CN102185827B - Firewall-penetrating method of voice in VOIP (Voice Over Internet Protocol) system - Google Patents
- Publication number: CN102185827B (application CN201110032227.0A)
- Authority: CN (China)
- Prior art keywords: encryption, message, terminal, voice, call
- Legal status: Expired - Fee Related (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Landscapes
- Telephonic Communication Services (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a method for voice penetration through a firewall in a VOIP system and belongs to the technical field of network communication. The IP terminal decides through its configuration interface whether to enable the encryption negotiation mechanism. When the mechanism is in effect, the IP terminal connects to the VOIP server to obtain the encryption key through the encryption mechanism and uses that mechanism to encrypt the signaling packets it sends. The terminal receiving a message uses the encryption negotiation mechanism to identify whether the received message is encrypted, decrypts encrypted messages with the encryption mechanism, and encrypts its own outgoing messages before sending them. This method keeps voice communication working when the bearer network contains voice firewall settings that the user cannot control.
Description
Technical field
The invention relates to a method for voice penetration through a firewall in a VOIP system and belongs to the technical field of network communication. In particular, it addresses abnormal voice communication caused by uncontrollable voice firewall settings in the bearer network of a VOIP communication system.
Background
One of the main features of VOIP communication technology is the separation of control and bearer. (VoIP is the abbreviation of Voice over Internet Protocol: analog voice signals are compressed and packetized, then carried as data packets over an IP network. It is commonly known as Internet telephony, network telephony, or IP telephony.) As a result, most real VOIP deployments use the user's existing network resources as the bearer network of the VOIP system. VOIP users who need remote interconnection of VOIP phones often achieve it by leasing another network operator's network. The network environment of an operator is generally complex, however. For example, some operators place firewalls at the access points of their networks, for security and stability or for other purposes, to restrict applications that consume a lot of bandwidth or the data flows of certain specific network applications. For VOIP applications, a very small number of network operators deploy voice firewalls in their networks to restrict VOIP data transmission (see Figure 1).
Common voice firewalls work on the following principles:
1. By analyzing the SIP signaling session of the VOIP communication, the firewall obtains the network addresses that the two parties will use during the call. It then discards, tampers with, or forges the packets sent from or to these addresses, so that communication cannot proceed normally (as shown in Figure 2).
2. By analyzing packets and matching the characteristics of voice packets, the firewall determines the network addresses of the two parties in the voice communication. It then discards, tampers with, or forges the packets sent from these addresses, so that communication cannot proceed normally (as shown in Figure 3).
Summary of the invention
In view of the prior art, the invention provides a method for voice penetration through a firewall in a VOIP system, so that an existing voice firewall cannot determine the network addresses of the terminals participating in voice communication by analyzing the characteristics of VOIP signaling or VOIP voice packets. The voice firewall is thereby unable to work normally, and voice communication proceeds normally.
To achieve this purpose, the invention adopts the following method:
A method for voice penetration through a firewall in a VOIP system, in which the IP terminal decides through its configuration interface whether to enable the encryption negotiation mechanism. When the mechanism is in effect, the IP terminal connects to the VOIP server to obtain the encryption key through the encryption mechanism and uses that mechanism to encrypt the signaling packets it sends. The terminal receiving a message uses the encryption negotiation mechanism to identify whether the received message is encrypted. If it is, the terminal decrypts it with the encryption mechanism and, correspondingly, encrypts the messages it sends with the same mechanism before sending them.
The encryption negotiation mechanism follows these rules:
(a) The terminal that initiates a call decides, according to its encryption configuration, whether the call uses the encryption mechanism. If the terminal is configured as encrypted, the call uses the encryption mechanism; otherwise it does not;
(b) The terminal that accepts a call determines from the encryption flag of the received call request message whether the rest of the call needs encryption. If the received call request message carries the encryption flag, the call uses the encryption mechanism; otherwise it does not;
(c) When the terminal that initiates or accepts the call decides to use the encryption mechanism, the SDP of the SIP signaling it sends carries the encryption flag attribute a=x-encrypt:on; otherwise it carries the attribute a=x-encrypt;
(d) When the SDP of the SIP signaling received by the terminal that initiates or accepts the call carries the encryption flag attribute a=x-encrypt:on, the terminal determines that the voice of this call uses the encryption mechanism; otherwise the encryption mechanism is not used.
The encryption mechanism comprises the signaling encryption/decryption process, the voice encryption/decryption process, and the key acquisition mechanism.
The encryption side of the signaling encryption/decryption process is:
Step 1: The terminal obtains the encryption key through the key acquisition mechanism. It processes the SIP message to be sent byte by byte, in message order, applying the encryption algorithm Dm=Do XOR De to each byte, with one key for bytes in odd positions and a different key for bytes in even positions. Here Dm is the ciphertext byte, Do is the plaintext byte, and De is the key byte;
Step 2: A header is prepended to the SIP message produced by step 1, so that the message consists, in byte order, of three parts: the encryption flag, the ciphertext length, and the ciphertext;
The encryption flag is two bytes and indicates that the message is encrypted. It is a fixed value: the first byte is hexadecimal EF and the second byte is hexadecimal FE;
The ciphertext length is two bytes and gives the length of the ciphertext;
The ciphertext is the SIP message after processing by the encryption algorithm.
The decryption side of the signaling encryption/decryption process is:
The terminal obtains the decryption key through the key acquisition mechanism. For a received SIP message, it determines the ciphertext length from the third and fourth bytes of the header and removes the four header bytes to obtain the complete ciphertext. It then processes the ciphertext byte by byte, in order, using one decryption key for bytes in odd positions and a different key for bytes in even positions, applying the decryption algorithm Do=Dm XOR De, where Do is the plaintext byte, Dm is the ciphertext byte, and De is the key byte.
The encryption side of the voice encryption/decryption process is:
The terminal uses a random number generation algorithm to generate a random number within 0-10 as the padding length, in bytes, of the encrypted message;
The terminal uses a random number generation algorithm to generate random numbers within 0-255 as the padding bytes of the encrypted message, generating all padding bytes in turn according to the padding length;
The resulting encrypted message consists of two parts: the encrypted message header and the voice data encapsulated in RTP format;
The encrypted message header consists, in byte order, of three parts: the encryption flag, the padding data length, and the padding data;
The encryption flag is two bytes with a fixed value: the first byte is hexadecimal EE and the second byte is hexadecimal FF;
The padding data length is one byte whose content is a random value, any natural number in the range 0-10;
The length of the padding data is defined by the padding data length byte; each byte of the padding data is a random value, any natural number in the range 0-255;
The voice data encapsulated in RTP format is the normal voice message of VOIP communication.
The decryption side of the voice encryption/decryption process is:
For a received encrypted voice message, the terminal determines the number of random bytes in the header from the third byte of the header, removes the header bytes, and obtains the voice data encapsulated in RTP format. Decryption is then complete.
The key acquisition mechanism is:
The VOIP key consists of two bytes, each any natural number in the range 0-255. The first byte is the odd key odd_key, used to encrypt the odd-numbered bytes of SIP signaling plaintext or to decrypt the odd-numbered bytes of SIP signaling ciphertext. The second byte is the even key even_key, used to encrypt the even-numbered bytes of SIP signaling plaintext or to decrypt the even-numbered bytes of SIP signaling ciphertext;
These two bytes are stored as decimal text in the key configuration file of the VOIP server, and the configuration management software of the VOIP server provides a user interface for modifying the key. The IP terminal can obtain the two-byte key from the VOIP configuration management software through a private protocol of the VOIP system.
The content of the key configuration file is the odd key odd_key=170 and the even key even_key=85.
The private protocol consists of a request message and a response message. The request message is generated by an IP terminal that implements the encryption function and is sent to the management software of the VOIP server. The response message is generated by the management software of the VOIP server after it receives the request; it contains the key information and is sent to the requester.
In the private protocol, the request message sent by the IP terminal to the VOIP configuration management software is getkey\r\n; the response message sent by the VOIP configuration management software to the IP terminal is okodd_key=170,even_key=85\r\n.
The terminal that initiates a call implements the encryption mechanism in the following steps:
(1) The user configures the terminal for encrypted communication through the configuration interface on the IP terminal;
(2) The user enters the called terminal's number on the terminal and initiates the call;
(3) The IP terminal checks whether it is configured for encrypted communication. If so, it obtains the key through the key acquisition mechanism and goes to step 4; otherwise it goes to step 5;
(4) The terminal generates the SIP message that initiates the call, inserts the a=x-encrypt:on attribute into the SDP attributes of the message, performs the signaling encryption process on the SIP message, and goes to step 6;
(5) The terminal generates the SIP message that initiates the call and inserts the a=x-encrypt attribute into the SDP attributes of the message; it then goes to step 6;
(6) The terminal sends the processed signaling message to the called terminal;
(7) The terminal receives the encrypted call response message from the called terminal and performs the signaling decryption process;
(8) The terminal checks whether the SDP of the call response message contains the a=x-encrypt:on attribute. If it does, the voice of this call needs to be encrypted; otherwise it does not;
(9) The call is established. According to the decision in step 8, the voice encryption/decryption process is or is not applied to the voice, and sending and receiving of voice begins.
The terminal that receives a call implements the encryption mechanism in the following steps:
(1) The IP terminal receives the SIP call request message;
(2) The terminal checks whether the received SIP message carries the encryption flag. If so, it obtains the key through the key acquisition mechanism and decrypts the message; otherwise it performs the normal SIP call process and this procedure ends;
(3) The terminal checks whether the SDP of the received SIP message contains the a=x-encrypt:on attribute. If it does, the voice of this call needs to be encrypted and the terminal goes to step 4; otherwise the voice does not need to be encrypted and the terminal goes to step 5;
(4) The terminal generates the SIP message that answers the call, inserts the a=x-encrypt:on attribute into the SDP attributes of the message, performs the signaling encryption process, and goes to step 6;
(5) The terminal generates the SIP message that answers the call, inserts the a=x-encrypt attribute into the SDP attributes of the message, and goes to step 6;
(6) The terminal sends the processed signaling message to the calling terminal;
(7) The call is established. According to the decision in step 3, the voice encryption/decryption process is or is not applied to the voice, and sending and receiving of voice begins.
With the method of the invention, the IP terminal enables the encryption negotiation mechanism through its configuration interface. When the mechanism is in effect, the IP terminal connects to the VOIP server to obtain the encryption key through the encryption mechanism and uses that mechanism to encrypt the signaling packets it sends. The terminal receiving a message uses the encryption negotiation mechanism to identify whether the received message is encrypted; if it is, the terminal decrypts it with the encryption mechanism and, correspondingly, encrypts the messages it sends with the same mechanism before sending them. As a result, an existing voice firewall cannot determine the network addresses of the terminals participating in voice communication by analyzing the characteristics of signaling or voice packets, so the voice firewall cannot work normally and voice communication proceeds normally.
Description of drawings
Figure 1 is a schematic diagram of a network structure in which a voice firewall is deployed in the prior art;
Figure 2 is a schematic diagram of how a prior-art voice firewall intercepts voice packets based on signaling;
Figure 3 is a schematic diagram of how a prior-art voice firewall intercepts voice packets based on voice packet characteristics;
Figure 4 is a flow chart of the encryption mechanism as implemented by the terminal that initiates a call;
Figure 5 is a flow chart of the encryption mechanism as implemented by the terminal that accepts a call.
Detailed description
In prior-art IP telephony systems, VOIP call signaling is described using SDP (Session Description Protocol, an application-layer control protocol for describing multimedia sessions). An SDP description consists of many text lines. Each text line has the format <type>=<value>[CRLF], where <type> is a single letter and <value> is a structured text string whose format depends on <type>.
In SDP, the <type> used to describe terminal media capability attributes is usually the letter a, so the general form of an SDP text line describing a terminal media capability attribute is:
a=attribute or a=attribute:value
Here attribute is the media capability attribute, expressed as a text string, and value is its value. The attribute name can be chosen according to the user's needs. In other words, which attribute name is used does not matter as long as it is easy to distinguish; what matters is how its value is set and evaluated.
The invention is a method for voice penetration through a firewall in a VOIP system, in which the IP terminal decides through its configuration interface whether to enable the encryption negotiation mechanism. When the mechanism is in effect, the IP terminal connects to the VOIP server to obtain the encryption key through the encryption mechanism and uses that mechanism to encrypt the signaling packets it sends. The terminal receiving a message uses the encryption negotiation mechanism to identify whether the received message is encrypted. If it is, the terminal decrypts it with the encryption mechanism and, correspondingly, encrypts the messages it sends with the same mechanism before sending them.
The encryption negotiation mechanism follows these rules:
(a) The terminal that initiates a call decides, according to its encryption configuration, whether the call uses the encryption mechanism. If the terminal is configured as encrypted, the call uses the encryption mechanism; otherwise it does not;
(b) The terminal that accepts a call determines from the encryption flag of the received call request message whether the rest of the call needs encryption. If the received call request message carries the encryption flag, the call uses the encryption mechanism; otherwise it does not;
(c) When the terminal that initiates or accepts the call determines that the call needs encryption and uses the encryption mechanism, the SDP (the message describing the local media attributes) of the SIP signaling (a kind of VOIP call signaling) it sends carries the encryption flag attribute "a=x-encrypt:on"; otherwise it carries the attribute "a=x-encrypt";
(d) When the SDP of the SIP signaling received by the terminal that initiates or accepts the call carries the encryption flag attribute "a=x-encrypt:on", the terminal determines that the voice of this call uses the encryption mechanism and needs to be encrypted; otherwise the encryption mechanism is not used.
When the terminal determines that the call needs encryption, it uses the encryption mechanism. The encryption mechanism comprises the signaling encryption/decryption process, the voice encryption/decryption process, and the key acquisition mechanism.
Signaling encryption/decryption process:
For the SIP messages of an encrypted call, the terminal that sends a message performs the encryption process and the terminal that receives it performs the decryption process.
(1) Encryption process:
1. The terminal obtains the encryption key through the "key acquisition mechanism". It processes the SIP message to be sent byte by byte, in message order, using the same encryption algorithm with different keys for bytes in odd positions and bytes in even positions:
Dm=Do XOR De (Dm: ciphertext byte, Do: plaintext byte, De: key byte)
The VOIP key consists of two bytes, each any natural number in the range 0-255. The first byte is the odd key odd_key, used to encrypt the odd-numbered bytes of SIP signaling plaintext or to decrypt the odd-numbered bytes of SIP signaling ciphertext. The second byte is the even key even_key, used to encrypt the even-numbered bytes of SIP signaling plaintext or to decrypt the even-numbered bytes of SIP signaling ciphertext. These two bytes are stored as decimal text in the key configuration file of the VOIP server, and the configuration management software of the VOIP server can provide a user interface for modifying the key. The IP terminal can obtain the two-byte key from the VOIP configuration management software through a private protocol of the VOIP system. For example, the content of the key configuration file in the VOIP system can be defined as follows:
odd_key=170
even_key=85
The protocol between the IP terminal and the VOIP configuration management software can be defined as text lines, as follows:
①. Request message (sent by the IP terminal to the VOIP configuration management software): getkey\r\n;
②. Response message (sent by the VOIP configuration management software to the IP terminal): ok odd_key=170,even_key=85\r\n;
2. A header is prepended to the SIP message produced by step 1. The resulting encrypted message has the following structure:
Encryption flag: two bytes, indicating that the message is encrypted; a fixed value, with the first byte EF (hexadecimal) and the second byte FE (hexadecimal);
Ciphertext length: two bytes, giving the length of the ciphertext;
Ciphertext: the SIP message after processing by the encryption algorithm.
(2) Decryption process:
The terminal obtains the encryption key through the "key acquisition mechanism". For a received SIP message, it determines the ciphertext length from bytes 3 and 4 of the header and removes the four header bytes to obtain the complete ciphertext. It then processes the ciphertext byte by byte, in order, using the same decryption algorithm with different keys for bytes in odd positions and bytes in even positions:
Do=Dm XOR De (Do: plaintext byte, Dm: ciphertext byte, De: key byte)
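An added Python example (not code from the patent) of the signaling framing and the key reply described above; it also shows that, with a two-byte repeating XOR key, the known start of a SIP request is enough to derive both key bytes, so the scheme hides signaling from pattern matching but gives no confidentiality. Assumptions not fixed by the text: byte positions are counted from 1 (the first byte is "odd"), the two-byte length is big-endian, and the sample INVITE is constructed.

```python
import struct
from typing import Optional, Tuple

SIG_MARK = b"\xEF\xFE"  # signaling encryption flag bytes given in the text


def parse_key_reply(line: str) -> Tuple[int, int]:
    """Parse the reply 'ok odd_key=170,even_key=85\\r\\n' into (odd, even)."""
    status, _, rest = line.strip().partition(" ")
    if status != "ok":
        raise ValueError("unexpected reply status: %r" % status)
    fields = dict(kv.split("=", 1) for kv in rest.split(","))
    odd, even = int(fields["odd_key"]), int(fields["even_key"])
    if not (0 <= odd <= 255 and 0 <= even <= 255):
        raise ValueError("key bytes must be in 0-255")
    return odd, even


def xor_odd_even(data: bytes, odd_key: int, even_key: int) -> bytes:
    """Dm = Do XOR De per byte. XOR is its own inverse, so this also decrypts.

    Assumption: positions count from 1, so data[0] uses odd_key.
    """
    return bytes(b ^ (odd_key if i % 2 == 0 else even_key)
                 for i, b in enumerate(data))


def wrap_signaling(sip: bytes, odd_key: int, even_key: int) -> bytes:
    """Build flag (EF FE) + 2-byte ciphertext length + ciphertext."""
    body = xor_odd_even(sip, odd_key, even_key)
    if len(body) > 0xFFFF:
        raise ValueError("message does not fit a two-byte length field")
    # Assumption: big-endian length; the text only says "two bytes".
    return SIG_MARK + struct.pack("!H", len(body)) + body


def unwrap_signaling(frame: bytes, odd_key: int, even_key: int) -> Optional[bytes]:
    """Return the plaintext, or None when the frame carries no flag."""
    if len(frame) < 4 or frame[:2] != SIG_MARK:
        return None  # treated as ordinary, unencrypted SIP
    (length,) = struct.unpack("!H", frame[2:4])
    if len(frame) - 4 < length:
        raise ValueError("truncated frame")
    return xor_odd_even(frame[4:4 + length], odd_key, even_key)


def recover_keys(frame: bytes, known_prefix: bytes = b"INVITE") -> Optional[Tuple[int, int]]:
    """Derive both key bytes from a flagged frame and a known start line.

    Two bytes of known plaintext fix the key; the rest of the prefix
    is used only to confirm the guess.
    """
    body = frame[4:]
    if frame[:2] != SIG_MARK or len(body) < len(known_prefix) or len(known_prefix) < 2:
        return None
    odd, even = body[0] ^ known_prefix[0], body[1] ^ known_prefix[1]
    if xor_odd_even(body[:len(known_prefix)], odd, even) != known_prefix:
        return None
    return odd, even


# Constructed sample request (not taken from the patent).
SAMPLE_INVITE = (
    b"INVITE sip:1002@example.invalid SIP/2.0\r\n"
    b"Content-Type: application/sdp\r\n\r\n"
    b"v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 40000 RTP/AVP 0\r\n"
    b"a=x-encrypt:on\r\n"
)

if __name__ == "__main__":
    odd, even = parse_key_reply("ok odd_key=170,even_key=85\r\n")
    frame = wrap_signaling(SAMPLE_INVITE, odd, even)
    print("header:", frame[:4].hex())
    print("keys recovered without the server:", recover_keys(frame))
```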
Voice encryption/decryption process:
This process applies to the voice messages in an encrypted communication: the terminal sending a message performs the encryption process, and the terminal receiving it performs the decryption process.
(1) Encryption process:
The terminal uses the "random number generation algorithm" to generate a random natural number in the range 0-10 as the padding byte length of the encrypted message;
The terminal uses the "random number generation algorithm" to generate random natural numbers in the range 0-255 as the padding bytes of the encrypted message, generating all padding bytes in turn according to the padding byte length;
The encrypted message is assembled with the following structure:
Encryption mark: two bytes with fixed content; the first byte is EE (hexadecimal) and the second byte is FF (hexadecimal);
Padding data length: one byte whose content is a random value, any natural number in the range 0-10 (including 0 and 10);
Padding data: its length is defined by the "padding data length" field; the content of each byte is a random value, any natural number in the range 0-255 (including 0 and 10);
RTP-encapsulated voice data: the normal voice message of VOIP communication. RTP is the abbreviation of Real-time Transport Protocol, a network transport protocol commonly used for transmitting audio and video.
(2) Decryption process:
For a received encrypted voice message, the terminal determines the length of the random bytes in the header from the third byte of the message header, removes the header bytes, and obtains the RTP-encapsulated voice data; decryption is then complete.
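The voice framing described above, as an added example that is not part of the patent text: the sender-side wrapper, the receiver-side strip, and a classifier that labels a UDP payload as plain RTP or as RTP behind the EE FF header. The function names, the constructed sample packet and the minimal RTP check (12-byte fixed header, version 2, per RFC 3550) are assumptions of this example.

```python
import secrets
import struct

MARKER = b"\xEE\xFF"  # fixed two-byte encryption mark given in the text
MAX_PAD = 10          # "padding data length" is 0-10 inclusive

# Constructed sample: 12-byte RTP header (version 2, PT 0) + 160 payload bytes.
SAMPLE_RTP = struct.pack("!BBHII", 0x80, 0, 1, 160, 0x1234ABCD) + bytes(160)

def wrap_voice(rtp, pad_len=None):
    """Sender: mark + padding length + random padding + unmodified RTP."""
    if pad_len is None:
        pad_len = secrets.randbelow(MAX_PAD + 1)
    if not 0 <= pad_len <= MAX_PAD:
        raise ValueError("padding length must be 0-10")
    return MARKER + bytes([pad_len]) + secrets.token_bytes(pad_len) + rtp

def unwrap_voice(pkt):
    """Receiver: read byte 3 as the padding length, strip the header."""
    if len(pkt) < 3 or pkt[:2] != MARKER:
        raise ValueError("missing EE FF encryption mark")
    pad_len = pkt[2]
    if pad_len > MAX_PAD or len(pkt) < 3 + pad_len:
        raise ValueError("invalid padding length")
    return pkt[3 + pad_len:]

def looks_like_rtp(buf):
    """Assumed minimal check: 12-byte fixed header and version field == 2."""
    return len(buf) >= 12 and buf[0] >> 6 == 2

def classify(pkt):
    """Label one UDP payload as 'rtp', 'wrapped-rtp' or 'other'."""
    if looks_like_rtp(pkt):
        return "rtp"
    try:
        inner = unwrap_voice(pkt)
    except ValueError:
        return "other"
    return "wrapped-rtp" if looks_like_rtp(inner) else "other"

if __name__ == "__main__":
    for pad in (0, 4, 10):
        pkt = wrap_voice(SAMPLE_RTP, pad)
        print(pad, len(pkt), classify(pkt), unwrap_voice(pkt) == SAMPLE_RTP)
```

Because the RTP packet is carried unmodified after the header, the framing changes only the first 3 to 13 bytes of each datagram; the voice payload itself is not transformed.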
Key acquisition mechanism:
For the signaling encryption/decryption process, the terminal must first obtain the encryption/decryption keys, which consist of a key for the odd-position bytes and a key for the even-position bytes. In the present invention these keys are stored in the VOIP switchboard (server), where they are configured and read by the VOIP switchboard configuration management software; a terminal that needs encrypted communication requests the keys from the VOIP switchboard configuration management software through a private protocol.
The private protocol referred to here is a protocol defined between an IP terminal that implements the encryption function and the management software of the VOIP server, so that the IP terminal can obtain the keys from the VOIP server. It does not follow any existing public protocol standard in the communications field and is defined solely for this specific function. The protocol consists of a request message and a response message: the request message is generated by the IP terminal that implements the encryption function and is sent to the management software of the VOIP server; the response message is generated by the management software of the VOIP server after it receives the request message, contains the key information, and is sent to the requesting party.
The processes by which the encryption mechanism is applied when initiating a call and when receiving a call are described below with reference to the accompanying drawings and embodiments. The initiating terminal is IP phone A and the receiving terminal is IP phone B.
Figure 4 is a flow chart of the encryption mechanism as applied by the terminal that initiates a call:
1. The user configures the IP phone A terminal for encrypted communication;
2. The user enters the called number of IP phone B on IP phone A and initiates a call;
3. The IP phone A terminal checks whether it is configured for encrypted communication. If so, it uses the "key acquisition mechanism" to obtain the key and performs step 4; otherwise it performs step 5;
4. The IP phone A terminal generates the SIP message that initiates the call, inserts the "a=x-encrypt:on" attribute into the SDP attributes of the message, applies the "signaling encryption process" to the SIP message, and performs step 6;
5. The IP phone A terminal generates the SIP message that initiates the call, inserts the "a=x-encrypt" attribute into the SDP attributes of the message, and performs step 6;
6. The IP phone A terminal sends the processed signaling message to the called terminal, IP phone B;
7. The IP phone A terminal receives the encrypted call response message from the called terminal, IP phone B, and performs the "signaling decryption process";
8. The IP phone A terminal checks whether the SDP of the call response message contains the "a=x-encrypt:on" attribute. If it does, the terminal determines that the voice of this call needs to be encrypted; otherwise it determines that the voice of this call does not need to be encrypted;
9. The call is established (IP phone A and IP phone B) and the terminals start sending and receiving voice; depending on the result of step 8, the voice encryption/decryption process is or is not applied to the voice.
Figure 5 is a flow chart of the encryption mechanism as applied by the terminal that receives a call:
1. The IP phone B terminal receives the SIP call request message from IP phone A;
2. The IP phone B terminal uses the presence or absence of the encryption mark in the received SIP message to determine whether the subsequent call process requires signaling encryption. If so, the IP phone A terminal uses the "key acquisition mechanism" to obtain the key and IP phone B decrypts the SIP signaling; otherwise the normal SIP call process is performed (the subsequent steps of that process are omitted);
3. The IP phone B terminal checks whether the SDP of the received SIP message contains the "a=x-encrypt:on" attribute. If it does, the terminal determines that the voice of this call needs to be encrypted and performs step 4; otherwise it determines that the voice of this call does not need to be encrypted and performs step 5;
4. The IP phone B terminal generates the SIP message that answers the received call, inserts the "a=x-encrypt:on" attribute into the SDP attributes of the message, performs the "signaling encryption process", and performs step 6;
5. The IP phone B terminal generates the SIP message that answers the received call, inserts the "a=x-encrypt" attribute into the SDP attributes of the message, and performs step 6;
6. The IP phone B terminal sends the processed signaling message to the calling terminal, IP phone A;
7. The call is established and the terminals start sending and receiving voice; depending on the result of step 3, the voice encryption/decryption process is or is not applied to the voice.
The sequence of operations in actual use is as follows:
The calling terminal enables the encrypted communication function and initiates a call;
The calling terminal generates the call request signaling message, sets the media encryption flag in the media negotiation part of the message, encrypts the signaling message, and sends it;
The network operator's voice firewall receives the encrypted signaling message sent by the caller. Because the message is encrypted with a private encryption protocol, the firewall cannot analyze it and therefore cannot obtain the caller's media network address from the signaling message;
The called terminal receives the encrypted signaling message, determines from the message header that the message is encrypted, decrypts it according to the decryption algorithm, and processes the decrypted message according to the normal call flow. Having learned that the caller set the media encryption request, it determines that the voice of this communication needs to be encrypted, generates a response message, encrypts it, and returns it to the caller;
The network operator's voice firewall receives the encrypted call response signaling message sent by the called party. Because the message is encrypted with a private encryption protocol, the firewall cannot analyze it and therefore cannot obtain the called party's media network address from the signaling message;
The caller receives the encrypted response message from the called party, determines from the message header that the message is encrypted, decrypts it according to the decryption algorithm, and processes the decrypted message according to the normal call flow. Having learned that the called party set the media encryption request, it determines that the voice of this communication needs to be encrypted; at this point the call is established;
The calling and called parties start sending encrypted voice data packets;
The network operator's voice firewall receives the encrypted voice data packets of the calling and called parties. Because the encrypted voice data packets no longer show the characteristics of normal voice packets (RTP header, fixed length), the firewall cannot determine whether a received packet is a voice packet and cannot interfere with it;
The calling and called parties each receive the other's voice packets, decrypt them, and process them as normal voice data, so both parties can hear each other normally.
Claims (9)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201110032227.0A CN102185827B (en) | 2011-01-30 | 2011-01-30 | Firewall-penetrating method of voice in VOIP (Voice Over Internet Protocol) system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201110032227.0A CN102185827B (en) | 2011-01-30 | 2011-01-30 | Firewall-penetrating method of voice in VOIP (Voice Over Internet Protocol) system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102185827A CN102185827A (en) | 2011-09-14 |
CN102185827B (en) | 2014-05-14 |
Family
ID=44571897
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201110032227.0A Expired - Fee Related CN102185827B (en) | 2011-01-30 | 2011-01-30 | Firewall-penetrating method of voice in VOIP (Voice Over Internet Protocol) system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102185827B (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9515995B2 (en) * | 2013-12-27 | 2016-12-06 | Futurewei Technologies, Inc. | Method and apparatus for network address translation and firewall traversal |
CN104753876A (en) * | 2013-12-30 | 2015-07-01 | 北京大唐高鸿数据网络技术有限公司 | Flexible and controllable session encryption method |
CN115567209B (en) * | 2022-09-29 | 2023-09-22 | 中电信量子科技有限公司 | VoIP encryption and decryption method by adopting transparent proxy and quantum key pre-filling |
CN118118276B (en) * | 2024-04-26 | 2024-08-06 | 广东安创信息科技开发有限公司 | Speech encryption near-end device, far-end device, system and encryption and decryption method based on coprocessor |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101009740A (en) * | 2007-01-17 | 2007-08-01 | 广州市高科通信技术股份有限公司 | System and method for implementing simultaneous data and voice access of the dual PPPOE |
CN101018229A (en) * | 2007-02-12 | 2007-08-15 | 华为技术有限公司 | A method and firewall for the media service to penetrate the firewall |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8935416B2 (en) * | 2006-04-21 | 2015-01-13 | Fortinet, Inc. | Method, apparatus, signals and medium for enforcing compliance with a policy on a client computer |
Also Published As
Publication number | Publication date |
---|---|
CN102185827A (en) | 2011-09-14 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right |
Effective date of registration: 20190715 Address after: 519000. A District 1, 15A, conference center, 1 Software Road, Tang Wan Town, Zhuhai hi tech Zone, Guangdong, 1 Patentee after: GUANGDONG JIAMI TECHNOLOGY Co.,Ltd. Address before: 519080, B5, 4th floor, South Software Park, Zhuhai high tech Zone, Guangdong Patentee before: GUANGDONG JIAHE COMMUNICATION TECHNOLOGY Co.,Ltd. |
TR01 | Transfer of patent right | ||
CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20140514 |
CF01 | Termination of patent right due to non-payment of annual fee |