CN117528150A - GB35114-2017 protocol-based security system and method - Google Patents


Info

Publication number: CN117528150A
Authority: CN (China)
Prior art keywords: video, management, equipment, signaling, security
Legal status: Pending
Application number: CN202311551128.2A
Other languages: Chinese (zh)
Inventors: 谢盛堂, 王刚, 王家宾, 黄训涛, 陈剑恒, 梁智鸿
Current assignee: Tianyi Shilian Technology Co ltd
Original assignee: Tianyi Digital Life Technology Co Ltd
Events: application filed by Tianyi Digital Life Technology Co Ltd; priority to CN202311551128.2A; publication of CN117528150A; legal status pending

Classifications

All entries fall under H (Electricity) / H04 (Electric communication technique); the leaf codes are:

    • H04N21/2347 Processing of video elementary streams (e.g. splicing of video streams or manipulating encoded video stream scene graphs) involving video stream encryption
    • H04L63/0428 Network security: confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/06 Network security: supporting key management in a packet data network
    • H04L63/08 Network security: authentication of entities
    • H04L63/0823 Network security: authentication of entities using certificates
    • H04L63/10 Network security: controlling access to devices or network resources
    • H04L63/20 Network security: managing network security; network security policies in general
    • H04L9/0861 Cryptographic mechanisms: generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/3247 Cryptographic mechanisms: verifying the identity or authority of a user or message authentication, involving digital signatures
    • H04L9/3263 Cryptographic mechanisms: verifying the identity or authority of a user or message authentication, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; public key infrastructure [PKI] arrangements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Multimedia (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a security system and method based on the GB35114-2017 protocol. The system comprises an access module, in communication connection with user equipment, which performs device identity authentication and SIP control signaling authentication, ensures secure control of front-end devices, and manages devices, certificate keys, logs and clusters; a public module, in communication connection with the access module, which manages video security keys and provides streaming media services; an uplink (upper-connection) module, in communication connection with the public module, which provides the signaling services that implement user identity authentication, key management, authority management and signature verification; and an application module, which performs signature verification, decryption, decoding and verification of video streams and controls playback and download of encrypted video. The GB35114 security system consists of several functional modules that can be deployed as required, so that a very large-scale video surveillance platform built as a multi-node deployment gains the GB35114 security capability while reducing cost and allowing flexible scheduling.

Description

GB35114-2017 protocol-based security system and method
Technical Field
The invention relates to the field of emerging information technology, and in particular to a security system and method based on the GB35114-2017 protocol.
Background
With the rapid development of information technology, video monitoring is applied ever more widely across industries and is rapidly becoming networked, large-scale and intelligent. This trend has led to the rise of very large-scale video surveillance platforms and the generation of massive amounts of view data. It also brings a series of information security challenges: the video monitoring platform and the view data it produces contain a large amount of high-value information, which makes them an attractive target for attackers. To address the security risks of public security video monitoring systems, China established the first technical standard for the security of networked video monitoring information, GB 35114-2017. The standard aims to resolve latent information security hazards in current public security video monitoring systems, such as weak passwords and video leakage.
In the industry, GB35114 security platforms are usually built as closed, integrated architectures that rely on dedicated hardware deployment. This approach can provide relatively high security, but it comes with higher costs, which works against cost reduction and flexible scheduling in the multi-node deployment and construction of very large-scale video surveillance platforms. In addition, a hardware architecture is generally harder to maintain and update, which limits the flexibility and maintainability of the system.
Thus, as technology advances, the search for more cost-effective and flexible solutions has become an urgent need for the industry. Such solutions aim to reduce cost and improve the scalability and convenience of the system while maintaining information security.
Disclosure of Invention
The invention provides a security system and method based on the GB35114-2017 protocol. Its aim is to add GB35114 access capability or cascading capability through module assembly, without changing the data interaction of the video monitoring platform, so that projects can be deployed as required and expanded in capacity; by embedding the security system, a video monitoring platform can quickly acquire the GB35114 security capability, which provides a comprehensive security solution for the industry.
To achieve the above object, the present invention provides a security system and method based on the GB35114-2017 protocol, including:
the access module, in communication connection with the user equipment, which performs device identity authentication and Session Initiation Protocol (SIP) control signaling authentication, ensures secure control of front-end devices, and manages devices, certificate keys, logs and clusters;
the public module, in communication connection with the access module, which manages video security keys and provides streaming media services;
the uplink (upper-connection) module, in communication connection with the public module, which provides the signaling services that implement user identity authentication, key management, authority management and signature verification;
the application module, which performs signature verification, decryption, decoding and verification of video streams and controls playback and download of encrypted video.
In one embodiment, the access module and the public module are combined into a GB35114 access gateway that implements the southbound access function for GB35114 terminals;
the uplink module and the public module are combined into a GB35114 uplink gateway that implements the northbound uplink function.
In one embodiment, the access module includes GB35114 access signaling service and GB35114 video access management service;
the GB35114 access signaling service performs device identity authentication based on digital certificates, signaling security and key distribution. It provides the device identity authentication and SIP control signaling authentication functions required by the GB35114-2017 standard, implements authenticated SIP signaling processing and SIP routing with the front-end devices, and thereby secures the control functions of the front-end devices;
the GB35114 video access management service includes device management, certificate key management, log management, and cluster management functions.
In one embodiment, the device management supports adding, deleting, modifying GB35114-2017 secure networking devices;
the certificate key management provides comprehensive identity certificate management, covering application, review, issuance and updating of device, platform and client identity certificates, implements whole-lifecycle certificate management and audit, and supports the device authentication, signaling authentication and video encryption and decryption defined by GB 35114-2017;
the log management is used for searching and auditing GB35114-2017 signaling authentication logs, operation logs and system logs;
the cluster management provides cluster management for signaling and media, and achieves balanced message forwarding and load balancing of SIP transactions and data flows through various round-robin (polling) strategies.
In one embodiment, the uplink module includes a GB35114 cascade signaling service and a GB35114 video uplink management service;
the GB35114 cascade signaling service provides several signaling services, including receiving SIP signaling from the superior platform, completing secure signaling routing, transferring routing information between gateways, and adding and authenticating routing signaling and signaling identities;
the GB35114 video uplink management service performs management configuration, signaling control and media control scheduling for the upper and lower cascaded platforms, and interfaces with the video security key service system to implement user identity authentication, key management, authority management and signature verification.
In one embodiment, the common module includes a security management facility and GB35114 streaming media services;
the security management facility comprises a video security key management service and a cryptographic engine (cipher machine); the video security key management service issues certificates and keys to devices and users, and the cryptographic engine supports the SM1, SM2, SM3 and SM4 cryptographic algorithms and provides signing and verification operations;
the GB35114 streaming media service is used for identity authentication and video encryption and decryption. It receives media streams, completes signature verification of video streams together with the cryptographic engine to confirm the integrity and authenticity of the video data, supports forwarding SVAC video streams under load and writing video streams to a storage medium, and supports pushing real-time video streams and recorded video to the upper platform.
In one embodiment, the video security key management service includes certificate management and key management. It generates digital certificates, manages keys according to the characteristics of the video monitoring system, supports a key query function suited to the monitoring service, and provides whole-lifecycle symmetric key management, including user registration and review, so that symmetric keys are generated, distributed, stored and queried across all systems.
In one embodiment, the application module includes an SVAC decryption decoding SDK and an SVAC player;
the SVAC decryption and decoding SDK performs signature verification, encryption, decryption and decoding of GB35114 C-level SVAC video streams and provides an SDK integration interface;
the SVAC player acquires, retrieves, plays back, controls and downloads real-time GB35114 C-level encrypted video streams, and can be embedded into a client application.
A security method based on the GB35114-2017 protocol, for use in the security system described above, comprising:
step S101, the device initiates a bidirectional authentication registration request to the video monitoring platform, through a client request, using the configured SIP server address and port;
step S102, on receiving the request, the GB35114 access signaling service generates a random number R1 and responds to the device with a 401 message;
step S103, on receiving the 401 message, the device generates a random number R2, produces a digital signature S1, and sends S1 in a second REGISTER request;
step S104, on receiving this request, the GB35114 access signaling service decrypts S1 with the device certificate and checks the validity of R1 and of the device SIPID; if they are valid, it acquires or creates the symmetric key VKEK, encrypts it using the device public key and the platform private key to obtain S2, and sends a 200 message to the device;
step S105, on receiving the 200 message, the device first decrypts S2 using the public key from the GB35114 access signaling service certificate, checks the validity of R2 and of its own SIPID, and then decrypts with its own private key to obtain the VKEK;
step S106, the device and the GB35114 access signaling service complete the security authentication of device access according to the bidirectional identity authentication flow of the GB35114-2017 protocol, after which the GB35114 access signaling service sends a device-online notification to the video monitoring platform.
In one embodiment, in step S103 the public module signs R1, R2 and the device SIPID with its private key using the SM2 cryptographic algorithm to obtain the digital signature S1;
in step S104 the existing symmetric key is used as the VKEK when one is present, and a new symmetric key is created as the VKEK when none is present.
The invention has the following beneficial effects:
1. The GB35114 security capability of the scheme is developed in modular form, can be embedded into a video monitoring platform architecture, and exposes an extensible API by integrating the GB35114 security capability, so that customized development is possible and the research, development and cost investment of the video monitoring platform are significantly reduced.
2. The scheme lets the video monitoring platform upgrade its software by overlaying the GB35114 security module, thereby building the GB35114 security capability while keeping the platform compatible with the original front-end camera access mode, so that normal service continues without disruption.
3. The GB35114 security system consists of several functional modules that can be deployed as required; for example, an access module and a public module can form a GB35114 access gateway that provides the southbound access capability for GB35114 terminals, or an uplink module and a public module can form a GB35114 uplink gateway that provides the northbound uplink capability.
Drawings
FIG. 1 is a block diagram of a security system based on the GB35114-2017 protocol in accordance with an embodiment of the present invention;
FIG. 2 is a block diagram illustrating a bidirectional authentication flow of a security system based on the GB35114-2017 protocol in accordance with an embodiment of the present invention;
fig. 3 is a flow chart of a security method based on GB35114-2017 protocol according to an embodiment of the present invention.
In the drawings, 100 is the uplink module; 110 is the GB35114 cascade signaling service; 120 is the GB35114 video uplink management service; 200 is the public module; 210 is the GB35114 streaming media service; 220 is the security management facility; 221 is the video security key management service; 222 is the cryptographic engine; 300 is the access module; 310 is the GB35114 access signaling service; 320 is the GB35114 video access management service; 400 is the application module; 410 is the SVAC decryption and decoding SDK; 420 is the SVAC player.
Detailed Description
In order to make the purposes, technical solutions and advantages of the implementation of the present application more clear, the technical solutions in the embodiments of the present application will be described in more detail below with reference to the accompanying drawings in the embodiments of the present application. In the drawings, the same or similar reference numerals denote the same or similar elements or elements having the same or similar functions. The described embodiments are some, but not all, of the embodiments of the present application. The embodiments described below by referring to the drawings are exemplary and intended for the purpose of explaining the present application and are not to be construed as limiting the present application. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, are intended to be within the scope of the present application.
Fig. 1 is a block diagram of a security system based on GB35114-2017 protocol according to an embodiment of the present invention, where the security system based on GB35114-2017 protocol includes:
the access module 300, in communication connection with the user equipment, performs device identity authentication and Session Initiation Protocol (SIP) control signaling authentication, ensures secure control of the front-end devices, and manages devices, certificate keys, logs and clusters;
the public module 200, in communication connection with the access module 300, manages the video security keys and provides streaming media services;
the uplink (upper-connection) module 100, in communication connection with the public module 200, provides the signaling services that implement user identity authentication, key management, authority management and signature verification;
the application module 400 performs signature verification, decryption, decoding and verification of the video stream and controls playback and download of the encrypted video.
In one embodiment, the access module 300 and the public module 200 are combined into a GB35114 access gateway to implement a southbound access function of a GB35114 terminal;
the uplink module 100 and the public module 200 are combined into a GB35114 uplink gateway to implement the northbound uplink function.
In one embodiment, the access module 300 includes GB35114 access signaling service 310 and GB35114 video access management service 320;
the GB35114 access signaling service 310 performs device identity authentication based on digital certificates, signaling security and key distribution, and provides the device identity authentication and SIP (Session Initiation Protocol) control signaling authentication functions required by the GB35114-2017 standard, so as to implement authenticated SIP signaling processing and SIP routing with the front-end devices and secure their control functions;
the GB35114 video access management service 320 includes device management, certificate key management, log management, and cluster management functions.
In one embodiment, the device management supports adding, deleting, modifying GB35114-2017 secure networking devices;
the certificate key management provides comprehensive identity certificate management, including application, audit, issuing and updating of equipment, platforms and client identity certificates, realizes the whole-course identity certificate management and audit function, and supports equipment authentication, signaling authentication and video encryption and decryption related to GB 35114-2017;
the log management is used for searching and auditing GB35114-2017 signaling authentication logs, operation logs and system logs;
the cluster management provides cluster management for signaling and media, and achieves balanced message forwarding and load balancing of SIP transactions and data flows through various round-robin (polling) strategies.
In one embodiment, the uplink module 100 includes a GB35114 cascading signaling service 110 and a GB35114 video uplink management service 120;
the GB35114 cascade signaling service 110 provides various signaling services, including receiving SIP signaling from the upper-level platform, completing secure signaling routing, transferring routing information between gateways, and adding and authenticating routing signaling and signaling identities;
the GB35114 video uplink management service 120 performs management configuration, signaling control and media control scheduling for the upper and lower cascaded platforms, and interfaces with a video security key service system to implement user identity authentication, key management, rights management and signature verification.
In particular, by receiving the upper-level signaling and completing its secure routing, sessions can be established and maintained efficiently, which lets the user set up multimedia communication sessions easily.
In one embodiment, the public module 200 includes a security management facility 220 and a GB35114 streaming media service 210;
the security management facility 220 comprises a video security key management service 221 and a cryptographic engine 222; the video security key management service 221 issues certificates and keys to devices and users, and the cryptographic engine 222 supports signing and verification operations using SM1, SM2, SM3 and SM4 (the Chinese national commercial cryptographic algorithms);
the GB35114 streaming media service 210 is used for identity authentication and video encryption and decryption. It receives media streams, completes signature verification of video streams together with the cryptographic engine 222 to confirm the integrity and authenticity of the video data, supports forwarding SVAC (the national digital video codec standard) video streams under load and writing video streams to storage media, and supports pushing real-time video streams and recorded video to an upper platform.
Specifically, the cryptographic engine 222, which supports the national cryptographic algorithms and conforms to the relevant specifications and technical requirements of the national cryptography administration, and the video security key management service 221 built on it together form the security management infrastructure: they provide certificate management and key management, generate digital certificates, and, by managing keys, provide the key query function of the monitoring service.
In one embodiment, the video security key management service 221 includes certificate management and key management. It generates digital certificates, manages keys according to the characteristics of the video monitoring system, supports a key query function suited to monitoring services, and provides whole-lifecycle symmetric key management, including user registration and review, so that symmetric keys are generated, distributed, stored and queried across all systems.
Specifically, a GB35114 security system is established, and by interfacing with the video security key management service 221 it implements the digital-certificate-based device identity authentication procedure and the digital-certificate-based client identity authentication procedure required by the GB35114 specification, and thereby functions such as key distribution during a video session.
In one embodiment, the application module 400 includes an SVAC decryption decoding SDK (software development kit) 410 and an SVAC player 420;
the SVAC decryption and decoding SDK 410 performs signature verification, encryption, decryption and decoding of GB35114 C-level SVAC video streams, and provides an SDK integration interface;
the SVAC player 420 performs real-time video stream acquisition, video retrieval, video playback, playback control and download of GB35114 C-level encrypted video streams, and can be embedded in a client application.
Fig. 3 is a flow chart of a security method based on GB35114-2017 protocol according to an embodiment of the present invention, for the security system based on GB35114-2017 protocol, including:
step S101, equipment initiates a bidirectional authentication registration request to a video monitoring platform through a client request according to the filled SIP server address port;
step S102, GB35114 access signaling service 310 receives the request and generates a random number R1, and responds 401 to the device;
step S103, the device generates a random number R2 after receiving 401 the message, obtains a digital signature S1, and sends out the digital signature again through a Register (registered to a network or a server) request;
step S104, after receiving the request, GB35114 access signaling service 310 decrypts S1 through the device certificate, verifies the validity of R1 and the device SIPID (session initiation protocol identifier), if so, acquires or creates a VKEK (symmetric key), encrypts by using a device public key and a platform private key to obtain S2, and sends 200 information to the device;
step S105, after receiving the 200 message, the equipment decodes S2 by using the public key in the GB35114 access signaling service 310 certificate to verify the validity of R2 and the SIPID of the equipment, and decodes by using the private key to obtain the VKEK;
in step S106, the device and GB35114 access signaling service 310 completes the security authentication of the device access according to the GB35114-2017 protocol c.2.2.2 bidirectional identity authentication procedure, and then the GB35114 access signaling service 310 sends a device online notification to the video monitoring platform.
In one embodiment, in step S103 the public module 200 signs R1, R2 and the device SIP ID with its own private key using the SM2 algorithm of the national commercial cryptographic suite, obtaining the digital signature S1;
in step S104, the existing symmetric key VKEK is fetched when one is present, and a new symmetric key is created and used as the VKEK when none is present.
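The six steps above, worked through as a runnable exchange in Go. This is an added example, not code from the patent or from the applicant: both parties run in one process, RSA-PSS over SHA-256 stands in for the SM2 signature and SM3 hash and RSA-OAEP for SM2 encryption of the VKEK (Go's standard library has neither SM2 nor SM3), and the 20-digit SIP ID, the 32-byte R1 and R2 and the 32-byte VKEK are assumed values. What it adds to the description is the checks that make the flow safe in practice: the R1 challenge is consumed on first use, so a captured REGISTER cannot be replayed; a device with no enrolled certificate, or a 200 OK signed by a different platform, is rejected; and the VKEK is created only on the first successful registration and reused afterwards.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Stand-ins (assumption, not the patent's algorithms): RSA-PSS over SHA-256 replaces the SM2 signature
// and SM3 h<br>ash, and RSA-OAEP replaces SM2 public-key encryption of the VKEK, so that one key pair per
// party both signs and decrypts, as an SM2 key pair does. The SIP transport itself is not modelled.

// digest hashes the concatenation; R1 and R2 are fixed 32-byte values, so no length prefix is needed.
func digest(parts ...[]byte) []byte { h := sha256.Sum256(bytes.Join(parts, nil)); return h[:] }
func randBytes(n int) []byte      { b := make([]byte, n); rand.Read(b); return b } // crypto/rand
func newKey() *rsa.PrivateKey     { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }

func sign(k *rsa.PrivateKey, parts ...[]byte) []byte {
	s, _ := rsa.SignPSS(rand.Reader, k, crypto.SHA256, digest(parts...), nil) // fails only on a bad key
	return s
}

func verify(pub *rsa.PublicKey, sig []byte, parts ...[]byte) bool {
	return rsa.VerifyPSS(pub, crypto.SHA256, digest(parts...), sig, nil) == nil
}

type RegisterReq struct{ SIPID string; R1, R2, S1 []byte } // second REGISTER (S103)
type RegisterOK struct{ EncVKEK, S2 []byte }                // body of the 200 OK (S104)
type Device struct{ SIPID string; key *rsa.PrivateKey; r2, VKEK []byte }

type Platform struct {
	key            *rsa.PrivateKey
	certs          map[string]*rsa.PublicKey // enrolled device certificates, by SIP ID
	VKEKs, pending map[string][]byte         // current VKEK per device; R1 challenges not yet consumed
	Online         map[string]bool           // set in S106
}

func NewDevice(sipID string) *Device { return &Device{SIPID: sipID, key: newKey()} }
func NewPlatform() *Platform {
	return &Platform{key: newKey(), certs: map[string]*rsa.PublicKey{}, VKEKs: map[string][]byte{},
		pending: map[string][]byte{}, Online: map[string]bool{}}
}
func (p *Platform) PublicKey() *rsa.PublicKey { return &p.key.PublicKey }
func (p *Platform) Enroll(d *Device)        { p.certs[d.SIPID] = &d.key.PublicKey }

// S102: answer the first REGISTER with a 401 carrying a fresh random R1.
func (p *Platform) Challenge(sipID string) []byte { p.pending[sipID] = randBytes(32); return p.pending[sipID] }

// S103: the device picks R2 and signs R1 || R2 || SIPID with its private key.
func (d *Device) Register(r1 []byte) RegisterReq {
	d.r2 = randBytes(32)
	return RegisterReq{SIPID: d.SIPID, R1: r1, R2: d.r2, S1: sign(d.key, r1, d.r2, []byte(d.SIPID))}
}

// S104: check S1 against the enrolled certificate and the outstanding R1, get or create the VKEK,
// encrypt it to the device public key, and sign R2 || SIPID || ciphertext as S2.
func (p *Platform) HandleRegister(req RegisterReq) (*RegisterOK, error) {
	pub, ok := p.certs[req.SIPID]
	if !ok {
		return nil, fmt.Errorf("unknown device %s", req.SIPID)
	}
	if r1, ok := p.pending[req.SIPID]; !ok || !bytes.Equal(r1, req.R1) {
		return nil, fmt.Errorf("no outstanding R1 for %s: stale or replayed REGISTER", req.SIPID)
	}
	delete(p.pending, req.SIPID) // each challenge is usable exactly once
	if !verify(pub, req.S1, req.R1, req.R2, []byte(req.SIPID)) {
		return nil, fmt.Errorf("S1 of %s does not verify under its certificate", req.SIPID)
	}
	if _, ok := p.VKEKs[req.SIPID]; !ok {
		p.VKEKs[req.SIPID] = randBytes(32) // create only when no VKEK exists for this device
	}
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, p.VKEKs[req.SIPID], nil)
	if err != nil {
		return nil, err
	}
	p.Online[req.SIPID] = true // S106: device-online notification to the platform
	return &RegisterOK{EncVKEK: enc, S2: sign(p.key, req.R2, []byte(req.SIPID), enc)}, nil
}

// S105: verify S2 with the platform certificate's public key, then decrypt the VKEK.
func (d *Device) Complete(ok *RegisterOK, platformPub *rsa.PublicKey) error {
	if !verify(platformPub, ok.S2, d.r2, []byte(d.SIPID), ok.EncVKEK) {
		return fmt.Errorf("S2 does not verify: wrong platform or R2 mismatch")
	}
	vkek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, d.key, ok.EncVKEK, nil)
	d.VKEK = vkek
	return err
}

func RunRegistration(p *Platform, d *Device) error { // one complete S101-S106 exchange
	ok, err := p.HandleRegister(d.Register(p.Challenge(d.SIPID)))
	if err != nil {
		return err
	}
	return d.Complete(ok, p.PublicKey())
}
```

RunRegistration performs S101 to S106 for one device; calling it again for the same device exercises the "get" branch of S104 and returns the same VKEK, while a HandleRegister call with no outstanding R1 fails before any signature is examined.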
Further, the video monitoring platform is upgraded in software by overlaying the GB35114 security system on it, so that the platform's signaling service and streaming media service gain the security functions. The upgraded video monitoring platform still supports access by the original front-end cameras and similar devices, which solves the system's compatibility problem during the transition period.
FIG. 2 shows an implementation of the present invention, specifically as follows:
First, the client requests an RTSP (Real Time Streaming Protocol) play address from the video monitoring platform. The platform checks whether the user is authorized to access the device and, if so, obtains the device's RTSP play address from the GB35114 streaming media service 210.
The GB35114 streaming media service 210 queries whether the device's media stream is already connected to the video monitoring platform. If it is, the service generates an RTSP access address, stores the distribution information and its association with the user, and returns the RTSP address to the video monitoring platform. If no access-stream information for the device is found, the service requests a media access IP (Internet Protocol) address and port, then initiates a device push-stream request through the GB35114 access signaling service 310 so that the device pushes its stream to the designated IP address and port; once the device's stream arrives, the GB35114 streaming media service 210 generates an RTSP play address and notifies the video monitoring platform of it. Next, the video monitoring platform obtains the device certificate from the video security key management service 221 and returns it to the client together with the RTSP address.
The client receives the returned content, parses the device certificate, extracts and caches the device public key from the certificate, and opens the RTSP address through the embedded SVAC player 420.
When the RTSP address is accessed, the GB35114 streaming media service 210 first checks that the address is valid and refuses the RTSP connection if it is not. If the address is valid, the service asks the video security key management service 221 for the public key of the user to whom the RTSP address belongs, for the device's latest VKEK and for the VKEK version, and has the cipher machine 222 encrypt the VKEK of that video stream with SM2 under the user's public key, producing the VKEK ciphertext. The VKEK ciphertext, the VKEK version and related data are then sent to the client over the RTSP link.
Finally, the client decrypts the VKEK ciphertext with SM2 using the user private key held in the UKEY (USB key hardware token) and caches the recovered VKEK together with its version in client memory. Meanwhile, the player receives the video data pushed by the GB35114 streaming media service 210, reads the signature and Base64-decodes it, takes the device certificate from the cache, and verifies the SM2 signature with the device public key against the SM3 hash it computes over the video data; only if the hash values are consistent is the data accepted, so a modified or foreign frame is rejected before any decryption takes place. The player then decrypts the SVAC-format video stream with the VKEK according to the encryption type field in the video data's NAL (network abstraction layer) unit and plays it.
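The client-side steps in the paragraphs above, as an added Go example that is not part of the patent or the applicant's SDK: each video unit is accepted only after its Base64-encoded signature verifies under the cached device public key, and only then is the payload decrypted with the VKEK whose version the unit carries, according to its encryption type. It assumes the client has already recovered the VKEK from the SM2 ciphertext sent over the RTSP link, and uses RSA-PSS over SHA-256 in place of SM2/SM3 and AES-256-GCM in place of SM4; the frame layout, the version and encryption-type values and the sample slice are constructed for the example, not the real SVAC NAL unit syntax.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
)

// Stand-ins (assumption, not the patent's algorithms): RSA-PSS over SHA-256 replaces the SM2 signature
// and SM3 hash on the video data; AES-256-GCM keyed by the VKEK replaces SM4. Frame layout is constructed.

const (
	EncNone uint8 = 0 // payload is plaintext
	EncVKEK uint8 = 1 // payload encrypted under the VKEK of the carried version
)

// Frame is one signed, possibly encrypted video unit as the player receives it.
type Frame struct {
	VKEKVersion uint32
	EncType     uint8
	Nonce       []byte // GCM nonce when EncType == EncVKEK, empty otherwise
	Payload     []byte
	Sig         string // Base64 signature over the fields above, as carried in the stream
}

// signedHash covers every field except the signature, so type and version cannot be altered unnoticed.
func (f *Frame) signedHash() []byte {
	b := append(binary.BigEndian.AppendUint32(nil, f.VKEKVersion), f.EncType)
	h := sha256.Sum256(append(append(b, f.Nonce...), f.Payload...))
	return h[:]
}

func gcmFor(vkek []byte) cipher.AEAD {
	block, err := aes.NewCipher(vkek)
	if err != nil {
		panic(err) // a VKEK of the wrong length is a caller bug, not a stream error
	}
	aead, _ := cipher.NewGCM(block)
	return aead
}

// NewDeviceKey stands in for the SM2 key pair behind the device certificate.
func NewDeviceKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }

// Produce builds a frame on the sending side: encrypt under the VKEK when requested, then sign.
func Produce(devKey *rsa.PrivateKey, vkek []byte, version uint32, encType uint8, plain []byte) (*Frame, error) {
	f := &Frame{VKEKVersion: version, EncType: encType}
	switch encType {
	case EncNone:
		f.Payload = plain
	case EncVKEK:
		aead := gcmFor(vkek)
		f.Nonce = make([]byte, aead.NonceSize())
		rand.Read(f.Nonce) // crypto/rand: a fresh nonce for every frame under the same VKEK
		f.Payload = aead.Seal(nil, f.Nonce, plain, nil)
	default:
		return nil, fmt.Errorf("unsupported encryption type %d", encType)
	}
	sig, err := rsa.SignPSS(rand.Reader, devKey, crypto.SHA256, f.signedHash(), nil)
	if err != nil {
		return nil, err
	}
	f.Sig = base64.StdEncoding.EncodeToString(sig)
	return f, nil
}

// Player holds what the client cached: the device public key and the unwrapped VKEKs by version.
type Player struct {
	DevPub *rsa.PublicKey
	VKEKs  map[uint32][]byte
}

// Consume verifies the signature before touching the payload, then decrypts by encryption type.
func (p *Player) Consume(f *Frame) ([]byte, error) {
	sig, err := base64.StdEncoding.DecodeString(f.Sig)
	if err != nil {
		return nil, fmt.Errorf("signature is not valid Base64: %w", err)
	}
	if rsa.VerifyPSS(p.DevPub, crypto.SHA256, f.signedHash(), sig, nil) != nil {
		return nil, fmt.Errorf("signature verification failed: frame modified or not from this device")
	}
	if f.EncType == EncNone {
		return f.Payload, nil
	}
	if f.EncType != EncVKEK {
		return nil, fmt.Errorf("unsupported encryption type %d", f.EncType)
	}
	vkek, ok := p.VKEKs[f.VKEKVersion]
	if !ok {
		return nil, fmt.Errorf("no VKEK cached for version %d: fetch it again over the RTSP link", f.VKEKVersion)
	}
	return gcmFor(vkek).Open(nil, f.Nonce, f.Payload, nil) // GCM independently rejects a tampered ciphertext
}
```

Consume deliberately checks the signature before looking up any key, so a frame with a valid signature but an unknown VKEK version fails with a distinct error that tells the player to refresh the key over the RTSP link, while a tampered frame, or one signed by another device, is dropped without touching any key material.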
The invention has the following beneficial effects:
1. The GB35114 security capability of this scheme is developed in module form, can be embedded into a video monitoring platform architecture, and, by integrating the GB35114 security capability, provides an extensible API for customized development, which markedly reduces the development effort and cost of the video monitoring platform.
2. The scheme allows the video monitoring platform to be upgraded in software by overlaying the GB35114 security module, building the GB35114 security capability while keeping the platform compatible with the original front-end camera access mode, so that normal service continues unaffected.
3. The GB35114 security system consists of several functional modules that can be deployed as needed: for example, the access module and the public module can form a GB35114 access gateway providing southbound access for GB35114 terminals, or the uplink module and the public module can form a GB35114 uplink gateway providing northbound uplink capability.
In the description of the present application, it is to be understood that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments in accordance with the present application. For ease of description, the dimensions of the various features shown in the drawings are not drawn to actual scale. Techniques, methods, and apparatus known to one of ordinary skill in the relevant art may not be discussed in detail, but should be considered part of the specification where appropriate. In all examples shown and discussed herein, any specific values should be construed as merely illustrative, and not a limitation. Thus, other examples of the exemplary embodiments may have different values. It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further discussion thereof is necessary in subsequent figures.
It should be noted that "upstream" in this document refers to a connection between a switch and another switch or router. "Southbound access capability" refers to the access, control and data-transfer capabilities that a device or system provides to its downstream components; southbound access is the way a device or system communicates with its downstream components or subsystems, which may include communication between the device and sensors, actuators, sub-devices or infrastructure. "Northbound capability" refers to the access and data-transfer capabilities that a device or system provides to its upstream system, server or management platform; it is the communication channel between the device or system and the upstream components or control platform, used to transfer data, status information or reports to the upstream system in support of monitoring, management and decision making. In this application, the terms "comprises", "comprising" or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements includes not only those elements but may include other elements not expressly listed or inherent to such process, method, article or apparatus. It should also be noted that the methods and apparatus in the embodiments of the present application are not limited to performing the functions in the order shown or discussed; the functions may be performed substantially simultaneously or in the reverse order, depending on the functions involved, so that the described methods may be performed in an order different from that described and various steps may be added, omitted or combined. Additionally, features described with reference to certain examples may be combined in other examples.
It should be further noted that, unless explicitly stated or limited otherwise, the terms "connected" and "coupled" and the like used in the description of the present application should be understood in a broad sense: the connection may be direct or through an intermediate medium, or may be a relationship between two elements, and a person skilled in the art can understand the specific meaning in the present application according to the specific circumstances.
The embodiments described above are intended to enable those skilled in the art to implement or use the present application; those skilled in the art may make various modifications or changes to them without departing from the spirit of the application. The scope of the application is therefore not limited by the embodiments described above but is to be accorded the broadest scope consistent with the innovative features recited in the claims.

Claims (10)

1. A security system based on the GB35114-2017 protocol, wherein the security system comprises:
an access module, communicatively connected to user equipment, for identity authentication of devices and authentication of Session Initiation Protocol (SIP) control signaling, ensuring secure control of front-end devices, and for managing devices, certificates and keys, logs and clusters;
a public module, communicatively connected to the access module, for managing video security keys and providing streaming media services;
an uplink module, communicatively connected to the public module, providing various signaling services to realize identity authentication, key management, authority management and signature verification for users;
an application module for signature verification, encryption, decryption, decoding and verification of video streams, and for controlling the playing and downloading of encrypted video.
2. The security system based on the GB35114-2017 protocol of claim 1, wherein the access module and the public module are combined to form a GB35114 access gateway that implements the southbound access function for GB35114 terminals;
and the uplink module and the public module are combined to form a GB35114 uplink gateway that implements the northbound uplink function.
3. The security system based on the GB35114-2017 protocol of claim 1, wherein the access module includes a GB35114 access signaling service and a GB35114 video access management service;
the GB35114 access signaling service is used for certificate-based device identity authentication, signaling security and key distribution, provides the device identity authentication and SIP control signaling authentication functions required by the GB35114-2017 standard, implements SIP signaling processing, authentication and SIP routing with front-end devices, and ensures that the front-end device control functions are implemented securely;
the GB35114 video access management service includes device management, certificate and key management, log management and cluster management functions.
4. The security system based on the GB35114-2017 protocol of claim 3, wherein:
the device management supports adding, deleting and modifying GB35114-2017 secure networking devices;
the certificate and key management provides comprehensive identity certificate management, including application, review, issuance and renewal of identity certificates for devices, platforms and clients, implements whole-lifecycle identity certificate management and audit, and supports the device authentication, signaling authentication and video encryption and decryption defined by GB35114-2017;
the log management is used for searching and auditing GB35114-2017 signaling authentication logs, operation logs and system logs;
the cluster management provides cluster management of signaling and media, and implements balanced forwarding of messages and load balancing of SIP transactions and data flows through various round-robin scheduling strategies.
5. The security system based on the GB35114-2017 protocol of claim 1, wherein the uplink module includes a GB35114 cascade signaling service and a GB35114 video uplink management service;
the GB35114 cascade signaling service provides a plurality of signaling services, including receiving SIP signaling from the superior platform, completing secure signaling routing, transferring routing information between gateways, and adding and identifying routing signaling and signaling identities;
the GB35114 video uplink management service is used for management configuration, signaling control and media control scheduling of the upper and lower cascaded platforms, and interfaces with the video security key service system to realize identity authentication, key management, authority management and signature verification for users.
6. The security system based on the GB35114-2017 protocol of claim 1, wherein the public module comprises a security management facility and a GB35114 streaming media service;
the security management facility comprises a video security key management service and a cipher machine, wherein the video security key management service issues certificates and keys to devices and users, and the cipher machine supports the SM1, SM2, SM3 and SM4 cryptographic algorithms and provides signing and verification operations;
the GB35114 streaming media service is used for identity authentication and video encryption and decryption, supports receiving media streams, completes signature verification of video streams in cooperation with the cipher machine to confirm the integrity and authenticity of the video data, supports load-balanced forwarding of SVAC video streams and writing of video streams to storage media, and supports pushing real-time video streams and recorded video to the upper platform.
7. The security system based on the GB35114-2017 protocol of claim 6, wherein the video security key management service comprises certificate management and key management: it generates digital certificates, supports key query functions suited to monitoring services by managing keys according to the characteristics of the video monitoring system, and provides whole-lifecycle symmetric key management, including user registration and review and the generation, distribution, storage and query of symmetric keys across all systems.
8. The security system based on the GB35114-2017 protocol of claim 1, wherein the application module comprises an SVAC decryption and decoding SDK and an SVAC player;
the SVAC decryption and decoding SDK is used for signature verification, encryption, decryption and decoding of GB 35114 C-level SVAC video streams and provides an SDK integration interface;
the SVAC player is used for real-time stream acquisition, video retrieval, playback, play control and download of GB 35114 C-level encrypted video streams and can be embedded in a client application.
9. A security method based on the GB35114-2017 protocol, for a security system based on the GB35114-2017 protocol according to any one of claims 1 to 8, comprising:
step S101: the device initiates a bidirectional authentication registration request to the video monitoring platform, via a client request, using the configured SIP server address and port;
step S102: the GB35114 access signaling service receives the request, generates a random number R1 and returns a 401 response to the device;
step S103: on receiving the 401 message, the device generates a random number R2, obtains the digital signature S1, and sends it again in a REGISTER request;
step S104: on receiving the request, the GB35114 access signaling service verifies S1 with the device certificate and checks the validity of R1 and the device SIP ID; if valid, it obtains or creates the symmetric key VKEK, encrypts it with the device public key and signs with the platform private key to obtain S2, and sends a 200 message to the device;
step S105: on receiving the 200 message, the device verifies S2 with the public key in the certificate of the GB35114 access signaling service, checks the validity of R2 and its own SIP ID, and decrypts the VKEK with its own private key;
step S106: the device and the GB35114 access signaling service complete the security authentication of device access according to the bidirectional identity authentication flow of GB35114-2017, after which the GB35114 access signaling service sends a device-online notification to the video monitoring platform.
10. The security method based on the GB35114-2017 protocol of claim 9, wherein in step S103 the public module signs R1, R2 and the device SIP ID with its own private key using the SM2 algorithm to obtain the digital signature S1;
and in step S104, the existing symmetric key VKEK is obtained when one is present, and a symmetric key is created as the VKEK when none is present.
Application CN202311551128.2A, priority date 2023-11-20, filing date 2023-11-20: GB35114-2017 protocol-based security system and method; status Pending; publication CN117528150A (en)

Publication: CN117528150A (en), published 2024-02-06

Family ID: 89764038



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 2024-03-14

Address after: Unit 1, Building 1, China Telecom Zhejiang Innovation Park, No. 8 Xiqin Street, Wuchang Street, Yuhang District, Hangzhou City, Zhejiang Province, 311100

Applicant after: Tianyi Shilian Technology Co.,Ltd.

Country or region after: China

Address before: Room 1423, No. 1256 and 1258, Wanrong Road, Jing'an District, Shanghai 200072

Applicant before: Tianyi Digital Life Technology Co.,Ltd.

Country or region before: China