and the second terminal device.
Step 302: the KMC returns the encrypted session key to the EAS.
The EAS then sends the encrypted session key to the first terminal device, so that the first terminal device can use the session key to communicate securely with the second terminal device.
The encrypted session key is obtained after the KMC encrypts the session key it generated according to the parameter information for obtaining a session key.
The parameter information for obtaining a session key contains the identification information of the first terminal device and the identification information of the second terminal device.
In step 302, the way in which the KMC returns the encrypted session key to the EAS includes, but is not limited to, the following.
First, the KMC generates the session key needed for performing secure traffic between the first terminal device and the second terminal device.
Note that after receiving the session key request message from the EAS, the KMC may generate the session key randomly, or may derive it from the parameter information for obtaining a session key carried in the request message, for example by generating the session key from random number information contained in that parameter information; this is not limited here.
Second, to ensure the security of the session key as it is transmitted over the communication link, the KMC encrypts the generated session key.
Because the KMC is deployed by the user, a terminal device used by that user first registers with and logs in to the KMC before communicating. At login the KMC generates a Protective Key for the terminal device and stores locally the correspondence between the terminal device's identification information and that Protective Key. When the terminal device later initiates secure traffic, the KMC can use this Protective Key to encrypt the generated session key. This both protects the session key while it traverses the communication link and lets the terminal, on receiving the encrypted session key, decrypt it correctly to obtain the real session key, improving the efficiency of secure traffic and ensuring the security of the communication.
Here, according to the identification information of the first terminal device contained in the parameter information for obtaining a session key, the KMC determines the first Protective Key that was generated when the first terminal device corresponding to that identification information logged in to the KMC, and encrypts the generated session key with the first Protective Key to obtain the session key encrypted with the first Protective Key. Likewise, according to the identification information of the second terminal device contained in that parameter information, the KMC determines the second Protective Key that was generated when the second terminal device logged in to the KMC, and encrypts the generated session key with the second Protective Key to obtain the session key encrypted with the second Protective Key.
Finally, the KMC takes the session key encrypted with the first Protective Key and the session key encrypted with the second Protective Key as the encrypted session key, and sends it to the EAS in a key response message.
Embodiment four:
Figure 6 is a schematic flowchart of a processing method for secure traffic provided by embodiment four of the present invention. Embodiment four belongs to the same inventive concept as embodiments one to three, and describes the technical solution of the invention in detail for the case where terminal device A and terminal device B need to perform secure traffic. The method is as follows.
Note that the time at which terminal devices A and B need to perform secure traffic may be during call setup between them or after call setup; this is not limited here.
Step 1: when a user initiates a secure communication call from terminal device A to terminal device B, terminal device A sends a call setup request message to the IMS network.
The call setup request message may be an INVITE, informing the IMS core network that an encrypted session connection needs to be established with terminal device B.
The call setup request message contains the identification information (or telephone number) of terminal device A and the identification information (or telephone number) of terminal device B.
Here, the call setup request message also carries the session key request message.
In another embodiment of the invention, the call setup request message that terminal device A sends for the call with terminal device B may only inform the IMS core network that a session connection with terminal device B needs to be established; at the same time, terminal device A sends the session key request message through IMS signaling (for example, a MESSAGE message), and this session key request message informs the IMS network that an encrypted session connection needs to be established between terminal device A and terminal device B.
Step 2: on receiving the call setup request message, the EAS determines the user domain to which terminal devices A and B belong from their identification information, and sends a session key request message to the KMC of that user domain.
Step 3: the KMC generates a session key for terminal devices A and B and sends a key response message to the EAS.
The key response message contains the encrypted session key.
To ensure that the session key is not leaked during transmission, the KMC encrypts and protects the session key with the Protective Keys that were generated when terminal device A and terminal device B, respectively, logged in to the KMC.
Step 4: immediately after sending the session key request message to the KMC, the EAS forwards the call setup request message to terminal device B.
In this way, call processing continues in parallel with the session key request, improving processing efficiency.
In another embodiment of the invention, after sending the session key request message to the KMC, the EAS waits for the KMC to return a response message.
Only after receiving the session key response message from the KMC does it forward the call setup request message to terminal device B and continue call processing.
Step 5: the EAS receives the session progress message returned by terminal device B.
The session progress message is returned by terminal device B after it receives and processes the call setup request message.
In another embodiment of the invention, if the EAS has not yet received the session key response message from the KMC when it receives the session progress message, the EAS must wait for the KMC's response.
Step 6: the EAS carries the encrypted session key received in the key response message from the KMC in the session progress message and sends it to terminal device A.
In another embodiment of the invention, the EAS uses IMS signaling to send the secure communication key received in the session key response message from the KMC to both terminal device A and terminal device B.
Step 7: after receiving the encrypted session key, terminal device A decrypts it with the first Protective Key generated when it logged in to the KMC, obtaining the session key that the KMC generated for this call.
In another embodiment of the invention, terminal device A sends the received encrypted session key to terminal device B in one of the following ways:
First kind of way:
The first terminal device sends the encrypted session key to the second terminal device through IMS network signaling.
Specifically, regardless of whether a media-plane data transmission channel between the first and second terminal devices has been established, the first terminal device, on receiving the session key sent by the EAS, uses IMS network signaling to send the encrypted session key to the second terminal device.
Alternatively, the first terminal device sends the encrypted session key to the second terminal device in the provisional response acknowledgement message PRACK (acknowledging the 183 response).
For example, to save signaling overhead, signaling piggybacking can be used: when the first terminal device receives the encrypted session key that the EAS placed in the call setup response message sent by the second terminal device, then, after that call setup response message has been processed correctly and the provisional acknowledgement message PRACK is returned to the second terminal device, the encrypted session key is carried in the PRACK and sent to the second terminal device.
The second way:
The first terminal device sends the encrypted session key to the second terminal device through the established media-plane data transmission channel between the first and second terminal devices.
Specifically, on receiving the session key sent by the EAS, and after determining that a media-plane transmission channel to the second terminal device has been established, the first terminal device uses that channel to send the encrypted session key to the second terminal device.
Step 8: after receiving the encrypted session key, terminal device B decrypts it with the second Protective Key generated when it logged in to the KMC, obtaining the session key that the KMC generated for this call.
Step 9: once the call link has been established, terminal devices A and B use the obtained session key to encrypt the communication data, achieving call encryption between terminal device A and terminal device B.
Note that embodiment four is an outline of the secure traffic handling flow; the technical details involved may use the technical solutions described in embodiments one to three and are not described in detail here.
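The following simulation is an added example, not code from the patent or from China Mobile, and it serves three passages at once: the KMC-side double encryption with the identifier-to-packet correspondence (embodiments two and three), the terminal-side selection and decryption of its own packet, and the end-to-end flow of embodiment four (EAS locating the user domain's KMC, KMC generating and wrapping the key, A and B each recovering it). The patent does not name the cipher used to encrypt the session key under a Protective Key, so the example substitutes an encrypt-then-MAC construction built from Python's standard library (HMAC-SHA256 keystream plus an HMAC tag); all message layouts, the `user@domain` identifier format, the class and function names, and the key sizes are assumptions made for illustration.

```python
"""KMC / EAS / terminal session-key distribution, simulated (added example).
The wrapping cipher is a stand-in: the patent leaves the algorithm open."""
import hashlib
import hmac
import secrets

SESSION_KEY_LEN = 16   # assumption: 128-bit session key
NONCE_LEN = 16
TAG_LEN = 32           # SHA-256 HMAC tag


def wrap_key(protective_key: bytes, session_key: bytes) -> bytes:
    """Encrypt session_key under a Protective Key: nonce || ciphertext || tag."""
    assert len(session_key) <= 32, "one SHA-256 keystream block is 32 bytes"
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = hmac.new(protective_key, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(p ^ s for p, s in zip(session_key, stream))
    tag = hmac.new(protective_key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(protective_key: bytes, packet: bytes) -> bytes:
    """Inverse of wrap_key. Raises ValueError when the tag does not verify,
    which is what happens if a terminal tries the other terminal's packet."""
    nonce, ct, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(protective_key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("packet was not encrypted under this Protective Key")
    stream = hmac.new(protective_key, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(c ^ s for c, s in zip(ct, stream))


class KMC:
    """Key management center: stores identifier -> Protective Key per login."""
    def __init__(self):
        self.protective_keys = {}

    def login(self, terminal_id: str) -> bytes:
        # At terminal login the KMC generates and stores a Protective Key.
        pk = secrets.token_bytes(32)
        self.protective_keys[terminal_id] = pk
        return pk

    def handle_session_key_request(self, params: dict) -> dict:
        """Step 3 / step 302: one fresh session key, encrypted once per terminal.
        The returned dict is the optional identifier -> packet correspondence."""
        session_key = secrets.token_bytes(SESSION_KEY_LEN)
        packets = {}
        for tid in (params["first_terminal_id"], params["second_terminal_id"]):
            pk = self.protective_keys.get(tid)
            if pk is None:
                raise KeyError(f"terminal {tid} has not logged in to this KMC")
            packets[tid] = wrap_key(pk, session_key)
        return {"encrypted_session_key": packets}


class Terminal:
    def __init__(self, terminal_id: str, kmc: KMC):
        self.terminal_id = terminal_id
        self.protective_key = kmc.login(terminal_id)   # obtained at login

    def recover_session_key(self, response: dict) -> bytes:
        """Steps 7/8: select own packet via the correspondence, then decrypt."""
        packet = response["encrypted_session_key"][self.terminal_id]
        return unwrap_key(self.protective_key, packet)


class EAS:
    """Encryption application server: maps a user domain to its KMC."""
    def __init__(self, domain_kmcs: dict):
        self.domain_kmcs = domain_kmcs

    @staticmethod
    def user_domain(terminal_id: str) -> str:
        return terminal_id.split("@", 1)[1]   # assumed "user@domain" identifier format

    def handle_call_setup(self, setup_request: dict) -> dict:
        """Step 2: find the KMC of the parties' user domain and request a key.
        Assumption: both terminals must belong to the same user domain."""
        a, b = setup_request["from"], setup_request["to"]
        if self.user_domain(a) != self.user_domain(b):
            raise ValueError("terminals are in different user domains")
        kmc = self.domain_kmcs[self.user_domain(a)]
        return kmc.handle_session_key_request(
            {"first_terminal_id": a, "second_terminal_id": b})


def run_secure_call():
    """Embodiment four end to end; returns (session key at A, session key at B)."""
    kmc = KMC()
    eas = EAS({"example.invalid": kmc})            # constructed domain name
    term_a = Terminal("alice@example.invalid", kmc)
    term_b = Terminal("bob@example.invalid", kmc)
    # Step 1: INVITE carrying both identifiers reaches the EAS.
    response = eas.handle_call_setup({"from": term_a.terminal_id, "to": term_b.terminal_id})
    # Step 6: EAS forwards both packets to A; A relays them to B (step 204).
    return term_a.recover_session_key(response), term_b.recover_session_key(response)


def wrong_packet_rejected() -> bool:
    """B cannot open the packet wrapped under A's Protective Key."""
    kmc = KMC()
    a, b = Terminal("a@d", kmc), Terminal("b@d", kmc)
    resp = kmc.handle_session_key_request({"first_terminal_id": "a@d", "second_terminal_id": "b@d"})
    try:
        unwrap_key(b.protective_key, resp["encrypted_session_key"]["a@d"])
    except ValueError:
        return True
    return False
```

The point the simulation makes visible is that the EAS only ever relays opaque packets: it holds no Protective Key, so forwarding both packets to A (and A relaying them to B) exposes nothing beyond what each terminal can already open with its own login-time key, and the tag check is what lets a terminal pick out its packet even without the correspondence map.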
Embodiment five:
Figure 7 is a schematic structural diagram of an encryption application server for secure traffic provided by embodiment five of the present invention. Embodiment five belongs to the same inventive concept as embodiments one to four. The encryption application server comprises a receiving module 11, a sending module 12 and a processing module 13, where:
the receiving module 11 is configured to receive a secure traffic setup request message sent by a first terminal device, where the secure traffic setup request message indicates that secure traffic needs to be established between the first terminal device and a second terminal device, and contains parameter information for obtaining a session key;
the sending module 12 is configured to carry the parameter information for obtaining a session key in a session key request message and send it to the key management center (KMC) to which the first and second terminal devices belong, where the session key request message indicates a request that the KMC generate a session key for the secure traffic that needs to be established between the first and second terminal devices;
the processing module 13 is configured to receive the encrypted session key returned by the KMC and send it to the first terminal device, so that the first terminal device can use the session key for secure communication with the second terminal device, where the encrypted session key is obtained after the KMC encrypts the session key it generated according to the parameter information for obtaining a session key.
Specifically, the parameter information for obtaining a session key contains the identification information of the first terminal device and the identification information of the second terminal device.
The encryption application server further comprises a determination module 14, where:
the determination module 14 is configured, before the parameter information for obtaining a session key is carried in the session key request message and sent to the KMC, to determine the KMC to which the first and second terminal devices belong according to the identification information of the first terminal device and the identification information of the second terminal device.
Specifically, the processing module 13 is further configured to send the encrypted session key to the second terminal device, so that the second terminal device can use the session key for secure communication with the first terminal device.
The processing module 13 is specifically configured to send the encrypted session key to the first terminal device and/or the second terminal device through IMS network signaling.
Specifically, the encrypted session key contains the session key encrypted with the first Protective Key and the session key encrypted with the second Protective Key;
and obtaining the encrypted session key by having the KMC encrypt the generated session key according to the parameter information for obtaining a session key comprises:
the KMC determines, according to the identification information of the first terminal device contained in the parameter information for obtaining a session key, the first Protective Key generated when the first terminal device corresponding to that identification information logged in to the KMC, and encrypts the generated session key with the first Protective Key to obtain the session key encrypted with the first Protective Key; and
determines, according to the identification information of the second terminal device contained in the parameter information for obtaining a session key, the second Protective Key generated when the second terminal device corresponding to that identification information logged in to the KMC, and encrypts the generated session key with the second Protective Key to obtain the session key encrypted with the second Protective Key.
Note that the encryption application server described in embodiment five may be a physical entity implemented in hardware or a logical unit implemented in software; this is not specifically limited here.
Embodiment six:
Figure 8 is a schematic structural diagram of a terminal device for performing secure traffic provided by embodiment six of the present invention. Embodiment six belongs to the same inventive concept as embodiments one to four. The terminal device comprises a request message sending module 21 and a session key receiving module 22, where:
the request message sending module 21 is configured to send a secure traffic setup request message to the encryption application server (EAS), where the secure traffic setup request message indicates that secure traffic needs to be established between the first terminal device and a second terminal device, and contains parameter information for obtaining a session key;
the session key receiving module 22 is configured to receive the encrypted session key sent by the EAS, where the encrypted session key is obtained after the EAS carries the parameter information for obtaining a session key in a session key request message and sends it to the key management center (KMC) to which the first and second terminal devices belong, and the KMC encrypts the session key it generated according to that parameter information; the session key request message indicates a request that the KMC generate a session key for the secure traffic that needs to be established between the first and second terminal devices.
Optionally, the terminal device further comprises a processing module 23, where:
the processing module 23 is configured, on receiving the encrypted session key sent by the EAS, to send the encrypted session key to the second terminal device.
The processing module 23 is specifically configured to send the encrypted session key to the second terminal device through IMS network signaling;
Or,
to send the encrypted session key to the second terminal device through the established media-plane data transmission channel between the first and second terminal devices.
The terminal device further comprises a decryption module 24, where:
the decryption module 24 is configured, on receiving the encrypted session key sent by the EAS, to decrypt the encrypted session key with the first Protective Key generated when the terminal device logged in to the KMC, obtaining the session key that the KMC generated for the secure traffic between the first and second terminal devices.
Note that the terminal device described in embodiment six may be a physical entity implemented in hardware or a logical unit implemented in software; this is not specifically limited here.
In addition, the terminal device of embodiment six further comprises an IP communication module and a cryptographic communication module.
The IP communication module supports the SIP protocol and has IMS communication capability, supporting functions such as the terminal's login/logout in the IMS system, authentication, and call control and processing. The cryptographic module is responsible for terminal key management and for executing the encryption and decryption algorithms: on the control plane it exchanges signaling with the KMC to obtain the session key, and on the media plane it uses the obtained session key to establish a security association with the peer device, achieving confidential transmission of the communication service.
Embodiment seven:
As shown in Figure 9, the structural representation of a kind of KMC for secure traffic provided for the embodiment of the present invention seven.The embodiment of the present invention seven is the inventions belonged to the embodiment of the present invention one to embodiment four under same inventive concept, and described KMC comprises: key request receiver module 31 and key sending module 32, wherein:
Key request receiving module 31, configured to receive a session key request message sent by the encryption application server (EAS), where the session key request message indicates a request that the KMC generate a session key for the secure service to be established between the first terminal device and the second terminal device, and contains parameter information for obtaining the session key; the parameter information for obtaining the session key is carried in the secure service setup request message that the EAS received from the first terminal device, which indicates that a secure service needs to be established between the first terminal device and the second terminal device; and
Key sending module 32, configured to return the encrypted session key to the EAS, so that the EAS sends the encrypted session key to the first terminal device and the first terminal device can use the session key to communicate securely with the second terminal device, where the encrypted session key is obtained by the KMC encrypting the session key it generated according to the parameter information for obtaining the session key.
Specifically, the parameter information for obtaining the session key contains identification information of the first terminal device and identification information of the second terminal device;
The key sending module 32 is specifically configured to generate the session key required for performing the secure service between the first terminal device and the second terminal device; to determine, according to the identification information of the first terminal device contained in the parameter information for obtaining the session key, the first protection key that the first terminal device identified by that information generated when logging in to the KMC, and to encrypt the generated session key with the first protection key, obtaining the session key encrypted with the first protection key; and
to determine, according to the identification information of the second terminal device contained in the parameter information for obtaining the session key, the second protection key that the second terminal device identified by that information generated when logging in to the KMC, and to encrypt the generated session key with the second protection key, obtaining the session key encrypted with the second protection key;
and to send the session key encrypted with the first protection key and the session key encrypted with the second protection key together, as the encrypted session key, to the EAS in a key response message.
It should be noted that the KMC described in embodiment seven of the present invention may be a physical entity implemented in hardware or a logical unit implemented in software; this is not specifically limited here.
Embodiment eight:
As shown in Figure 10, which is a schematic structural diagram of the secure service processing system provided by embodiment eight of the present invention, the system comprises an encryption application server 41, a KMC 42, a first terminal device 43 and a second terminal device 44, where:
The first terminal device 43 is configured to send a secure service setup request message to the encryption application server (EAS) and to receive the encrypted session key sent by the EAS, where the secure service setup request message indicates that a secure service needs to be established between the first terminal device and the second terminal device and contains parameter information for obtaining a session key.
The encryption application server 41 is configured to receive the secure service setup request message sent by the first terminal device; to carry the parameter information for obtaining the session key in a session key request message and send it to the key management center (KMC) to which the first terminal device and the second terminal device belong; to receive the encrypted session key returned by the KMC; and to send the encrypted session key to the first terminal device, where the session key request message indicates a request that the KMC generate a session key for the secure service to be established between the first terminal device and the second terminal device.
The KMC 42 is configured to receive the session key request message sent by the EAS and to return the encrypted session key to the EAS, where the encrypted session key is obtained by the KMC encrypting the session key it generated according to the parameter information for obtaining the session key.
Specifically, the parameter information for obtaining the session key contains identification information of the first terminal device and identification information of the second terminal device;
The encryption application server 41 is configured, before carrying the parameter information for obtaining the session key in the session key request message and sending it to the KMC to which the first terminal device and the second terminal device belong, to determine the KMC to which the first terminal device and the second terminal device belong according to the identification information of the first terminal device and the identification information of the second terminal device.
The encryption application server 41 is further configured to send the encrypted session key to the second terminal device, so that the second terminal device can use the session key to communicate securely with the first terminal device.
The encryption application server 41 is specifically configured to send the encrypted session key to the first terminal device and/or the second terminal device through IMS network signaling.
The first terminal device 43 is configured, upon receiving the encrypted session key sent by the EAS, to send the encrypted session key to the second terminal device.
The first terminal device 43 is specifically configured to send the encrypted session key to the second terminal device through IMS network signaling;
Or,
to send the encrypted session key to the second terminal device through a media-plane data transmission channel established between it and the second terminal device.
The encrypted session key contains the session key encrypted with the first protection key and the session key encrypted with the second protection key;
The first terminal device 43 is configured, upon receiving the encrypted session key sent by the EAS, to decrypt the encrypted session key with the first protection key it generated when logging in to the KMC, obtaining the session key generated by the KMC for the secure service between the first terminal device and the second terminal device.
The KMC 42 is specifically configured to generate the session key required for performing the secure service between the first terminal device and the second terminal device; to determine, according to the identification information of the first terminal device contained in the parameter information for obtaining the session key, the first protection key that the first terminal device identified by that information generated when logging in to the KMC, and to encrypt the generated session key with the first protection key, obtaining the session key encrypted with the first protection key; and
to determine, according to the identification information of the second terminal device contained in the parameter information for obtaining the session key, the second protection key that the second terminal device identified by that information generated when logging in to the KMC, and to encrypt the generated session key with the second protection key, obtaining the session key encrypted with the second protection key;
and to send the session key encrypted with the first protection key and the session key encrypted with the second protection key together, as the encrypted session key, to the EAS in a key response message.
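The exchange described in embodiments seven and eight, as an added example that is not part of the patent or China Mobile's code: a Python simulation in which the first terminal sends the secure service setup request to the EAS, the EAS selects the KMC from the two identifiers and relays the session key request, and the KMC returns the session key wrapped under each terminal's login-time protection key, which each terminal unwraps. The key-wrap construction, the user@domain identifier format and the login key derivation are assumptions, since the patent does not specify them.

```python
"""Added example (not the patent's or China Mobile's code): a stand-alone simulation of
the session-key distribution in embodiments seven and eight.  Assumptions the text does
not fix: the protection key is derived at login from a secret each terminal shares with
its KMC, ids are user@domain with the domain selecting the KMC, and the KMC wraps the
session key with an encrypt-then-MAC construction over HMAC-SHA256 (stdlib only)."""
import hashlib
import hmac
import os

KEY_LEN = 32    # 256-bit session and protection keys (assumption)
NONCE_LEN = 16

def prf(key: bytes, label: bytes, n: int) -> bytes:
    """n bytes of keystream: counter mode over HMAC-SHA256."""
    blocks = (hmac.new(key, label + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def wrap(protection_key: bytes, session_key: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || (session_key XOR keystream) || tag."""
    nonce = os.urandom(NONCE_LEN)
    stream = prf(protection_key, b"enc" + nonce, len(session_key))
    ct = bytes(a ^ b for a, b in zip(session_key, stream))
    tag = hmac.new(protection_key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(protection_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject any modification."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-32], blob[-32:]
    expected = hmac.new(protection_key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("encrypted session key failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, prf(protection_key, b"enc" + nonce, len(ct))))

class KMC:
    def __init__(self):
        self.secrets = {}      # terminal id -> provisioned long-term secret
        self.protection = {}   # terminal id -> protection key from the last login

    def login(self, tid: str, login_nonce: bytes) -> None:
        # The protection key is produced when the terminal logs in to the KMC.
        self.protection[tid] = prf(self.secrets[tid], b"login" + login_nonce, KEY_LEN)

    def session_key_request(self, params: dict) -> dict:
        """Generate the session key; return it wrapped under both protection keys."""
        session_key = os.urandom(KEY_LEN)
        return {"for_first": wrap(self.protection[params["first"]], session_key),
                "for_second": wrap(self.protection[params["second"]], session_key)}

class Terminal:
    def __init__(self, tid: str, kmc: KMC):
        self.tid, self.kmc = tid, kmc
        self.secret = kmc.secrets.setdefault(tid, os.urandom(KEY_LEN))  # provisioning
        self.protection_key = self.session_key = None

    def login(self) -> None:
        nonce = os.urandom(NONCE_LEN)
        self.kmc.login(self.tid, nonce)
        self.protection_key = prf(self.secret, b"login" + nonce, KEY_LEN)

    def setup_request(self, peer: str) -> dict:
        """Secure service setup request; the parameter information is the two ids."""
        return {"params": {"first": self.tid, "second": peer}}

class EAS:
    def __init__(self, kmc_directory: dict):
        self.kmc_directory = kmc_directory   # id domain -> KMC

    def locate_kmc(self, params: dict) -> KMC:
        """Select the KMC both terminals belong to from their ids (claim 2)."""
        domains = {params["first"].split("@")[1], params["second"].split("@")[1]}
        if len(domains) != 1:
            raise ValueError("terminals belong to different KMCs")
        return self.kmc_directory[domains.pop()]

    def handle_setup_request(self, request: dict) -> dict:
        """Carry the parameter information to the KMC and relay its key response."""
        return self.locate_kmc(request["params"]).session_key_request(request["params"])

def run_exchange() -> bool:
    """Full flow; True when both terminals end up holding the same session key."""
    kmc = KMC()
    eas = EAS({"example.net": kmc})
    first, second = Terminal("first@example.net", kmc), Terminal("second@example.net", kmc)
    first.login()
    second.login()
    key_response = eas.handle_setup_request(first.setup_request(second.tid))  # via IMS
    first.session_key = unwrap(first.protection_key, key_response["for_first"])
    # The first terminal forwards the second part over IMS signaling or the media plane.
    second.session_key = unwrap(second.protection_key, key_response["for_second"])
    return first.session_key == second.session_key

def tampered_key_is_rejected() -> bool:
    """A bit flipped in transit must fail the receiver's integrity check."""
    pk = os.urandom(KEY_LEN)
    blob = bytearray(wrap(pk, os.urandom(KEY_LEN)))
    blob[NONCE_LEN] ^= 0x01          # corrupt the first ciphertext byte
    try:
        unwrap(pk, bytes(blob))
    except ValueError:
        return True
    return False
```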
Those skilled in the art will understand that embodiments of the present invention may be provided as a method, an apparatus (device) or a computer program product. Therefore, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product implemented on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM and optical memory) containing computer-usable program code.
The present invention is described with reference to flowcharts and/or block diagrams of the method, apparatus (device) and computer program product according to embodiments of the present invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in them, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to work in a specific way, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction means that implements the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are performed on the computer or other programmable device to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the present invention have been described, those skilled in the art, once they have learned the basic inventive concept, can make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the present invention.
Obviously, those skilled in the art can make various changes and variations to the present invention without departing from its spirit and scope. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention is also intended to include them.

Claims (23)

1. A processing method for a secure service, characterized in that it comprises:
An encryption application server (EAS) receives a secure service setup request message sent by a first terminal device, where the secure service setup request message indicates that a secure service needs to be established between the first terminal device and a second terminal device and contains parameter information for obtaining a session key;
The EAS carries the parameter information for obtaining the session key in a session key request message and sends it to the key management center (KMC) to which the first terminal device and the second terminal device belong, where the session key request message indicates a request that the KMC generate a session key for the secure service to be established between the first terminal device and the second terminal device;
The EAS receives the encrypted session key returned by the KMC and sends the encrypted session key to the first terminal device, so that the first terminal device can use the session key to communicate securely with the second terminal device, where the encrypted session key is obtained by the KMC encrypting the session key it generated according to the parameter information for obtaining the session key.
2. the method for claim 1, is characterized in that, contains the identification information of described first terminal equipment and the identification information of described second terminal equipment in the described parameter information for obtaining session key;
Described EAS is before being carried in session key request message the KMC KMC sent to belonging to described first terminal equipment and described second terminal equipment by the described parameter information being used for obtaining session key, described method also comprises:
Described EAS, according to the identification information of the identification information of described first terminal equipment and described second terminal equipment, determines described first terminal equipment and the KMC KMC belonging to described second terminal equipment.
3. the method for claim 1, is characterized in that, described method also comprises:
Described EAS by encryption after session key send to described second terminal equipment, make described second terminal equipment can utilize described session key realize with described first terminal equipment between secure communication.
4. The method of claim 3, characterized in that the EAS sending the encrypted session key to the first terminal device and/or the second terminal device comprises:
The EAS sends the encrypted session key to the first terminal device and/or the second terminal device through IMS network signaling.
5. The method of any one of claims 1 to 3, characterized in that the encrypted session key contains the session key encrypted with a first protection key and the session key encrypted with a second protection key;
The encrypted session key being obtained by the KMC encrypting the session key it generated according to the parameter information for obtaining the session key comprises:
The KMC determines, according to the identification information of the first terminal device contained in the parameter information for obtaining the session key, the first protection key that the first terminal device identified by that information generated when logging in to the KMC, and encrypts the generated session key with the first protection key, obtaining the session key encrypted with the first protection key; and
The KMC determines, according to the identification information of the second terminal device contained in the parameter information for obtaining the session key, the second protection key that the second terminal device identified by that information generated when logging in to the KMC, and encrypts the generated session key with the second protection key, obtaining the session key encrypted with the second protection key.
6. A processing method for a secure service, characterized in that it comprises:
A first terminal device sends a secure service setup request message to an encryption application server (EAS), where the secure service setup request message indicates that a secure service needs to be established between the first terminal device and a second terminal device and contains parameter information for obtaining a session key;
The first terminal device receives the encrypted session key sent by the EAS, where the encrypted session key is obtained after the EAS carries the parameter information for obtaining the session key in a session key request message and sends it to the key management center (KMC) to which the first terminal device and the second terminal device belong, and the KMC encrypts the session key it generated according to the parameter information for obtaining the session key; the session key request message indicates a request that the KMC generate a session key for the secure service to be established between the first terminal device and the second terminal device.
7. The method of claim 6, characterized in that the method further comprises:
Upon receiving the encrypted session key sent by the EAS, the first terminal device sends the encrypted session key to the second terminal device.
8. The method of claim 7, characterized in that the first terminal device sending the encrypted session key to the second terminal device comprises:
The first terminal device sends the encrypted session key to the second terminal device through IMS network signaling;
Or,
The first terminal device sends the encrypted session key to the second terminal device through a media-plane data transmission channel established between it and the second terminal device.
9. The method of any one of claims 6 to 7, characterized in that the method further comprises:
Upon receiving the encrypted session key sent by the EAS, the first terminal device decrypts the encrypted session key with the first protection key it generated when logging in to the KMC, obtaining the session key generated by the KMC for the secure service between the first terminal device and the second terminal device.
10. A processing method for a secure service, characterized in that it comprises:
A key management center (KMC) receives a session key request message sent by an encryption application server (EAS), where the session key request message indicates a request that the KMC generate a session key for the secure service to be established between a first terminal device and a second terminal device and contains parameter information for obtaining the session key; the parameter information for obtaining the session key is carried in the secure service setup request message that the EAS received from the first terminal device, which indicates that a secure service needs to be established between the first terminal device and the second terminal device; and
The KMC returns the encrypted session key to the EAS, so that the EAS sends the encrypted session key to the first terminal device and the first terminal device can use the session key to communicate securely with the second terminal device, where the encrypted session key is obtained by the KMC encrypting the session key it generated according to the parameter information for obtaining the session key.
11. The method of claim 10, characterized in that the parameter information for obtaining the session key contains identification information of the first terminal device and identification information of the second terminal device;
The KMC returning the encrypted session key to the EAS comprises:
The KMC generates the session key required for performing the secure service between the first terminal device and the second terminal device;
The KMC determines, according to the identification information of the first terminal device contained in the parameter information for obtaining the session key, the first protection key that the first terminal device identified by that information generated when logging in to the KMC, and encrypts the generated session key with the first protection key, obtaining the session key encrypted with the first protection key; and
The KMC determines, according to the identification information of the second terminal device contained in the parameter information for obtaining the session key, the second protection key that the second terminal device identified by that information generated when logging in to the KMC, and encrypts the generated session key with the second protection key, obtaining the session key encrypted with the second protection key;
The KMC sends the session key encrypted with the first protection key and the session key encrypted with the second protection key together, as the encrypted session key, to the EAS in a key response message.
12. An encryption application server for a secure service, characterized in that it comprises:
A receiving module, configured to receive a secure service setup request message sent by a first terminal device, where the secure service setup request message indicates that a secure service needs to be established between the first terminal device and a second terminal device and contains parameter information for obtaining a session key;
A sending module, configured to carry the parameter information for obtaining the session key in a session key request message and send it to the key management center (KMC) to which the first terminal device and the second terminal device belong, where the session key request message indicates a request that the KMC generate a session key for the secure service to be established between the first terminal device and the second terminal device;
A processing module, configured to receive the encrypted session key returned by the KMC and send the encrypted session key to the first terminal device, so that the first terminal device can use the session key to communicate securely with the second terminal device, where the encrypted session key is obtained by the KMC encrypting the session key it generated according to the parameter information for obtaining the session key.
13. The encryption application server of claim 12, characterized in that the parameter information for obtaining the session key contains identification information of the first terminal device and identification information of the second terminal device;
The encryption application server further comprises:
A determining module, configured to determine, before the parameter information for obtaining the session key is carried in the session key request message and sent to the KMC to which the first terminal device and the second terminal device belong, the KMC to which the first terminal device and the second terminal device belong, according to the identification information of the first terminal device and the identification information of the second terminal device.
14. The encryption application server of claim 12, characterized in that
The processing module is further configured to send the encrypted session key to the second terminal device, so that the second terminal device can use the session key to communicate securely with the first terminal device.
15. The encryption application server of claim 14, characterized in that
The processing module is specifically configured to send the encrypted session key to the first terminal device and/or the second terminal device through IMS network signaling.
16. The encryption application server of any one of claims 12 to 14, characterized in that the encrypted communication service key contains the communication service key encrypted with a first protection key and the communication service key encrypted with a second protection key;
The encrypted session key being obtained by the KMC encrypting the session key it generated according to the parameter information for obtaining the session key comprises:
The KMC determines, according to the identification information of the first terminal device contained in the parameter information for obtaining the session key, the first protection key that the first terminal device identified by that information generated when logging in to the KMC, and encrypts the generated session key with the first protection key, obtaining the session key encrypted with the first protection key; and
The KMC determines, according to the identification information of the second terminal device contained in the parameter information for obtaining the session key, the second protection key that the second terminal device identified by that information generated when logging in to the KMC, and encrypts the generated session key with the second protection key, obtaining the session key encrypted with the second protection key.
17. A terminal device for performing a secure service, characterized in that it comprises:
A request message sending module, configured to send a secure service setup request message to an encryption application server (EAS), where the secure service setup request message indicates that a secure service needs to be established between the first terminal device and a second terminal device and contains parameter information for obtaining a session key;
A session key receiving module, configured to receive the encrypted session key sent by the EAS, where the encrypted session key is obtained after the EAS carries the parameter information for obtaining the session key in a session key request message and sends it to the key management center (KMC) to which the first terminal device and the second terminal device belong, and the KMC encrypts the session key it generated according to the parameter information for obtaining the session key; the session key request message indicates a request that the KMC generate a session key for the secure service to be established between the first terminal device and the second terminal device.
18. The terminal device of claim 17, characterized in that the terminal device further comprises:
A processing module, configured, upon receiving the encrypted session key sent by the EAS, to send the encrypted session key to the second terminal device.
19. The terminal device of claim 18, characterized in that
The processing module is specifically configured to send the encrypted session key to the second terminal device through IMS network signaling;
Or,
to send the encrypted session key to the second terminal device through a media-plane data transmission channel established between it and the second terminal device.
20. The terminal device of any one of claims 17 to 18, characterized in that the terminal device further comprises:
A decryption module, configured, upon receiving the encrypted session key sent by the EAS, to decrypt the encrypted session key with the first protection key generated when logging in to the KMC, obtaining the session key generated by the KMC for the secure service between the first terminal device and the second terminal device.
21. A KMC for a secure service, characterized in that it comprises:
A key request receiving module, configured to receive a session key request message sent by an encryption application server (EAS), where the session key request message indicates a request that the KMC generate a session key for the secure service to be established between a first terminal device and a second terminal device and contains parameter information for obtaining the session key; the parameter information for obtaining the session key is carried in the secure service setup request message that the EAS received from the first terminal device, which indicates that a secure service needs to be established between the first terminal device and the second terminal device; and
A key sending module, configured to return the encrypted session key to the EAS, so that the EAS sends the encrypted session key to the first terminal device and the first terminal device can use the session key to communicate securely with the second terminal device, where the encrypted session key is obtained by the KMC encrypting the session key it generated according to the parameter information for obtaining the session key.
22. The KMC of claim 21, characterized in that the parameter information for obtaining the session key contains identification information of the first terminal device and identification information of the second terminal device;
The key sending module is specifically configured to generate the session key required for performing the secure service between the first terminal device and the second terminal device; to determine, according to the identification information of the first terminal device contained in the parameter information for obtaining the session key, the first protection key that the first terminal device identified by that information generated when logging in to the KMC, and to encrypt the generated session key with the first protection key, obtaining the session key encrypted with the first protection key; and
to determine, according to the identification information of the second terminal device contained in the parameter information for obtaining the session key, the second protection key that the second terminal device identified by that information generated when logging in to the KMC, and to encrypt the generated session key with the second protection key, obtaining the session key encrypted with the second protection key;
and to send the session key encrypted with the first protection key and the session key encrypted with the second protection key together, as the encrypted session key, to the EAS in a key response message.
23. A processing system for a secure service, characterized in that the system comprises: the encryption application server of any one of claims 12 to 16, the terminal device of any one of claims 17 to 20, and the KMC of any one of claims 21 to 22.
CN201310631793.2A 2013-11-29 2013-11-29 Processing method, device and system for a secure service Active CN104683304B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310631793.2A CN104683304B (en) 2013-11-29 2013-11-29 A kind of processing method of secure traffic, equipment and system

Publications (2)

Publication Number Publication Date
CN104683304A true CN104683304A (en) 2015-06-03
CN104683304B CN104683304B (en) 2019-01-01

Family

ID=53317907

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310631793.2A Active CN104683304B (en) 2013-11-29 2013-11-29 Processing method, equipment and system of secure communication service

Country Status (1)

Country Link
CN (1) CN104683304B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100789668B1 (en) * 2005-01-27 2007-12-31 정명식 Mobile communications terminal having both general communication mode and secret communication service mode
CN101442742A (en) * 2008-12-12 2009-05-27 华为技术有限公司 Method, system and equipment for implementing end-to-end encipher of mobile cluster set call
CN101536399A (en) * 2006-09-28 2009-09-16 西门子公司 Method for providing a symmetric key for protecting a key management protocol
CN101572694A (en) * 2008-04-29 2009-11-04 华为技术有限公司 Method for acquiring media stream key, session equipment and key management function entity

Cited By (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9871656B2 (en) 2014-05-28 2018-01-16 Datang Mobile Communications Equipment Co., Ltd. Encrypted communication method and apparatus
EP3151597A1 (en) * 2014-05-28 2017-04-05 Datang Mobile Communications Equipment Co., Ltd. Method and apparatus for achieving secret communications
EP3151597A4 (en) * 2014-05-28 2017-05-03 Datang Mobile Communications Equipment Co., Ltd. Method and apparatus for achieving secret communications
US10826688B2 (en) 2015-08-27 2020-11-03 Huawei Technologies Co., Ltd. Key distribution and receiving method, key management center, first network element, and second network element
WO2017032298A1 (en) * 2015-08-27 2017-03-02 华为技术有限公司 Key distribution and receiving method, key management center, first network element and second network element
CN106534044A (en) * 2015-09-09 2017-03-22 中兴通讯股份有限公司 Method and device for encrypting voice call
EP3343966A4 (en) * 2015-11-13 2018-08-29 Huawei Technologies Co., Ltd. Key distribution and reception method, first key management center, and first network element
CN106714152A (en) * 2015-11-13 2017-05-24 华为技术有限公司 Secret key distribution and reception methods, first secret key management center, and first network element
CN106714153A (en) * 2015-11-13 2017-05-24 华为技术有限公司 Key distribution, generation and reception method, and related device
US11700245B2 (en) 2015-11-13 2023-07-11 Huawei Technologies Co., Ltd. Key distribution method, key receiving method, first key management system, and first network element
CN106714153B (en) * 2015-11-13 2022-06-10 华为技术有限公司 Key distribution, generation and reception method and related device
US11303622B2 (en) 2015-11-13 2022-04-12 Huawei Technologies Co., Ltd. Key distribution method, key receiving method, first key management system, and first network element
WO2017080136A1 (en) * 2015-11-13 2017-05-18 华为技术有限公司 Key distribution and reception method, first key management center, and first network element
CN106714152B (en) * 2015-11-13 2021-04-09 华为技术有限公司 Key distribution and receiving method, first key management center and first network element
CN106936570A (en) * 2015-12-31 2017-07-07 华为技术有限公司 A kind of cipher key configuration method and KMC, network element
US10903987B2 (en) 2015-12-31 2021-01-26 Huawei Technologies Co., Ltd. Key configuration method, key management center, and network element
WO2018010474A1 (en) * 2016-07-15 2018-01-18 中兴通讯股份有限公司 Method and apparatus for secure communication between vehicle-to-everything terminals
CN106535184A (en) * 2016-10-18 2017-03-22 深圳市金立通信设备有限公司 Key management method and system
CN107979836A (en) * 2016-10-21 2018-05-01 ***通信有限公司研究院 A kind of encryption call method and device applied to VoLTE
CN108449347B (en) * 2018-03-22 2021-08-13 北京可信华泰信息技术有限公司 Key generation server
CN108449347A (en) * 2018-03-22 2018-08-24 北京可信华泰信息技术有限公司 A kind of key generating server
CN108155991A (en) * 2018-03-22 2018-06-12 北京可信华泰科技有限公司 A kind of generation system of trusted key
CN109344848A (en) * 2018-07-13 2019-02-15 电子科技大学 Mobile intelligent terminal security level classification method based on Adaboost
CN111404671A (en) * 2019-01-02 2020-07-10 ***通信有限公司研究院 Mobile quantum secret communication method, gateway, mobile terminal and server
CN112702734A (en) * 2019-10-23 2021-04-23 中移物联网有限公司 Key distribution system and method
CN112702734B (en) * 2019-10-23 2023-04-28 中移物联网有限公司 Key distribution system and method
CN114930887A (en) * 2020-02-06 2022-08-19 华为技术有限公司 Key management method and communication device
CN115549956A (en) * 2022-08-17 2022-12-30 青岛海尔科技有限公司 Session establishing method, device, storage medium and electronic device
WO2024041498A1 (en) * 2022-08-22 2024-02-29 ***通信有限公司研究院 Secret communication processing method, first terminal, and storage medium

Also Published As

Publication number Publication date
CN104683304B (en) 2019-01-01

Similar Documents

Publication Publication Date Title
CN104683304A (en) Processing method, equipment and system of secure communication service
EP1946479B1 (en) Communication security
US9537837B2 (en) Method for ensuring media stream security in IP multimedia sub-system
CN100369430C (en) A protection method for access security of IP multimedia subsystem
CN102572817B (en) Method and intelligent memory card for realizing mobile communication confidentiality
CN102045210B (en) End-to-end session key consultation method and system for supporting lawful interception
CN107800539A (en) Authentication method, authentication device and Verification System
CN104702611A (en) Equipment and method for protecting session key of secure socket layer
CN101562813A (en) Method for implementing real-time data service, real-time data service system and mobile terminal
CN104683291B (en) Session key negotiation method based on IMS system
CN1658547B (en) Crytographic keys distribution method
CN105792193A (en) End-to-end voice encryption method of mobile terminal based on iOS operating system
CN101790160A (en) Method and device for safely consulting session key
CN104683098A (en) Implementation method, equipment and system of secure communication service
CN111970699A (en) Terminal WIFI login authentication method and system based on IPK
CN100561909C (en) A kind of IP Multimedia System access security guard method based on TLS
CN104243146A (en) Encryption communication method and device and terminal
CN100571133C (en) The implementation method of media flow security transmission
CN104683103A (en) Terminal equipment login authentication method and equipment
CN107294968A (en) The monitoring method and system of a kind of audio, video data
CN100544247C (en) The negotiating safety capability method
Gu et al. A green and secure authentication for the 4th generation mobile network
CN106209384B (en) Use the client terminal of security mechanism and the communication authentication method of charging unit
WO2017197968A1 (en) Data transmission method and device
CN105991277B (en) Cryptographic key distribution method based on SIP communication system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant