[go: up one dir, main page]

CN1881869B - A method for realizing encrypted communication - Google Patents

A method for realizing encrypted communication Download PDF

Info

Publication number
CN1881869B
CN1881869B CN200510117145A CN200510117145A CN1881869B CN 1881869 B CN1881869 B CN 1881869B CN 200510117145 A CN200510117145 A CN 200510117145A CN 200510117145 A CN200510117145 A CN 200510117145A CN 1881869 B CN1881869 B CN 1881869B
Authority
CN
China
Prior art keywords
communication
communication node
encryption
node
capability
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN200510117145A
Other languages
Chinese (zh)
Other versions
CN1881869A (en
Inventor
王鹏
王敬
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Priority to CN200510117145A priority Critical patent/CN1881869B/en
Priority to PCT/CN2006/002932 priority patent/WO2007051415A1/en
Publication of CN1881869A publication Critical patent/CN1881869A/en
Application granted granted Critical
Publication of CN1881869B publication Critical patent/CN1881869B/en
Anticipated expiration legal-status Critical
Expired - Fee Related legal-status Critical Current

Links

Images

Landscapes

  • Mobile Radio Communication Systems (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Telephonic Communication Services (AREA)

Abstract

本发明公开了一种实现加密通信的方法,两个通信节点通信时第一通信节点将自身媒体能力信息和通信加密能力信息发送给第二通信节点;所述媒体能力信息代表通信节点具有的媒体能力,所述通信加密能力信息代表通信节点具有加密通信能力;第二通信节点根据来自第一通信节点的媒体能力信息和通信加密能力信息,判断自身是否具有通信加密能力以及与第一通信节点存在交集的媒体能力,如果具有,第一、第二通信节点确定相同的数据加密密钥,并应用所述媒体能力和确定的数据加密密钥进行加密通信。本发明方法保证第一、第二通信节点间的通信信息即使被非法获取,非法获取信息者也无法解析或直接读出获取的信息所包含的内容,提高了通信安全性和用户满意度。

The invention discloses a method for realizing encrypted communication. When two communication nodes communicate, the first communication node sends its own media capability information and communication encryption capability information to the second communication node; the media capability information represents the media capabilities of the communication nodes. Capability, the communication encryption capability information represents that the communication node has encrypted communication capability; the second communication node judges whether it has communication encryption capability and exists with the first communication node according to the media capability information and communication encryption capability information from the first communication node If there is an intersecting media capability, the first and second communication nodes determine the same data encryption key, and use the media capability and the determined data encryption key to perform encrypted communication. The method of the invention ensures that even if the communication information between the first and second communication nodes is obtained illegally, the person who obtains the information illegally cannot analyze or directly read out the content contained in the obtained information, thereby improving communication security and user satisfaction.

Description

一种实现加密通信的方法 A method for realizing encrypted communication

技术领域technical field

本发明涉及通信领域,具体涉及一种实现加密通信的方法。The invention relates to the communication field, in particular to a method for realizing encrypted communication.

背景技术Background technique

目前,RFC 2833协议描述了如何在实时传输协议(RTP)数据包中传输双音多频信号(DTMF)和其它网络信令和事件。Currently, the RFC 2833 protocol describes how to transmit dual-tone multi-frequency signals (DTMF) and other network signaling and events in real-time transport protocol (RTP) packets.

在应用RFC 2833所传输的上述信息中,有相当一部分信息对安全性要求较高。如:银行等商业部门的交易数据、用户个人信息等。在传输这些对安全性要求较高的信息时应进行加密,使得传输的信息即使被非法获取也无法被正确解析。Among the above-mentioned information transmitted by applying RFC 2833, a considerable part of the information requires high security. Such as: transaction data of commercial departments such as banks, user personal information, etc. Encryption should be carried out when transmitting these information with high security requirements, so that the transmitted information cannot be correctly analyzed even if it is obtained illegally.

然而,目前应用RFC 2833传输信息时并不对传输的信息加密,应用RFC2833通信的安全性较低。这种情况下,如果信息在传输时被非法获取,非法获取信息者可以直接读出获取的信息所包含的内容,这很可能对该信息的合法拥有者造成不利影响,进而降低用户满意度。However, the current application of RFC 2833 does not encrypt the transmitted information when transmitting information, and the security of communication using RFC 2833 is low. In this case, if the information is obtained illegally during transmission, the person who obtains the information illegally can directly read the content contained in the obtained information, which is likely to have a negative impact on the legal owner of the information, thereby reducing user satisfaction.

实际上,目前还有很多其它种类的通信协议无法实现信息的加密通信,应用这些通信协议进行通信的安全性同样很低,这很可能对信息的合法拥有者造成不利影响,进而降低用户满意度。In fact, there are still many other types of communication protocols that cannot realize encrypted communication of information, and the security of communication using these communication protocols is also very low, which is likely to have an adverse effect on the legal owner of information, thereby reducing user satisfaction .

发明内容Contents of the invention

有鉴于此,本发明的主要目的在于提供一种实现加密通信的方法,以提高通信安全性。In view of this, the main purpose of the present invention is to provide a method for implementing encrypted communication, so as to improve communication security.

为达到上述目的,本发明的技术方案是这样实现的:In order to achieve the above object, technical solution of the present invention is achieved in that way:

本发明公开了一种实现加密通信的方法,该方法用于针对RFC 2833协议数据包进行加密,包括以下步骤:The invention discloses a method for realizing encrypted communication, which is used for encrypting RFC 2833 protocol data packets, comprising the following steps:

a.两个通信节点通信时,第一通信节点将自身的媒体能力信息和通信加密能力信息发送给第二通信节点;a. When two communication nodes communicate, the first communication node sends its own media capability information and communication encryption capability information to the second communication node;

b.第二通信节点根据来自第一通信节点的媒体能力信息和通信加密能力信息,判断自身是否具有通信加密能力以及与第一通信节点存在交集的媒体能力,如果具有,第一、第二通信节点确定相同的数据加密密钥,并应用存在交集的所述媒体能力和确定的数据加密密钥进行加密通信。b. According to the media capability information and communication encryption capability information from the first communication node, the second communication node judges whether it has the communication encryption capability and the media capability that overlaps with the first communication node. If so, the first and second communications The nodes determine the same data encryption key, and use the media capability and the determined data encryption key that have an intersection to perform encrypted communication.

步骤b中,所述判断方法包括:In step b, the judging method includes:

第二通信节点获取自身具有的媒体能力,并比较获取的媒体能力与来自第一通信节点的媒体能力信息所对应的媒体能力是否存在交集,如果存在交集,第二通信节点确定自身具有与第一通信节点存在交集的媒体能力;The second communication node acquires the media capability it has, and compares whether there is an intersection between the acquired media capability and the media capability corresponding to the media capability information from the first communication node, and if there is an intersection, the second communication node determines that it has the same media capability as the first communication node. Communication nodes have overlapping media capabilities;

第二通信节点查询自身通信配置参数中有关通信加密能力的通信配置参数,如果查询到的通信配置参数支持通信加密,第二通信节点确定自身具有通信加密能力。The second communication node inquires communication configuration parameters related to communication encryption capability among its own communication configuration parameters, and if the queried communication configuration parameters support communication encryption, the second communication node determines that it has communication encryption capability.

所述媒体能力信息是通信协议名称,则所述第二通信节点确定自身是否具有与第一通信节点存在交集的媒体能力的方法是:The media capability information is a communication protocol name, then the method for the second communication node to determine whether it has a media capability that overlaps with the first communication node is:

第二通信节点获取自身支持的通信协议,并比较获取的通信协议的名称与来自第一通信节点的通信协议名称是否存在交集,如果存在交集,第二通信节点确定自身具有与第一通信节点存在交集的媒体能力。The second communication node obtains the communication protocol supported by itself, and compares whether there is an intersection between the name of the obtained communication protocol and the communication protocol name from the first communication node, and if there is an intersection, the second communication node determines that it has an intersection with the first communication node Intersecting media capabilities.

所述有关通信加密能力的通信配置参数是加密使能,则步骤b中,第二通信节点判断自身是否具有通信加密能力的方法是:The communication configuration parameter related to communication encryption capability is encryption enablement, then in step b, the method for the second communication node to judge whether it has communication encryption capability is:

第二通信节点查询自身通信配置参数中的加密使能,如果查询到的加密使能设置于使能状态,第二通信节点确定自身具有通信加密能力。The second communication node queries the encryption enablement in its own communication configuration parameters, and if the queried encryption enablement is set to an enabled state, the second communication node determines that it has communication encryption capability.

所述通信加密能力信息是第一通信节点生成的随机数或预先设置的公共密钥,则步骤b中,所述第一、第二通信节点确定数据加密密钥的方法包括:The communication encryption capability information is a random number generated by the first communication node or a preset public key, then in step b, the method for the first and second communication nodes to determine the data encryption key includes:

第二通信节点应用预先设置的加密策略对来自第一通信节点的随机数或公共密钥加密,并将加密结果作为后续与第一通信节点通信的数据加密密钥;第一通信节点应用预先设置的加密策略对自身生成的随机数或发送给第二通信节点的公共密钥加密,并将加密结果作为后续与第二通信节点通信的数据加密密钥。The second communication node applies a preset encryption policy to encrypt the random number or public key from the first communication node, and uses the encryption result as a data encryption key for subsequent communication with the first communication node; the first communication node applies a preset The encryption strategy encrypts the random number generated by itself or the public key sent to the second communication node, and uses the encryption result as the data encryption key for subsequent communication with the second communication node.

所述通信加密能力信息是第一通信节点应用预先设置的加密策略对其生成的随机数和预先设置的公共密钥加密后所得的加密结果,则步骤b中,所述第一、第二通信节点确定数据加密密钥的方法包括:The communication encryption capability information is the encryption result obtained after the first communication node applies a preset encryption policy to encrypt the random number generated by it and the preset public key, then in step b, the first and second communications Methods for nodes to determine data encryption keys include:

第二通信节点应用预先设置的加密策略和公共密钥对来自第一通信节点的通信加密能力信息进行解密,并将解密结果作为后续与第一通信节点通信的数据加密密钥;第一通信节点将所述加密结果作为后续与第二通信节点通信的数据加密密钥。The second communication node applies a preset encryption policy and public key to decrypt the communication encryption capability information from the first communication node, and uses the decryption result as a data encryption key for subsequent communications with the first communication node; the first communication node The encryption result is used as a data encryption key for subsequent communication with the second communication node.

所述通信加密能力信息是第一通信节点生成的随机数或预先设置的公共密钥,则步骤b中,所述第一、第二通信节点确定数据加密密钥的方法包括:The communication encryption capability information is a random number generated by the first communication node or a preset public key, then in step b, the method for the first and second communication nodes to determine the data encryption key includes:

第二通信节点直接将来自第一通信节点的随机数或公共密钥作为后续与第一通信节点通信的数据加密密钥;第一通信节点直接将自身生成的随机数或发送给第二通信节点的公共密钥作为后续与第二通信节点通信的数据加密密钥。The second communication node directly uses the random number or public key from the first communication node as the data encryption key for subsequent communication with the first communication node; the first communication node directly sends the random number or public key generated by itself to the second communication node The public key is used as a data encryption key for subsequent communication with the second communication node.

步骤b中,所述进行加密通信包括:In step b, the encrypted communication includes:

第一/第二通信节点应用所述数据加密密钥和预先设置的加密策略对发送给第二/第一通信节点的数据进行加密,并将加密后的加密数据发送给第二/第一通信节点;第二/第一通信节点应用所述数据加密密钥和所述加密策略对来自第一/第二通信节点的加密数据进行解密。The first/second communication node encrypts the data sent to the second/first communication node by applying the data encryption key and the preset encryption policy, and sends the encrypted encrypted data to the second/first communication node The node; the second/first communication node applies the data encryption key and the encryption policy to decrypt the encrypted data from the first/second communication node.

在步骤b前或步骤b中,进一步在第一通信节点与第二通信节点之间建立用于通信的媒体通道。Before step b or in step b, a media channel for communication is further established between the first communication node and the second communication node.

所述第一通信节点、第二通信节点是通信终端、网关或媒体控制器单元MCU。The first communication node and the second communication node are communication terminals, gateways or media controller units MCU.

第一通信节点与第二通信节点应用会话发起协议SIP或H323协议交互。The first communication node interacts with the second communication node using the session initiation protocol SIP or the H323 protocol.

与现有技术相比,本发明所提供的实现加密通信的方法,由第一通信节点与第二通信节点协商确定用于支持加密通信的媒体能力和加密通信能力;在第一、第二通信节点均具有通信加密能力以及存在交集的媒体能力时,由第一、第二通信节点确定相同的数据加密密钥,并应用所述媒体能力和确定的数据加密密钥进行加密通信。Compared with the prior art, in the method for implementing encrypted communication provided by the present invention, the media capability and encrypted communication capability for supporting encrypted communication are determined through negotiation between the first communication node and the second communication node; in the first and second communication When both nodes have communication encryption capabilities and overlapping media capabilities, the first and second communication nodes determine the same data encryption key, and use the media capabilities and the determined data encryption key to perform encrypted communication.

