+

WO2007048301A1 - Procede de cryptage pour service mgn - Google Patents

Procede de cryptage pour service mgn Download PDF

Info

Publication number
WO2007048301A1
WO2007048301A1 PCT/CN2006/001922 CN2006001922W WO2007048301A1 WO 2007048301 A1 WO2007048301 A1 WO 2007048301A1 CN 2006001922 W CN2006001922 W CN 2006001922W WO 2007048301 A1 WO2007048301 A1 WO 2007048301A1
Authority
WO
WIPO (PCT)
Prior art keywords
encryption
negotiation
parameter
key
encryption parameter
Prior art date
Application number
PCT/CN2006/001922
Other languages
English (en)
Chinese (zh)
Inventor
Cheng Chen
Original Assignee
Huawei Technologies Co., Ltd.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co., Ltd. filed Critical Huawei Technologies Co., Ltd.
Publication of WO2007048301A1 publication Critical patent/WO2007048301A1/fr

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/56Financial cryptography, e.g. electronic payment or e-cash

Definitions

  • the present invention relates to the field of network communication technologies, and in particular, to an encryption method for an NGN service.
  • NGN Next Generation Network
  • NGN Next Generation Network
  • softswitch is The device responsible for call control
  • the media gateway is responsible for TDM-IP (Time Division Multiple Access Internet Protocol) bearer media conversion device
  • MRS Media Resource Server
  • NGN business is a packet-based network that can provide telecommunication services and utilizes multiple broadband capabilities and QoS (Quality of Service) guarantees.
  • the typical networking application is shown in Figure 1, where softswitch is The device responsible for call control; the media gateway is responsible for TDM-IP (Time Division Multiple Access Internet Protocol) bearer media conversion device; MRS (Media Resource Server) is to provide functions such as playback, number collection, multi-party conference; NGN business;
  • TDM-IP Time Division Multiple Access Internet Protocol
  • MRS Media Resource Server
  • the main media message format is:
  • IP protocol part UDP User Datagram Protocol
  • RTP Real-Time Transport Protocol
  • User service information transmitted over an IP network includes voice, video, data, and in-band signaling such as DTMF (Dual Tone Multi-Frequency). Since the IP network is more likely to be intercepted and stolen than the information on the TDM network, there is a great security risk in transmitting user service information directly on the IP network. There are two aspects to this security risk: on the one hand, the user's voice, video, and data information may be monitored; on the other hand, the user's confidential information is stolen, such as the user's telephone bank account number and password being stolen. Even a dedicated IP network, such as a network management device connected to an IP network, can steal confidential information from users.
  • DTMF Dual Tone Multi-Frequency
  • the existing technologies for encrypted transmission mainly include the following three types:
  • the first is IPSec (IP Encryption Protocol) encrypted transmission technology:
  • IPSec encryption technology is a universal encryption transmission technology on IP networks. It encrypts all the content above the IP protocol layer.
  • the encryption algorithm and key can be configured on the device or exchanged by IKE (key exchange) protocol. Key, see definition in protocols such as RFC2401;
  • This technology only encrypts user service data, and voice messages in the following formats:
  • the encryption algorithm is fixed on the NGN device; the encryption key can be dynamically allocated, and the soft exchange is passed to the encryption device when the call is established.
  • the process is as shown in FIG. 2.
  • the softswitch generates a key, and when the media resource is allocated by the H.248 protocol to control the media gateway, the encryption key is also specified.
  • the default encryption algorithm encrypts all data; then, during the call setup with the IP terminal, the IP terminal is also notified of the encryption key, generally using the SIP (Session Initiation Protocol) protocol; after the call is established, both the media gateway and the IP terminal are obtained.
  • SIP Session Initiation Protocol
  • the encryption process is controlled by softswitch.
  • Softswitch is required to understand the encryption capabilities of different media gateways and IP terminal devices, which increases the complexity of softswitches.
  • IP terminals are diverse and difficult to be completely unified.
  • the third method provided is the RTP (Real-Time Transport Protocol) encryption method defined by RFC3711.
  • SRTP is an end-to-end encryption and authentication method for voice services carried by RTP. It uses the AES (Advanced Data Encryption Algorithm) encryption algorithm to encrypt the message content and supports authentication at the RTP protocol layer.
  • AES Advanced Data Encryption Algorithm
  • the shortcomings of the prior art 3 are basically the same as those of the prior art 2.
  • the fixed encryption algorithm requires that all the systems support the decryption algorithm to be used; each message is encrypted, the amount of encryption is large, and the efficiency is affected.
  • the object of the present invention is to provide an encryption method for an NGN service.
  • the two parties encrypt the encryption parameters end-to-end on the IP bearer network, and encrypt the media stream by using encryption parameters supported by both ends. Transmission improves the security of network transmission.
  • An encryption method for an NGN service including:
  • the encryption parameters are negotiated end-to-end between IP devices, and the parts of the media stream that need to be encrypted are encrypted and transmitted according to the encryption parameters confirmed by negotiation.
