WO2017045407A1 - Method for implementing end-to-end call encryption, terminal, and network-side network element - Google Patents


Info

Publication number
WO2017045407A1
Authority
WO
WIPO (PCT)
Prior art keywords
media
media channel
call
negotiation
encryption
Application number
PCT/CN2016/081313
Other languages
English (en)
Chinese (zh)
Inventor
高扬
Original Assignee
中兴通讯股份有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L 65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L 65/10 Architectures or entities
    • H04L 65/1016 IP multimedia subsystem [IMS]

Definitions

  • Embodiments of the present invention relate to, but are not limited to, a method, a terminal, and a network-side network element for implementing end-to-end call encryption.
  • VoLTE: Voice over LTE
  • IMS: IP Multimedia Subsystem
  • In current typical deployments, encryption is established only between the terminal and the IMS access-side device, such as the Session Border Controller (SBC); on the network side there is no encryption between the network elements, so calls are easy to monitor maliciously.
  • SBC: Session Border Controller
  • With VoLTE now the mainstream voice technology, and VoLTE itself being IP-based, the problem of malicious monitoring of VoLTE voice can even rise to the level of national security.
  • VoLTE encryption schemes generally negotiate key parameters over the signaling plane and then use the negotiated key parameters to encrypt the call.
  • Where the security level of encryption based on such key parameters alone is insufficient, the country's own digital certificates must be used.
  • Information such as digital certificates cannot be carried on the VoLTE signaling plane, which is an intractable contradiction.
  • An embodiment of the present invention provides a method for implementing end-to-end call encryption, which includes: exchanging a digital certificate and performing key parameter negotiation in a reliable transmission mode during the call establishment process; and
  • performing an end-to-end encrypted call by using the negotiated key parameters.
  • The method further includes establishing the reliable transmission mode, which includes:
  • establishing a first media channel in an explicit manner, specifically: performing media negotiation by adding a dedicated encryption negotiation media line in the Session Description Protocol (SDP) to establish the first media channel; or
  • establishing the first media channel in an implicit manner, specifically: establishing the first media channel as a dedicated default connection;
  • in the implicit case the method further includes: turning on the dedicated default connection.
  • Alternatively, the reliable transmission mode introduces, in the voice media channel, a mode in which the media packets in the media channel are analyzed and lost packets are retransmitted;
  • in that case the method further includes: restoring normal media packet processing afterwards.
  • The method further includes: during call establishment, the session initiator carries a first precondition in the media line of the voice media when initiating the session request;
  • the first precondition is: once the digital certificate has been exchanged and key parameter negotiation completed in the reliable transmission mode, a ringing prompt is sent to the answering party.
  • The method further includes: during call establishment, the session initiator carries a second precondition in the media line of the voice media when initiating the session request;
  • the second precondition is: once resource reservation is completed, a ringing prompt is sent to the answering party.
  • The embodiment of the invention further provides a terminal, which includes at least a first processing module and a second processing module, where
  • the first processing module is configured to exchange a digital certificate and perform key parameter negotiation in a reliable transmission mode during call setup; and
  • the second processing module is configured to perform an end-to-end encrypted call in the voice media channel by using the negotiated key parameters.
  • The terminal further includes a transceiver module configured to: perform media negotiation by adding a dedicated encryption negotiation media line in the SDP to establish a first media channel; or establish the first media channel, i.e. the dedicated encryption negotiation media channel, as a dedicated default connection; or analyze the media packets in the media channel and retransmit lost packets, and resume normal media packet processing once the digital certificate has been exchanged and key parameter negotiation performed.
  • The first processing module is specifically configured to: during call establishment, exchange the digital certificate and perform key parameter negotiation in the first media channel; or complete the exchange of the digital certificate and perform key parameter negotiation in the mode of analyzing the media packets in the media channel and retransmitting lost packets.
  • The transceiver module is further configured to: when the session request is initiated, carry a first precondition in the media line of the voice media, where the first precondition is: completing the exchange of the digital certificate and key parameter negotiation in the reliable transmission mode; accordingly,
  • the terminal further includes a ringing processing module configured to initiate a ringing prompt to the answering party when the first precondition is met.
  • The transceiver module is further configured to: when the session request is initiated, carry a second precondition in the media line of the voice media, where the second precondition is: completing resource reservation; accordingly,
  • the terminal further includes:
  • a resource reservation module configured to complete resource reservation; and
  • the ringing processing module, configured to initiate a ringing prompt to the answering party when the second precondition is met.
  • The embodiment of the invention further provides a network-side network element, which includes at least a forwarding module and a media channel processing module;
  • the forwarding module is configured to forward messages during call establishment; and
  • the media channel processing module is configured to pre-establish a first media channel, where the first media channel is a dedicated media channel for encryption negotiation, and to turn on the pre-established first media channel when call establishment is completed.
  • The network-side network element is an IP Multimedia Subsystem (IMS) access-side device.
  • The IMS access-side device is a Session Border Controller (SBC).
  • The embodiment of the invention further provides a computer-readable storage medium storing computer-executable instructions for performing any of the above methods for implementing end-to-end call encryption.
  • The technical solution of the present application includes: exchanging a digital certificate and performing key parameter negotiation in a reliable transmission mode during call establishment; and performing an end-to-end encrypted call in the voice media channel by using the negotiated key parameters.
  • Because the digital certificate is exchanged and the key parameters are negotiated in the reliable transmission mode, and the end-to-end encrypted call is then performed in the existing media channel using the negotiated key parameters, the security of VoLTE-based end-to-end calls is ensured while national security is also ensured.
  • FIG. 1 is a schematic flowchart of implementing end-to-end call encryption based on VoLTE in the related art.
  • FIG. 2 is a flowchart of a method for implementing end-to-end call encryption according to an embodiment of the present invention.
  • FIG. 3 is a schematic flowchart of a first embodiment for implementing end-to-end call encryption according to an embodiment of the present invention.
  • FIG. 4 is a schematic flowchart of a second embodiment for implementing end-to-end call encryption according to an embodiment of the present invention.
  • FIG. 5 is a schematic flowchart of a third embodiment for implementing end-to-end call encryption according to an embodiment of the present invention.
  • FIG. 6 is a schematic flowchart of a fourth embodiment for implementing end-to-end call encryption according to an embodiment of the present invention.
  • FIG. 7 is a schematic flowchart of a fifth embodiment for implementing end-to-end call encryption according to an embodiment of the present invention.
  • FIG. 8 is a schematic structural diagram of a terminal for implementing end-to-end call encryption according to an embodiment of the present invention.
  • FIG. 9 is a schematic structural diagram of a network-side network element for implementing end-to-end call encryption according to an embodiment of the present invention.
  • FIG. 1 is a schematic flowchart of implementing end-to-end call encryption based on VoLTE in the related art. As shown in FIG. 1, the flow includes:
  • Step 100: UE1 sends an INVITE call request to SBC1, carrying a Session Description Protocol (SDP) body. From the perspective of media negotiation, this SDP is the Offer, i.e. the INVITE SDP offer.
  • SDP: Session Description Protocol
  • The SDP carries a media line (m line) identifying the voice media for the call.
  • Step 101: SBC1 forwards the INVITE SDP offer to the IMS.
  • Step 102: The IMS forwards the INVITE SDP offer to SBC2 on the called user side.
  • Step 103: SBC2 forwards the INVITE SDP offer to UE2.
  • Step 104: UE2 processes the received INVITE SDP offer, constructs an SDP and sends it to SBC2. From the perspective of media negotiation, this SDP is the Answer, i.e. UE2 returns a 200 OK SDP answer.
  • Step 105: SBC2 forwards the 200 OK SDP answer message to the IMS.
  • Step 106: The IMS forwards the 200 OK SDP answer message to SBC1.
  • Step 107: SBC1 forwards the 200 OK SDP answer message to UE1. At this point, the media channel for the voice call is established.
  • Step 108: UE1 and UE2 exchange digital certificates in the media channel.
  • The media channel established in the related art is carried over the Real-time Transport Protocol (RTP), and RTP transmission is itself unreliable, so exchanging digital certificates in this channel is unreliable.
  • RTP: Real-time Transport Protocol
  • This step is optional: if a digital certificate is not needed (for example, for identity authentication), this step can be omitted.
  • Step 109: UE1 and UE2 negotiate key parameters in the media channel.
  • Step 110: UE1 and UE2 perform an end-to-end encrypted call by using the negotiated key parameters.
  • The SDP Answer may also be carried in the called party's 183 message.
  • The digital certificates and key parameters involved in steps 108 and 109 are transmitted over the network. Since a digital certificate is text-form data, its transmission should be reliable from the perspective of data integrity.
  • RTP media, by contrast, are in streaming media format and may use an unreliable transport protocol. That is to say, exchanging digital certificates directly in the RTP media channel, as in the related art, is unreliable.
  • SBC1 and SBC2 are optional network elements.
  • FIG. 2 is a flowchart of a method for implementing end-to-end call encryption according to an embodiment of the present invention. As shown in FIG. 2, the method includes:
  • Step 200: During call establishment, exchange the digital certificate and perform key parameter negotiation in the reliable transmission mode.
  • This step also includes establishing the reliable transmission mode, which includes but is not limited to:
  • establishing a first media channel. Because the first media channel is a dedicated media channel, distinct from the existing voice media channel used for the end-to-end encrypted call, it can use a reliable transport protocol; or
  • introducing a special mode in the voice media channel, in which the media packets in the media channel are analyzed and lost packets are retransmitted, and exchanging the digital certificate and negotiating the key parameters in this special mode. In this way, reliable transmission of the digital certificate and key information is likewise guaranteed.
  • The first media channel may be established in an explicit manner, specifically: performing media negotiation by adding a dedicated encryption negotiation media line (such as an m line) in the SDP to establish the first media channel, which is a dedicated media channel for encryption negotiation.
  • Because the dedicated encryption negotiation media channel established in the explicit manner is set up through ordinary media negotiation, current network-side network elements support it without additional network-side requirements, which makes it convenient for rapid deployment and promotion in the network.
  • This explicit manner is convenient for standardization and industrialization, and for promotion to government and enterprise users, rather than being limited to internal use by national security agencies.
  • The first media channel may also be established in an implicit manner, specifically: pre-establishing the first media channel, i.e. the dedicated encryption negotiation media channel, as a dedicated default connection.
  • The establishment of the dedicated default connection is not reflected in the SDP procedure; it is a dedicated default connection agreed in advance by both parties, UE1 and UE2.
  • The dedicated default connection may use an agreed fixed port, such as a TCP connection on port 8080, or a TCP connection on a port associated with the actual media stream, such as the audio port + 2.
  • When the first media channel is established in the implicit manner, because the dedicated encryption negotiation media channel is not set up through media negotiation, the network-side network element, such as the SBC device, is required to open the dedicated default connection.
  • Step 201: Perform the end-to-end encrypted call in the voice media channel by using the negotiated key parameters.
  • The voice media channel in this step is the media channel established for the voice call by the existing method shown in FIG. The specific implementation of this step is consistent with the prior art and is not described again here.
  • In the special-mode case, this step further includes: restoring normal media packet processing.
  • Because the digital certificate is exchanged and the key parameters are negotiated in the reliable transmission mode, and the end-to-end encrypted call is then performed in the existing media channel using the negotiated key parameters, the security of VoLTE-based end-to-end calls is guaranteed, and national security is guaranteed as well.
  • The method of the embodiment of the present invention further includes:
  • the session initiator (such as UE1) carries a first precondition in the media line of the voice media when initiating the session request; for example, the first precondition is: once the digital certificate has been exchanged and key parameter negotiation completed in the reliable transmission mode, send a ringing prompt to the receiving party (such as UE2).
  • A corresponding precondition attribute may be extended in the SDP to carry the first precondition.
  • The method of the embodiment of the present invention further includes:
  • the session initiator (such as UE1) carries a second precondition in the media line of the voice media when initiating the session request;
  • the second precondition is: once resource reservation is completed, send a ringing prompt to the receiving party.
  • Extending the corresponding attribute in the SDP to carry the first precondition requires support from every network element in the network. From a compatibility perspective, if the purpose of the first precondition can be achieved without extending the attribute descriptions, the related network elements in the network need not be upgraded, which gives the technical solution of the embodiments its compatibility.
  • If only the existing second precondition, i.e. the resource reservation mechanism already available in SDP, is used, the related network elements in the network need not be upgraded and the purpose of the first precondition is still achieved, so the compatibility of the technical solution provided by the embodiments is improved.
  • FIG. 3 is a schematic flowchart of a first embodiment of end-to-end call encryption according to an embodiment of the present invention.
  • The first embodiment establishes the first media channel in the explicit manner. As shown in FIG. 3, it includes:
  • Step 300: UE1 sends an INVITE call request to SBC1, carrying an SDP body. From the perspective of media negotiation, this SDP is the Offer, i.e. the INVITE SDP offer.
  • In addition to the media line (m line) identifying the voice media for the call, the SDP carries a media line (m line) identifying the dedicated encryption negotiation channel.
  • Step 301: SBC1 forwards the INVITE SDP offer to the IMS.
  • Step 302: The IMS forwards the INVITE SDP offer to SBC2 on the called user side.
  • Step 303: SBC2 forwards the INVITE SDP offer to UE2.
  • Step 304: UE2 processes the received INVITE SDP offer, constructs an SDP and sends it to SBC2. From the perspective of media negotiation, this SDP is the Answer, i.e. UE2 returns a 200 OK SDP answer. Similarly, in addition to the media line (m line) for the voice media of the call, this SDP carries the media line (m line) identifying the dedicated encryption negotiation channel.
  • Step 305: SBC2 forwards the 200 OK SDP answer message to the IMS.
  • Step 306: The IMS forwards the 200 OK SDP answer message to SBC1.
  • Step 307: SBC1 forwards the 200 OK SDP answer message to UE1.
  • At this point call establishment is complete: in addition to the voice media channel for the voice call, a dedicated media channel for encryption negotiation has also been established.
  • Step 308: UE1 and UE2 exchange digital certificates in the first media channel.
  • This step is optional: if a digital certificate is not needed (for example, for identity authentication), this step can be omitted.
  • Step 309: UE1 and UE2 negotiate key parameters in the first media channel.
  • Step 310: UE1 and UE2 perform an end-to-end encrypted call on the voice media channel by using the negotiated key parameters.
  • The SDP Answer may also be carried in the called party's 183 message.
  • The digital certificates and key parameters involved in steps 308 and 309 are transmitted over the network, and their transmission must be reliable from the perspective of data integrity.
  • Transport protocols such as the Transmission Control Protocol (TCP) or the Stream Control Transmission Protocol (SCTP) may be employed here.
  • SBC1 and SBC2 are optional network elements.
  • FIG. 4 is a schematic flowchart of a second embodiment of implementing end-to-end call encryption according to an embodiment of the present invention.
  • The second embodiment establishes the first media channel in the implicit manner. As shown in FIG. 4, the method includes:
  • Step 400: UE1 sends an INVITE call request to SBC1, carrying an SDP body. From the perspective of media negotiation, this SDP is the Offer, i.e. the INVITE SDP offer.
  • The SDP carries a media line (m line) identifying the voice media for the call.
  • Step 401: SBC1 forwards the INVITE SDP offer to the IMS.
  • Step 402: The IMS forwards the INVITE SDP offer to SBC2 on the called user side.
  • Step 403: SBC2 forwards the INVITE SDP offer to UE2.
  • Step 404: UE2 processes the received INVITE SDP offer, constructs an SDP and sends it to SBC2. From the perspective of media negotiation, this SDP is the Answer, i.e. UE2 returns a 200 OK SDP answer.
  • Step 405: SBC2 forwards the 200 OK SDP answer message to the IMS.
  • Step 406: If SBC2 is present in the deployment, SBC2 needs to open the first media channel, i.e. the dedicated default connection for encryption negotiation.
  • Step 407: The IMS forwards the 200 OK SDP answer message to SBC1.
  • Step 408: SBC1 forwards the 200 OK SDP answer message to UE1.
  • Step 409: If SBC1 is present in the deployment, SBC1 needs to open the first media channel, i.e. the dedicated default connection for encryption negotiation.
  • At this point call establishment is complete: in addition to the voice media channel for the voice call, a dedicated media channel for encryption negotiation has also been established.
  • Step 410: UE1 and UE2 exchange digital certificates in the first media channel.
  • This step is optional: if a digital certificate is not needed (for example, for identity authentication), this step can be omitted.
  • Step 411: UE1 and UE2 negotiate key parameters in the first media channel.
  • Step 412: UE1 and UE2 perform an end-to-end encrypted call on the voice media channel by using the negotiated key parameters.
  • The SDP Answer may also be carried in the called party's 183 message.
  • The establishment of the dedicated default connection is not reflected in the SDP procedure; it is a dedicated default connection agreed in advance by both parties, UE1 and UE2.
  • The dedicated default connection may use an agreed fixed port, such as a TCP connection on port 8080, or an agreed port associated with the actual media stream, such as a TCP connection on the audio port + 2.
  • SBC1 and SBC2 are optional network elements.
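As an added illustration (example code, not from the patent or its assignee), the Python below builds the explicit-manner SDP offer with the voice m line plus a dedicated encryption-negotiation m line over TCP, parses the answer, and resolves the first media channel's endpoint for all three variants the text describes (explicit m line, implicit fixed port 8080, implicit audio port + 2). The media type `application`, the format token `e2e-encryption-negotiation`, the RFC 4145 setup/connection attributes and the sample addresses and ports are assumptions; the patent names no SDP syntax for the dedicated line.

```python
from __future__ import annotations
# Added example, not from the patent: SDP handling for the dedicated
# encryption-negotiation media channel (the "first media channel").
from dataclasses import dataclass

# Assumed tokens for the dedicated m line; the patent only says "a dedicated
# encryption negotiation media line (such as an m line)".
ENC_MEDIA = "application"
ENC_FORMAT = "e2e-encryption-negotiation"
RELIABLE_PROTOS = {"TCP", "SCTP"}  # the transports the text names for this channel


@dataclass
class MediaLine:
    media: str  # audio, application, ...
    port: int   # 0 means the peer rejected this media
    proto: str  # RTP/AVP, TCP, ...
    fmt: str    # payload formats or format token


def parse_sdp(sdp: str) -> tuple[str | None, list[MediaLine]]:
    """Return the session-level c= address and the list of m lines."""
    addr, mlines = None, []
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("c="):
            addr = line[2:].split()[2]  # c=<nettype> <addrtype> <address>
        elif line.startswith("m="):
            fields = line[2:].split()
            if len(fields) < 4:
                raise ValueError(f"malformed m line: {line!r}")
            mlines.append(MediaLine(fields[0], int(fields[1]), fields[2], " ".join(fields[3:])))
    return addr, mlines


def build_explicit_offer(addr: str, audio_port: int, enc_port: int) -> str:
    """INVITE SDP offer of the explicit manner: the voice m line plus the dedicated
    encryption-negotiation m line over TCP (RFC 4145 setup/connection attributes)."""
    return "\r\n".join([
        "v=0", f"o=ue1 1 1 IN IP4 {addr}", "s=-", f"c=IN IP4 {addr}", "t=0 0",
        f"m=audio {audio_port} RTP/AVP 96", "a=rtpmap:96 AMR-WB/16000",
        f"m={ENC_MEDIA} {enc_port} TCP {ENC_FORMAT}", "a=setup:actpass", "a=connection:new",
    ]) + "\r\n"


def resolve_first_media_channel(answer_sdp: str, manner: str,
                                default_port: int = 8080) -> tuple[str, int, str]:
    """(address, port, transport) of the first media channel once the answer is in.

    "explicit":         taken from the peer's dedicated m line
    "implicit-fixed":   agreed fixed TCP port, not visible in SDP (the text's 8080)
    "implicit-audio+2": agreed TCP port derived from the negotiated audio port
    """
    addr, mlines = parse_sdp(answer_sdp)
    if addr is None:
        raise ValueError("answer carries no c= line")
    audio = next((m for m in mlines if m.media == "audio"), None)
    if audio is None or audio.port == 0:
        raise ValueError("no voice media channel was negotiated")
    if manner == "explicit":
        enc = next((m for m in mlines if m.media == ENC_MEDIA and m.fmt == ENC_FORMAT), None)
        if enc is None or enc.port == 0:
            # A peer or SBC that does not support the line answers it with port 0 or
            # drops it; falling back to the RTP voice channel would be unreliable.
            raise ValueError("peer rejected the dedicated encryption-negotiation channel")
        if enc.proto not in RELIABLE_PROTOS:
            raise ValueError(f"dedicated channel must be reliable, got {enc.proto}")
        return addr, enc.port, enc.proto
    if manner == "implicit-fixed":
        return addr, default_port, "TCP"  # the SBCs on the path must open it (steps 406/409)
    if manner == "implicit-audio+2":
        return addr, audio.port + 2, "TCP"
    raise ValueError(f"unknown manner {manner!r}")


def peer_accepted_dedicated_channel(answer_sdp: str) -> bool:
    try:
        resolve_first_media_channel(answer_sdp, "explicit")
        return True
    except ValueError:
        return False


# Constructed sample answer from UE2 (documentation addresses, arbitrary ports).
SAMPLE_ANSWER = "\r\n".join([
    "v=0", "o=ue2 2 2 IN IP4 192.0.2.20", "s=-", "c=IN IP4 192.0.2.20", "t=0 0",
    "m=audio 40000 RTP/AVP 96", "a=rtpmap:96 AMR-WB/16000",
    f"m={ENC_MEDIA} 50000 TCP {ENC_FORMAT}", "a=setup:active", "a=connection:new",
]) + "\r\n"
# The same answer from a peer that rejected the dedicated line (port 0).
SAMPLE_ANSWER_REJECTED = SAMPLE_ANSWER.replace(" 50000 TCP ", " 0 TCP ")

if __name__ == "__main__":
    print(build_explicit_offer("192.0.2.10", 30000, 30100))
    for manner in ("explicit", "implicit-fixed", "implicit-audio+2"):
        print(manner, resolve_first_media_channel(SAMPLE_ANSWER, manner))
```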
  • FIG. 5 is a schematic flowchart of a third embodiment of implementing end-to-end call encryption according to an embodiment of the present invention.
  • The third embodiment introduces a special mode in the voice media channel, in which the media packets in the media channel are analyzed and lost packets are retransmitted. As shown in FIG. 5, the method includes:
  • Step 500: UE1 sends an INVITE call request to SBC1, carrying an SDP body. From the perspective of media negotiation, this SDP is the Offer, i.e. the INVITE SDP offer.
  • The SDP carries a media line (m line) identifying the voice media for the call.
  • Step 501: SBC1 forwards the INVITE SDP offer to the IMS.
  • Step 502: The IMS forwards the INVITE SDP offer to SBC2 on the called user side.
  • Step 503: SBC2 forwards the INVITE SDP offer to UE2.
  • Step 504: UE2 processes the received INVITE SDP offer, constructs an SDP and sends it to SBC2. From the perspective of media negotiation, this SDP is the Answer, i.e. UE2 returns a 200 OK SDP answer.
  • Step 505: SBC2 forwards the 200 OK SDP answer message to the IMS.
  • Step 506: The IMS forwards the 200 OK SDP answer message to SBC1.
  • Step 507: SBC1 forwards the 200 OK SDP answer message to UE1. The call is now established.
  • Step 508: UE1 and UE2 enter the special mode: they analyze the media packets in the media channel, such as Real-time Transport Protocol (RTP) packets, and retransmit lost packets.
  • Step 509: UE1 and UE2 exchange digital certificates in the media channel in the special mode.
  • This step is optional: if a digital certificate is not needed (for example, for identity authentication), this step can be omitted.
  • Step 510: UE1 and UE2 negotiate key parameters in the media channel in the special mode.
  • Step 511: Once key parameter negotiation is completed, UE1 and UE2 exit the special mode and resume normal RTP processing.
  • Step 512: UE1 and UE2 perform an end-to-end encrypted call on the voice media channel by using the negotiated key parameters.
  • The SDP Answer may also be carried in the called party's 183 message.
  • SBC1 and SBC2 are optional network elements.
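The special mode of the third embodiment, as an added simulation (example code, not from the patent): certificate bytes are chunked into RTP packets, the receiver analyses the RTP sequence numbers to find lost packets and NACKs them, and the sender retransmits until the certificate is complete, including across the 16-bit sequence wrap. The payload type 101, the 32-byte chunk size, the NACK loop and the random-loss channel are assumptions of this example.

```python
# Added example, not from the patent: a simulation of the third embodiment's
# "special mode". Certificate bytes ride in RTP packets; the receiver analyses
# the 16-bit RTP sequence numbers, detects gaps and asks the sender to
# retransmit them until the certificate is complete (payload type, chunk size
# and loss model are assumptions).
import random
import struct

RTP_VERSION = 2
NEGOTIATION_PT = 101  # assumed dynamic payload type marking negotiation packets


def rtp_pack(seq, ts, ssrc, payload, marker):
    """Minimal 12-byte RTP header (V=2, no padding/extension/CSRC) + payload."""
    b1 = (0x80 if marker else 0) | NEGOTIATION_PT
    return struct.pack("!BBHII", RTP_VERSION << 6, b1, seq & 0xFFFF, ts, ssrc) + payload


def rtp_unpack(pkt):
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    if b0 >> 6 != RTP_VERSION:
        raise ValueError("not an RTP v2 packet")
    return {"seq": seq, "marker": bool(b1 & 0x80), "pt": b1 & 0x7F, "payload": pkt[12:]}


class Sender:
    """Splits the certificate into packets; the last one carries the marker bit."""
    def __init__(self, data, first_seq, chunk=32, ssrc=0x1234):
        self.chunks = [data[i:i + chunk] for i in range(0, len(data), chunk)]
        self.first_seq, self.ssrc = first_seq, ssrc
    def _packet(self, i):
        return rtp_pack(self.first_seq + i, i, self.ssrc, self.chunks[i],
                        marker=(i == len(self.chunks) - 1))
    def packets(self):
        return [self._packet(i) for i in range(len(self.chunks))]
    def retransmit(self, seqs):
        """Resend what the receiver reported missing; ignore seqs outside the range."""
        idx = [(s - self.first_seq) & 0xFFFF for s in seqs]
        return [self._packet(i) for i in idx if i < len(self.chunks)]


class Receiver:
    """Tracks received seqs. start_seq is known to both sides because the RTP
    sequence simply continues from the voice stream when the mode is entered."""
    def __init__(self, start_seq):
        self.start = start_seq & 0xFFFF
        self.got = {}     # seq -> payload
        self.last = None  # seq of the marker packet once it has been seen
    def accept(self, pkts):
        for p in pkts:
            h = rtp_unpack(p)
            if h["pt"] != NEGOTIATION_PT:
                continue  # an ordinary voice packet, not part of the exchange
            self.got[h["seq"]] = h["payload"]
            if h["marker"]:
                self.last = h["seq"]
    def _span(self):
        """Every seq from start up to the marker (or the highest seen), mod 2^16."""
        end = self.last if self.last is not None else max(
            self.got, key=lambda s: (s - self.start) & 0xFFFF)
        return [(self.start + i) & 0xFFFF for i in range(((end - self.start) & 0xFFFF) + 1)]
    def missing(self):
        """Seqs to NACK; while the marker packet is unseen, also probe the next seq."""
        if not self.got:
            return [self.start]
        span = self._span()
        miss = [s for s in span if s not in self.got]
        if self.last is None:
            miss.append((span[-1] + 1) & 0xFFFF)
        return miss
    def complete(self):
        return self.last is not None and not self.missing()
    def data(self):
        return b"".join(self.got[s] for s in self._span())


def transfer(data, loss_rate, seed=7, start_seq=65530, max_rounds=200):
    """Run the exchange over a lossy channel; returns (received bytes, NACK rounds).
    The default start_seq near 65535 exercises the sequence-number wrap-around."""
    rng = random.Random(seed)
    drop = lambda pkts: [p for p in pkts if rng.random() >= loss_rate]  # random loss
    tx, rx = Sender(data, start_seq), Receiver(start_seq)
    rx.accept(drop(tx.packets()))
    rounds = 0
    while not rx.complete():
        rounds += 1
        if rounds > max_rounds:
            raise RuntimeError("certificate exchange did not complete")
        rx.accept(drop(tx.retransmit(rx.missing())))
    return rx.data(), rounds


# Constructed stand-in for a certificate (real ones are kilobytes of DER/PEM).
FAKE_CERT = b"-----BEGIN CERTIFICATE-----\n" + bytes(range(256)) * 4 + b"\n-----END CERTIFICATE-----\n"
```

With loss the first pass leaves gaps, which is exactly why the related art's plain RTP exchange is unreliable; the NACK rounds close them.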
  • FIG. 6 is a schematic flowchart of a fourth embodiment of implementing end-to-end call encryption according to an embodiment of the present invention.
  • In the fourth embodiment, completion of the digital certificate exchange and key parameter negotiation in the reliable transmission mode is taken as the precondition for the called party UE2 to ring, and the call is answered only after that. As shown in FIG. 6, the flow includes:
  • Step 600: UE1 sends an INVITE call request to SBC1, carrying an SDP body. From the perspective of media negotiation, this SDP is the Offer, i.e. the INVITE SDP offer.
  • The SDP carries a media line (m line) identifying the voice media for the call and a media line (m line) identifying the dedicated encryption negotiation channel, and carries a precondition, namely: only once the digital certificate has been exchanged and key parameter negotiation completed in the reliable transmission mode is the ringing prompt sent to the receiving party (such as UE2).
  • Step 601: SBC1 forwards the INVITE SDP offer to the IMS.
  • Step 602: The IMS forwards the INVITE SDP offer to SBC2 on the called user side.
  • Step 603: SBC2 forwards the INVITE SDP offer to UE2.
  • Step 604: UE2 processes the received INVITE SDP offer, constructs an SDP and sends it to SBC2. From the perspective of media negotiation, this SDP is the Answer, i.e. UE2 returns a 200 OK SDP answer. Similarly, in addition to the media line (m line) identifying the voice media for the call and the media line (m line) identifying the dedicated encryption negotiation channel, this SDP carries the precondition, namely: only once the digital certificate has been exchanged and key parameter negotiation completed in the reliable transmission mode is the ringing prompt sent to the receiving party (such as UE2).
  • The precondition may further carry a conf attribute line.
  • The conf line indicates that the party receiving the conf indication during media negotiation must, when the precondition is satisfied, send the other party a message stating that the precondition is satisfied.
  • Step 605: SBC2 forwards the 183 SDP answer message to the IMS.
  • Step 606: The IMS forwards the 183 SDP answer message to SBC1.
  • Step 607: SBC1 forwards the 183 SDP answer message to UE1.
  • At this point call establishment is complete: in addition to the voice media channel for the voice call, a dedicated media channel for encryption negotiation has also been established.
  • Step 608: UE1 and UE2 exchange digital certificates in the first media channel.
  • This step is optional: if a digital certificate is not needed (for example, for identity authentication), this step can be omitted.
  • Step 609: UE1 and UE2 negotiate key parameters in the first media channel.
  • Step 610: Because key parameter negotiation is completed, the precondition of the voice media channel is satisfied, and UE1 sends an UPDATE carrying the state that the precondition is satisfied.
  • Step 611: SBC1 forwards the UPDATE request to the IMS.
  • Step 612: The IMS forwards the UPDATE request to SBC2 on the called user side.
  • Step 613: SBC2 forwards the UPDATE request to UE2.
  • Step 614: UE2 accepts the UPDATE message and constructs a 200 OK response, which it sends to SBC2.
  • Step 615: SBC2 forwards the 200 OK message to the IMS.
  • Step 616: The IMS forwards the 200 OK message to SBC1.
  • Step 617: SBC1 forwards the 200 OK message to UE1.
  • Step 618: Because the precondition is satisfied, UE2 rings to prompt the user of the incoming call, and at the same time sends a 180 to SBC2.
  • Step 619: SBC2 forwards the 180 message to the IMS.
  • Step 620: The IMS forwards the 180 message to SBC1.
  • Step 621: SBC1 forwards the 180 message to UE1.
  • Step 622: The called user (UE2) goes off-hook, and UE2 sends a 200 OK to SBC2.
  • Step 623: SBC2 forwards the 200 OK message to the IMS.
  • Step 624: The IMS forwards the 200 OK message to SBC1.
  • Step 625: SBC1 forwards the 200 OK message to UE1.
  • Step 626: UE1 and UE2 perform an end-to-end encrypted call on the voice media channel by using the negotiated key parameters.
  • Step 604 may also omit the conf line, in which case steps 610 to 617 may be omitted.
  • SBC1 and SBC2 are optional network elements.
  • The SDP format in the 183 is as follows:
  • a=conf:encryption e2e sendrecv, indicating that if the peer's precondition reaches this state, the peer must send a status notification.
  • The SDP format in the UPDATE or 200 OK is as follows:
  • FIG. 7 is a schematic flowchart of a fifth embodiment of implementing end-to-end call encryption according to an embodiment of the present invention.
  • resource reservation is completed as a pre-condition, as shown in FIG. 7, including:
  • Step 700 The UE1 sends an invite INVITE call request to the SBC1, where the Session Description Protocol (SDP) is carried. From the perspective of media negotiation, the SDP is Offer, which is the INVITE SDP offer.
  • SDP Session Description Protocol
  • the SDP carries a media line (m line) for identifying the voice media for the call, and a media line (m line) for identifying the dedicated encryption negotiation, and carries the precondition (Precondition), that is, the resource is completed. Reserved.
  • Step 701 SBC1 forwards the INVITE SDP offer to the IMS.
  • Step 702 The IMS forwards the INVITE SDP offer to the SBC2 on the called user side.
  • Step 703 SBC2 forwards the INVITE SDP offer to UE2.
  • Step 704 UE2 processes the received INVITE SDP offer, constructs an SDP and sends it to SBC2. From the perspective of media negotiation, this SDP is the Answer, that is, UE2 returns a 200 OK SDP answer. Likewise, in addition to the media line (m line) identifying the voice media for the call and the media line (m line) identifying the dedicated encryption negotiation, this SDP also carries the precondition, namely completion of resource reservation.
  • The precondition may further carry the conf attribute line.
  • The conf line is prior art: it indicates that the party receiving the conf indication during media negotiation must send a message to the other party when the precondition becomes satisfied.
  • Step 705 SBC2 forwards the 183 SDP answer message to the IMS.
  • Step 706 The IMS forwards the 183 SDP answer message to SBC1.
  • Step 707 SBC1 forwards the 183 SDP answer message to UE1.
  • Call establishment is now complete: in addition to the voice media channel for the voice call, a dedicated media channel for encryption negotiation has also been established.
  • Step 708 UE1 and UE2 exchange digital certificates in the first media channel.
  • This step is optional: if a digital certificate is not required, for example for identity authentication, this step can be omitted.
  • Step 709 UE1 and UE2 negotiate key parameters in the first media channel.
  • Step 710 UE1 completes its resource reservation, and UE2 completes its resource reservation.
  • Step 711 With the resource reservations of UE1 and UE2 both completed, the preconditions of the voice media channel are satisfied, and UE1 sends an UPDATE carrying the state that the precondition is satisfied.
  • Step 712 SBC1 forwards the UPDATE request to the IMS.
  • Step 713 The IMS forwards the UPDATE request to the SBC2 on the called user side.
  • Step 714 SBC2 forwards the UPDATE request to UE2.
  • Step 715 UE2 accepts the UPDATE message and constructs a 200 OK response to send to SBC2.
  • Step 716 SBC2 forwards the 200 OK message to the IMS.
  • Step 717 The IMS forwards the 200 OK message to SBC1.
  • Step 718 SBC1 forwards the 200 OK message to UE1.
  • Step 719 The resource reservation of UE1 is completed, the resource reservation of UE2 is completed, and the key negotiation is completed, that is, all preconditions are satisfied; UE2 rings to prompt the user to answer the call and simultaneously sends 180 to SBC2.
  • Step 720 SBC2 forwards the 180 message to the IMS.
  • Step 721 The IMS forwards the 180 message to SBC1.
  • Step 722 SBC1 forwards the 180 message to UE1.
  • Step 723 The called user (UE2) goes off-hook, and UE2 sends 200 OK to SBC2.
  • Step 724 SBC2 forwards the 200 OK message to the IMS.
  • Step 725 The IMS forwards the 200 OK message to SBC1.
  • Step 726 SBC1 forwards the 200 OK message to UE1.
  • Step 727 UE1 and UE2 perform an end-to-end encrypted call on the voice media channel by using the negotiated key parameters.
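As an added example (not part of the patent text), this is the precondition bookkeeping a called terminal such as UE2 would need for the flows in FIG. 6 and FIG. 7: it parses the voice m line's a=curr / a=des / a=conf attributes, carrying the "encryption" precondition type described above alongside the standard resource-reservation ("qos") type, and allows ringing only once every mandatory precondition holds. The SDP body, the m line for the dedicated negotiation channel and its "TCP/ENCNEG" proto token are constructed assumptions; the page gives no wire format for that channel.

```python
import re
# Constructed SDP as UE2 holds it after the 183 exchange and before any UPDATE:
# resources not reserved (qos), keys not negotiated (encryption). The second m
# line is the dedicated encryption-negotiation channel; "TCP/ENCNEG" is a
# placeholder proto token, since the page gives no format for that channel.
SDP_BEFORE_UPDATE = """\
m=audio 49170 RTP/AVP 0
a=curr:qos e2e none
a=des:qos mandatory e2e sendrecv
a=curr:encryption e2e none
a=des:encryption mandatory e2e sendrecv
a=conf:encryption e2e sendrecv
m=application 50000 TCP/ENCNEG *
"""
# What each RFC 3312 direction tag covers; "sendrecv" satisfies every desire.
DIRS = {"none": set(), "send": {"send"}, "recv": {"recv"}, "sendrecv": {"send", "recv"}}

def parse_media_sections(sdp):
    """Split an SDP body into m sections with their curr/des/conf attributes."""
    sections = []
    for line in sdp.splitlines():
        if line.startswith("m="):
            sections.append({"m": line[2:], "curr": {}, "des": {}, "conf": {}})
        elif sections and line.startswith(("a=curr:", "a=des:", "a=conf:")):
            kind, rest = line[2:].split(":", 1)
            f = rest.split()
            if kind == "des":  # des carries an extra strength tag
                sections[-1]["des"][(f[0], f[2])] = (f[1], f[3])
            else:
                sections[-1][kind][(f[0], f[1])] = f[2]
    return sections

def preconditions_met(section):
    """True when every mandatory desired status is covered by the current one."""
    return all(DIRS[want] <= DIRS[section["curr"].get(k, "none")]
               for k, (strength, want) in section["des"].items() if strength == "mandatory")

def confirmations_due(section):
    """Preconditions whose a=conf target is now reached, so the peer must be told."""
    return [k for k, want in section["conf"].items()
            if DIRS[want] <= DIRS[section["curr"].get(k, "none")]]

def may_ring(sdp):
    """Step 719: ring only once every precondition on the voice m line holds."""
    voice = next(s for s in parse_media_sections(sdp) if s["m"].startswith("audio"))
    return preconditions_met(voice)

def set_current(sdp, ptype, status, direction):
    """Rewrite one a=curr line, as an UPDATE or its 200 OK would carry it."""
    new = f"a=curr:{ptype} {status} {direction}"
    return re.sub(rf"^a=curr:{ptype} {status} \S+$", new, sdp, flags=re.M)
```

Reserving resources alone (step 710) leaves may_ring false; only after the encryption precondition is also marked sendrecv, mirroring the completed key negotiation, does the terminal ring and owe the peer the a=conf notification.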
  • The embodiment of the invention further provides a computer readable storage medium storing computer executable instructions for performing any of the above methods for implementing end-to-end call encryption.
  • FIG. 8 is a schematic structural diagram of a terminal for implementing end-to-end call encryption according to an embodiment of the present invention. As shown in FIG. 8, the terminal includes at least a first processing module 80 and a second processing module 81.
  • The first processing module 80 is configured to exchange digital certificates and perform key parameter negotiation in a reliable transmission mode during the establishment of the call;
  • The second processing module 81 is configured to perform an end-to-end encrypted call in the voice media channel using the negotiated key parameters.
  • The terminal of the present invention further includes a transceiver module 82 configured to: perform media negotiation by adding a dedicated encryption negotiation media line (m line) to the SDP so as to establish a first media channel; or pre-establish the first media channel, that is, the dedicated encryption negotiation media channel, as a dedicated default connection; or analyze the media packets in the media channel and retransmit lost packets, resuming normal media packet processing once the digital certificate exchange and key parameter negotiation are done;
  • The first processing module 80 is specifically configured to: during the establishment of the call, exchange digital certificates and perform key parameter negotiation in the first media channel; or complete the digital certificate exchange and key parameter negotiation by analyzing the media packets in the media channel and retransmitting lost packets.
  • The transceiver module 82 is further configured to carry the first precondition in the media line of the voice media when the session request is initiated.
  • The first precondition is: performing the exchange of the digital certificate and the key parameter negotiation in the reliable transmission mode. In this case, the terminal of the present invention further includes a ringing processing module 83 configured to initiate a ringing prompt to the answering party when the first precondition is satisfied.
  • The transceiver module 82 is further configured to carry the second precondition in the media line of the voice media when the session request is initiated, where the second precondition is: completing the resource reservation. In this case, the terminal of the present invention further includes a resource reservation module 84 configured to complete the reservation of resources.
  • The ringing processing module 83 is configured to initiate a ringing prompt to the answering party when the second precondition is met.
  • FIG. 9 is a schematic structural diagram of a network-side network element for implementing end-to-end call encryption according to an embodiment of the present invention. As shown in FIG. 9, the network element includes at least a forwarding module 90 and a media channel processing module 91.
  • The forwarding module 90 is configured to forward messages during the establishment of the call.
  • The media channel processing module 91 is configured to pre-establish a first media channel, that is, a dedicated encryption negotiation media channel, as a dedicated default connection, and to turn on the pre-established first media channel when the call establishment is completed.
  • The network-side network element may be an IMS access-side device such as an SBC.
  • The method for implementing end-to-end call encryption, the terminal, and the network-side network element include: exchanging digital certificates and performing key parameter negotiation in a reliable transmission mode during the establishment of a call; and performing the end-to-end encrypted call in the voice media channel using the negotiated key parameters.
  • The digital certificate is exchanged and the key parameters are negotiated in the reliable transmission mode, and the end-to-end encrypted call is then performed using the negotiated key parameters in the existing media channel, thus ensuring the security of VoLTE-based end-to-end calls while also ensuring national security.


Abstract

The invention relates to a method for implementing end-to-end call encryption, a terminal, and a network-side network element. The method includes: exchanging a digital certificate and negotiating key parameters in a reliable transmission mode during call establishment; and performing the end-to-end encrypted call in a voice media channel using the negotiated key parameters. An embodiment of the present invention ensures the security of a VoLTE-based end-to-end call, while also guaranteeing national security, by exchanging the digital certificate and negotiating the key parameters in the reliable transmission mode and by performing the end-to-end encrypted call in the existing voice media channel using the negotiated key parameters.
PCT/CN2016/081313, priority date 2015-09-17, filing date 2016-05-06: Method for implementing end-to-end call encryption, terminal, and network-side network element, WO2017045407A1 (fr)

Applications Claiming Priority (2)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510593385.1A, CN106549906A (zh) | 2015-09-17 | 2015-09-17 | Method for implementing end-to-end call encryption, terminal and network-side network element |
| CN201510593385.1 | 2015-09-17 | | |

Publications (1)

| Publication Number | Publication Date |
|---|---|
| WO2017045407A1 (fr) | 2017-03-23 |

Family

ID=58288112

Family Applications (1)

| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2016/081313, WO2017045407A1 (fr) | Method for implementing end-to-end call encryption, terminal, and network-side network element | 2015-09-17 | 2016-05-06 |

Country Status (2)

| Country | Link |
|---|---|
| CN (1) | CN106549906A (fr) |
| WO (1) | WO2017045407A1 (fr) |


Also Published As

| Publication Number | Publication Date |
|---|---|
| CN106549906A (zh) | 2017-03-29 |


Legal Events

| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 16845521; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 16845521; Country of ref document: EP; Kind code of ref document: A1 |