可见,即使第一、第二通信节点之间传输的信息被非法获取,本发明方法也可保证非法获取信息者无法正确解析或直接读出获取的信息所包含的内容,避免对该信息的合法拥有者可能造成的不利影响,提高了通信安全性和用户满意度.It can be seen that even if the information transmitted between the first and second communication nodes is obtained illegally, the method of the present invention can ensure that the illegally obtained information cannot correctly parse or directly read out the content contained in the obtained information, avoiding the legalization of the information. Possibly detrimental to the owner, improving communication security and user satisfaction.

附图说明Description of drawings

图1为本发明实现加密通信的流程图。Fig. 1 is a flow chart of implementing encrypted communication in the present invention.

具体实施方式Detailed ways

下面结合附图及具体实施例对本发明详细说明。The present invention will be described in detail below in conjunction with the accompanying drawings and specific embodiments.

本发明提供的实现加密通信的方法,由第一通信节点将自身的媒体能力信息和通信加密能力信息发送给第二通信节点;所述媒体能力信息代表通信节点所具有的媒体能力,所述通信加密能力信息代表通信节点具有加密通信能力;第二通信节点根据来自第一通信节点的媒体能力信息和通信加密能力信息,判断自身是否具有通信加密能力以及与第一通信节点存在交集的媒体能力,如果具有,第一、第二通信节点确定相同的数据加密密钥,并应用所述媒体能力和确定的数据加密密钥进行加密通信。其中,第一通信节点可以是主叫通信节点,第二通信节点可以是被叫通信节点。In the method for implementing encrypted communication provided by the present invention, the first communication node sends its own media capability information and communication encryption capability information to the second communication node; the media capability information represents the media capability of the communication node, and the communication The encryption capability information represents that the communication node has encrypted communication capability; the second communication node judges whether it has the communication encryption capability and the media capability that overlaps with the first communication node according to the media capability information and communication encryption capability information from the first communication node, If so, the first and second communication nodes determine the same data encryption key, and use the media capability and the determined data encryption key to perform encrypted communication. Wherein, the first communication node may be a calling communication node, and the second communication node may be a called communication node.

参见图1,图1为本发明实现加密通信的流程图,该流程包括以下步骤:Referring to Fig. 1, Fig. 1 realizes the flow chart of encrypted communication for the present invention, and this flow process comprises the following steps:

步骤101:主、被叫通信节点中预先设置有相同的公共密钥和加密策略。主叫通信节点向被叫通信节点发送呼叫建立请求,该呼叫建立请求可以由Q931协议的Setup消息实现。Step 101: The same public key and encryption strategy are preset in the calling and called communication nodes. The calling communication node sends a call establishment request to the called communication node, and the call establishment request can be implemented by a Setup message of the Q931 protocol.

步骤102:被叫通信节点收到来自主叫通信节点的呼叫建立请求后,向主叫通信节点发送呼叫处理响应,通知主叫通信节点呼叫正在处理中。所述呼叫处理响应可以由Q931协议的CallProceeding消息实现。Step 102: After receiving the call establishment request from the calling communication node, the called communication node sends a call processing response to the calling communication node, notifying the calling communication node that the call is being processed. The call processing response can be realized by the CallProceeding message of the Q931 protocol.

步骤103:被叫通信节点向主叫通信节点发送振铃消息,通知主叫通信节点被叫通信节点正在振铃。所述振铃消息可以由Q931协议的Alerting消息实现。Step 103: The called communication node sends a ringing message to the calling communication node, notifying the calling communication node that the called communication node is ringing. The ringing message may be implemented by an Alerting message of the Q931 protocol.

步骤104:当被叫通信节点以摘机等方式接受来自主叫通信节点的呼叫时,被叫通信节点向主叫通信节点发送呼叫应答响应。Step 104: When the called communication node accepts the call from the calling communication node by off-hook, etc., the called communication node sends a call response response to the calling communication node.

步骤105:主、被叫通信节点之间进行连接建立过程,以建立用于支持主、被叫通信节点间通信的通信连接。Step 105: A connection establishment process is performed between the calling and called communication nodes, so as to establish a communication connection for supporting communication between the calling and called communication nodes.