  • the encryption method specifically includes:
  • the calling party initiates encryption parameter negotiation
  • the called party After receiving the above negotiation, the called party selects the encryption parameter supported by the local end and returns to the calling party;
  • the calling party confirms the encryption parameter selected by the called party, and the encryption negotiation is successful, and the specific part of the media stream is encrypted and transmitted by using the negotiated encryption parameter.
  • the step A further includes: before initiating the encryption parameter negotiation:
  • the calling party configures or uses the key exchange protocol.
  • IKE sets the key a used to encrypt the key information in the signaling during the encryption negotiation process and the encryption algorithm a of the key a.
  • the step A further includes:
  • the calling party allocates IP resources for the calling service and reserves the encrypted resources.
  • the step A further includes: the softswitch receives the encrypted parameter negotiation message of the calling party, and transparently transmits the message to the called party, and the softswitch does not participate in the negotiation process.
  • the encryption parameter in the negotiation of the encryption parameter initiated by the calling party in the step A is a plurality of encryption parameter sequences that can be selected by the called party.
  • the encryption parameters include: acknowledgment encryption, acknowledgment not encryption, encryption algorithm, key, and/or encryption object.
  • the encryption method further includes:
  • the encryption method further includes:
  • the present invention can flexibly negotiate whether to support the encryption function, the encryption algorithm, the key, and the encryption object between the media devices using the IP bearer by supporting the end-to-end negotiation function of the encryption parameters.
  • Control parameters such as encryption parameters and softswitches do not need to control this negotiation process, which increases the flexibility of encrypted transmission and improves the service security of the IP network.
  • FIG. 1 is a schematic diagram of networking of a prior art NGN network
  • FIG. 2 is a flow chart showing another operation of an encryption method in the prior art
  • Figure 3 is a flow chart showing the operation of the method of the present invention.
  • the core idea of the present invention is to provide an NGN service encryption method, which encrypts the end-to-end negotiation of the IP bearer network, whether encryption, encryption algorithm, key and encrypted object, and increases the reliability and flexibility of encryption.
  • the present invention provides an NGN service encryption method, which is described by taking a media gateway and an IP terminal as an example.
  • the method is applicable to communication between devices in the NGN and IMS domains that carry IP media over the IP interface.
  • the operation flow of the method is as shown in FIG. 3, and specifically includes the following steps: Step 10: The encryption algorithm a and the key a of the configuration key are used to encrypt the encryption key in the call negotiation process. '
  • IKE key exchange protocol negotiation key a.
  • the key a is used to encrypt the key b information in the signaling during the encryption negotiation process. If the key and the encryption algorithm in the negotiation process are stolen, the encryption of the media stream may be cracked.
  • Step 11 Start the call.
  • the softswitch receives the call, it notifies the media gateway to allocate the IP resource.
  • the media gateway initiates the negotiation of the encryption parameter in the response message.
  • the softswitch and the media gateway generally use the H.248/MGCP (Media Gateway Control Protocol) protocol to communicate.
  • the softswitch and the IP terminal generally use the SIP/H.323 protocol to communicate.
  • the following uses the commonly used H.248 and SIP protocols as an example. The call setup process using these protocols follows the standard protocol.
  • the softswitch uses the H.248 protocol to notify the media gateway to allocate IP resources, that is, assign an IP address and port number for receiving and transmitting the media stream, and the softswitch also needs to notify the media gateway to reserve the encrypted resource.
  • the media gateway After receiving the message sent by the softswitch, the media gateway reserves the ciphering resource, sends the acknowledgment message, and initiates the ciphering parameter negotiation, which can be implemented by carrying the ciphering parameter in the SDP (Session Description Protocol) of the acknowledgment message, in the SDP protocol.
  • the encryption parameters carried include: an encryption calculation b, a key b, and an encryption object, and the media gateway can provide a plurality of the encryption parameter sequences selectable by the other party.
  • the encryption algorithm may be an encryption algorithm such as RSA (Public Key Algorithm), DES (Data Encryption Standard Algorithm), AES (Advanced Data Encryption Algorithm), RC4, or the like.
  • RSA Public Key Algorithm
  • DES Data Encryption Standard Algorithm
  • AES Advanced Data Encryption Algorithm
  • the key b is generated in accordance with the requirements of the encryption algorithm.
  • the encryption object refers to which part of the media stream is encrypted, and may be: an encrypted 2833 message, an encrypted T38 fax data, an encrypted Modem data, an encrypted G.711 A voice code, etc., and the encrypted object may be pressed by PT. (Load type) to distinguish, the PT is a parameter that distinguishes different message types in the media stream, and different encryption objects can be identified by PT.