具体的连接建立过程通常包括:被叫通信节点向主叫通信节点发送至少包含被叫通信节点通信标识的连接建立请求;主叫通信节点收到来自被叫通信节点的连接建立请求后,确定与该连接建立请求中包含的通信标识所对应的通信节点通信,并向被叫通信节点发送包含主叫通信节点通信标识的连接建立响应;被叫通信节点收到来自主叫通信节点的连接建立响应后,确定与该连接建立响应中包含的通信标识所对应的通信节点通信。当然,如果步骤101中的呼叫建立请求中携带有主叫通信节点通信标识,被叫通信节点则在收到该通信标识后确定与该通信标识所对应的通信节点通信,主叫通信节点不需要在上述连接建立响应中携带所述通信标识。The specific connection establishment process usually includes: the called communication node sends a connection establishment request including at least the communication identification of the called communication node to the calling communication node; after the calling communication node receives the connection establishment request from the called communication node, it determines and The communication node corresponding to the communication identification included in the connection establishment request communicates, and sends a connection establishment response containing the communication identification of the calling communication node to the called communication node; the called communication node receives the connection establishment response from the calling communication node After that, it is determined to communicate with the communication node corresponding to the communication identification contained in the connection establishment response. Of course, if the call setup request in step 101 carries the communication identification of the calling communication node, the called communication node determines to communicate with the communication node corresponding to the communication identification after receiving the communication identification, and the calling communication node does not need to The communication identifier is carried in the above connection establishment response.

上述的连接建立过程可以由Q931协议的Connect消息实现,也可以由H245协议实现。如果由H245协议实现,所述通信标识则包含H245网际协议(IP)地址和H245协议支持的监听端口号。The above connection establishment process can be implemented by the Connect message of the Q931 protocol, or by the H245 protocol. If implemented by the H245 protocol, the communication identifier includes an H245 Internet Protocol (IP) address and a listening port number supported by the H245 protocol.

步骤106:当主叫通信节点具有通信加密能力时,主叫通信节点发起与被叫通信节点之间的通信加密能力协商过程。该协商过程所包含的操作主要为:主叫通信节点向被叫通信节点发送通信加密能力协商请求,该通信加密能力协商请求中至少包含主叫通信节点的媒体能力信息和通信加密能力信息。其中,媒体能力信息代表主叫通信节点所具有的媒体能力,具体而言,所述媒体能力信息代表主叫通信节点进行数据通信时所具有的媒体编解码能力;通信加密能力信息代表主叫通信节点具有加密通信能力。所述通信加密能力信息可以以一个扩展字段表示。Step 106: When the calling communication node has communication encryption capability, the calling communication node initiates a communication encryption capability negotiation process with the called communication node. The operations included in the negotiation process mainly include: the calling communication node sends a communication encryption capability negotiation request to the called communication node, and the communication encryption capability negotiation request includes at least media capability information and communication encryption capability information of the calling communication node. Wherein, the media capability information represents the media capability of the calling communication node. Specifically, the media capability information represents the media encoding and decoding capability of the calling communication node during data communication; the communication encryption capability information represents the calling communication Nodes have encrypted communication capabilities. The communication encryption capability information may be represented by an extension field.

被叫通信节点收到来自主叫通信节点的通信加密能力协商请求后,判断自身是否具有通信加密能力以及与主叫通信节点存在交集的媒体能力,如果具有,被叫通信节点向主叫通信节点发送通信加密能力协商响应,该通信加密能力协商响应中可以携带有被叫通信节点的媒体能力信息和通信加密能力信息;否则,被叫通信节点向主叫通信节点发送协商失败消息,主叫通信节点收到该协商失败消息后停止与被叫通信节点进行后续有关加密通信的操作。主、被叫通信节点中通常预先设置有通信加密能力和各自具有的媒体能力。After the called communication node receives the communication encryption capability negotiation request from the calling communication node, it judges whether it has the communication encryption capability and the intersecting media capability with the calling communication node. Send a communication encryption capability negotiation response, which may carry the media capability information and communication encryption capability information of the called communication node; otherwise, the called communication node sends a negotiation failure message to the calling communication node, and the calling communication node After receiving the negotiation failure message, the node stops subsequent operations related to encrypted communication with the called communication node. The communication encryption capability and the respective media capabilities are usually preset in the calling and called communication nodes.