  • the key b, the field is encrypted and encrypted according to the encryption algorithm a and the key a configured in step 10.
  • the encryption algorithm a and the encryption algorithm b may be different algorithms, and the key a and the key b should be different.
  • the call initiated by the media gateway side is the same as the call initiated by the IP terminal.
  • the SDP of the request message carries the encryption parameter and initiates the negotiation.
  • the process is the same as the negotiation process initiated by the media gateway.
  • Step 12 After receiving the encryption parameter negotiation message of the media gateway, the softswitch transparently transmits the negotiated encryption parameter to the IP terminal.
  • the softswitch is only a transparent transmission parameter and does not participate in negotiation.
  • the negotiation process is performed end-to-end between the media gateway and the IP terminal.
  • the media gateway uses the H.248 protocol.
  • the softswitch only needs to send the SDP in the H.248 protocol message to the IP terminal through the SIP protocol.
  • Step 13 After receiving the negotiation request message, the IP terminal selects the encryption parameter supported by the device in the encryption parameter carried in the SDP, and returns the selected encryption parameter to the softswitch in the response message through the SIP protocol.
  • the IP terminal selects the encryption parameter used for the current call from the request SDP according to the encryption algorithm and encryption capability supported by the device. If no encryption is used, no encryption parameter is returned. .
  • the encryption parameters selected by the IP terminal include: Encryption algorithm! ), key c, encrypted object.
  • the key c and the key b may be different, and the key c herein refers to the decryption key.
  • the key c is different from the key b, indicating that the upstream and downstream media streams of the call use different keys.
  • Step 14 After receiving the response message from the IP terminal, the softswitch notifies the media gateway of the negotiation result.
  • the softswitch confirms the negotiated encryption parameter through the Modify message of the H.248 protocol. If the media gateway accepts the negotiation result, the negotiation succeeds and sends an acknowledgement message to the softswitch. If the negotiation result is not accepted, the negotiation is unsuccessful. User service requirements, you can suspend the service or not encrypt the call.
  • Step 15 During the call progress, the specific part of the media stream is encrypted and decrypted according to the negotiated encryption parameters.
  • Step 16 During the call progress, either party can modify the encryption parameters as needed.
  • the encryption parameter negotiation process may be re-initiated.
  • the IP terminal to initiate the renegotiation as an example, if the IP terminal requests to change the encryption parameter, the cryptographic parameter negotiation request is sent to the softswitch through the SIP protocol, and the softswitch then sends the cryptographic parameter negotiation request to the media gateway through the H.248 protocol.
  • the media gateway selects the encryption parameter supported by the local end in the received encryption parameter, modifies the current encryption parameter, returns the modified encryption parameter to the softswitch, and finally sends it to the IP terminal, and the re-negotiation is completed.
  • the media gateway does not accept the encryption parameters provided by the IP terminal during the renegotiation process, the original encryption parameters are retained.
  • the softswitch is notified by the H.248 Notify message, which is the same as the renegotiation process initiated by the IP terminal.
  • the present invention can flexibly negotiate whether to support encryption functions, encryption algorithms, encryption parameters such as encryption keys, encryption keys, etc., softswitch, etc., by supporting end-to-end negotiation functions of encryption parameters.
  • the control device does not need to control this negotiation process, which increases the flexibility of the encrypted transmission and improves the service security of the IP network.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Telephonic Communication Services (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Procédé de cryptage pour service MGN de la technologie de communication réseau. Les deux parties bout à bout négocient le paramètre de cryptage sur le réseau porteur, cryptent la transmission pour la partie spécifique du flux média de transfert selon le paramètre de cryptage négocié. L'invention est avantageuse pour l'interconnexion compatible entre différents dispositifs et pour le commerce à grande échelle. Grâce à la fonction de négociation bout à bout prenant en charge le paramètre de cryptage, l'invention permet de négocier avec souplesse les paramètres de prise en charge de la fonction de négociation, de l'algorithme de négociation, de la clé de cryptage et de l'objet de cryptage et analogue entre les dispositifs média au moyen de IP, des dispositifs de contrôle de commutation douce et analogue sans avoir à contrôler les négociations, d'où une augmentation de l'adaptabilité de la transmission de cryptage et l'amélioration de la sécurité du service du réseau IP.
PCT/CN2006/001922 2005-10-24 2006-08-01 Procede de cryptage pour service mgn WO2007048301A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN 200510114400 CN1956443A (zh) 2005-10-24 2005-10-24 一种ngn业务的加密方法
CN200510114400.6 2005-10-24

Publications (1)

Publication Number Publication Date
WO2007048301A1 true WO2007048301A1 (fr) 2007-05-03

Family

ID=37967398

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2006/001922 WO2007048301A1 (fr) 2005-10-24 2006-08-01 Procede de cryptage pour service mgn

Country Status (2)

Country Link
CN (1) CN1956443A (fr)
WO (1) WO2007048301A1 (fr)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101494538B (zh) * 2008-01-23 2014-04-02 华为技术有限公司 一种数据传输控制方法及通讯系统以及加密控制网元
CN101247218B (zh) * 2008-01-23 2012-06-06 中兴通讯股份有限公司 用于实现媒体流安全的安全参数协商方法和装置
CN101222503A (zh) * 2008-01-25 2008-07-16 中兴通讯股份有限公司 用于实现媒体流安全的安全参数产生方法和装置
CN101800734B (zh) * 2009-02-09 2013-10-09 华为技术有限公司 一种会话信息交互方法、装置及系统
CN101882995B (zh) * 2009-05-06 2013-08-07 中兴通讯股份有限公司 数据发送、接收和传输方法及装置
CN102036232B (zh) * 2010-12-17 2015-12-09 中兴通讯股份有限公司 一种基站数据发送、接收方法及装置
CN104038930B (zh) * 2013-03-04 2017-10-10 北京信威通信技术股份有限公司 一种端到中心ip数据分组加密的方法
CN108696512B (zh) * 2018-04-24 2021-02-02 苏州科达科技股份有限公司 跨协议的码流加密协商方法、装置及会议设备

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1479480A (zh) * 2002-08-26 2004-03-03 华为技术有限公司 一种协商加密算法的方法
CN1564514A (zh) * 2004-03-26 2005-01-12 中兴通讯股份有限公司 无线局域网自组网模式共享密钥认证和会话密钥协商方法
CN1564509A (zh) * 2004-03-23 2005-01-12 中兴通讯股份有限公司 一种无线局域网中密钥协商方法
CN1658552A (zh) * 2004-02-17 2005-08-24 华为技术有限公司 媒体流安全传输的实现方法
US20050198490A1 (en) * 2004-03-02 2005-09-08 Microsoft Corporation Dynamic negotiation of encryption protocols
CN1681239A (zh) * 2004-04-08 2005-10-12 华为技术有限公司 在无线局域网系统中支持多种安全机制的方法

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1479480A (zh) * 2002-08-26 2004-03-03 华为技术有限公司 一种协商加密算法的方法
CN1658552A (zh) * 2004-02-17 2005-08-24 华为技术有限公司 媒体流安全传输的实现方法
US20050198490A1 (en) * 2004-03-02 2005-09-08 Microsoft Corporation Dynamic negotiation of encryption protocols
CN1564509A (zh) * 2004-03-23 2005-01-12 中兴通讯股份有限公司 一种无线局域网中密钥协商方法
CN1564514A (zh) * 2004-03-26 2005-01-12 中兴通讯股份有限公司 无线局域网自组网模式共享密钥认证和会话密钥协商方法
CN1681239A (zh) * 2004-04-08 2005-10-12 华为技术有限公司 在无线局域网系统中支持多种安全机制的方法

Also Published As

Publication number Publication date
CN1956443A (zh) 2007-05-02

Similar Documents

Publication Publication Date Title
US9537837B2 (en) Method for ensuring media stream security in IP multimedia sub-system
KR100862050B1 (ko) VoIP 보안 통신을 제공하는 사용자 에이전트 및 이를이용한 보안 통신 제공 방법
US7986773B2 (en) Interactive voice response system security
WO2009021441A1 (fr) Procédé d'émission et de réception, appareil et système pour la politique de sécurité de la session en multidiffusion
CN101268644A (zh) 用于通过广域网传输加密媒体流的方法和装置
WO2007048301A1 (fr) Procede de cryptage pour service mgn
KR101297936B1 (ko) 단말기 간의 보안 통신 방법 및 그 장치
JP2009526454A (ja) メディアサーバと加入者機器との間においてメディアデータを暗号化して伝送するための方法、装置および/またはコンピュータプログラム製品
WO2008040213A1 (fr) Procédé, système et dispositif de chiffrement et de signature de messages dans un système de communication
CN100459620C (zh) 用于加密电话通话的安全模块
CN100571133C (zh) 媒体流安全传输的实现方法
WO2017215443A1 (fr) Système, appareil et procédé de transmission de message
US8181013B2 (en) Method, media gateway and system for transmitting content in call established via media gateway control protocol
CN107395552A (zh) 一种数据传输方法及装置
WO2007093079A1 (fr) Procédé de mise en oeuvre d'une politique de sécurité en matière de négociation-clé dans un réseau interdomaine de commutation de paquets à plusieurs garde-portes
WO2011131051A1 (fr) Procédé et dispositif pour la négociation de communication de sécurité
WO2008083607A1 (fr) Procédé et système pour transférer de manière sûre un flux multimédia
CN114900500B (zh) 呼叫控制方法、应用服务器、通信系统以及存储介质
WO2009094813A1 (fr) Procédé et appareil de négociation de paramètres de sécurité pour sécuriser le flux multimédia
CN1881869B (zh) 一种实现加密通信的方法
WO2005104423A1 (fr) Procede de communication secrete entre deux points limites
CN1972278A (zh) 一种实现安全的远程视频监控的方法
CN100583733C (zh) 实现媒体流安全的方法及通信系统
KR101094631B1 (ko) 비디오뱅킹 서비스 시스템 및 그 방법
WO2009094814A1 (fr) Procédé de génération de paramètres de sécurité pour sécuriser un flux multimédia et appareil associé

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 06761613

Country of ref document: EP

Kind code of ref document: A1

点击 这是indexloc提供的php浏览器服务,不要输入任何密码和下载