可见,图1所示流程是以通信加密能力协商成功为例的。It can be seen that the process shown in FIG. 1 is an example of successful communication encryption capability negotiation.

所述被叫通信节点判断自身是否具有通信加密能力的方法有多种,如:在被叫通信节点的通信配置参数中添加加密使能,并由操作人员预先将该加密使能设置为使能或禁止。那么,当被叫通信节点查询自身的通信配置参数时,如果获知加密使能当前为使能状态,被叫通信节点确定自身具有通信加密能力;否则,被叫通信节点确定自身不具有通信加密能力。There are many ways for the called communication node to judge whether it has communication encryption capability, such as: adding encryption enablement in the communication configuration parameters of the called communication node, and setting the encryption enablement as enabling in advance by the operator or prohibited. Then, when the called communication node queries its own communication configuration parameters, if it is known that the encryption enablement is currently enabled, the called communication node determines that it has communication encryption capability; otherwise, the called communication node determines that it does not have communication encryption capability .

如果将上述通信加密能力协商过程的主要操作具体化,则主叫通信节点发起的与被叫通信节点之间的通信加密能力协商过程可以有多种,第一种通信加密能力协商过程为:If the main operations of the above-mentioned communication encryption capability negotiation process are embodied, there can be multiple communication encryption capability negotiation processes between the calling communication node and the called communication node. The first communication encryption capability negotiation process is:

主叫通信节点向被叫通信节点发送包含媒体能力信息和通信加密能力信息的通信加密能力协商请求,并且所述通信加密能力信息以公共密钥表示,即:所述通信加密能力协商请求中包含的公共密钥代表主叫通信节点具有通信加密能力。被叫通信节点收到来自主叫通信节点的通信加密能力协商请求后,应用现有技术获取自身具有的媒体能力,并比较获取的媒体能力与所述通信加密能力协商请求中包含的媒体能力信息所代表的媒体能力是否存在交集,如果存在交集,被叫通信节点确定自身具有与主叫通信节点存在交集的媒体能力;否则,被叫通信节点确定自身不具有与主叫通信节点存在交集的媒体能力。The calling communication node sends a communication encryption capability negotiation request including media capability information and communication encryption capability information to the called communication node, and the communication encryption capability information is represented by a public key, that is, the communication encryption capability negotiation request includes The public key represents that the calling communication node has communication encryption capability. After receiving the communication encryption capability negotiation request from the calling communication node, the called communication node applies the existing technology to obtain its own media capability, and compares the obtained media capability with the media capability information contained in the communication encryption capability negotiation request Whether there is an intersection of the represented media capabilities, if there is an intersection, the called communication node determines that it has a media capability that intersects with the calling communication node; otherwise, the called communication node determines that it does not have a media capability that intersects with the calling communication node ability.

被叫通信节点还确定自身是否具有通信加密能力,如果具有,被叫通信节点应用预先设置的所述加密策略对所述通信加密能力协商请求中包含的公共密钥进行加密,并将加密结果作为后续与主叫通信节点通信时的被叫侧数据加密密钥。之后,被叫通信节点向主叫通信节点发送通信加密能力协商响应,通知主叫通信节点被叫通信节点具有通信加密能力以及与主叫通信节点存在交集的媒体能力;主叫通信节点收到来自被叫通信节点的通信加密能力协商响应后,确定可以与主叫通信节点进行加密通信,并应用预先设置的所述加密策略对所述公共密钥进行加密,并将加密结果作为后续与被叫通信节点通信时的主叫侧数据加密密钥。The called communication node also determines whether it has the communication encryption capability, and if so, the called communication node applies the preset encryption strategy to encrypt the public key contained in the communication encryption capability negotiation request, and uses the encrypted result as The called side data encryption key for subsequent communication with the calling communication node. Afterwards, the called communication node sends a communication encryption capability negotiation response to the calling communication node, informing the calling communication node that the called communication node has the communication encryption capability and the media capability that overlaps with the calling communication node; After the communication encryption capability negotiation response of the called communication node, it is determined that encrypted communication can be performed with the calling communication node, and the encryption strategy is applied to encrypt the public key, and the encrypted result is used as a subsequent communication with the called communication node. The calling side data encryption key when the communication node communicates.

当然,主、被叫通信节点也可以不应用所述加密策略对所述公共密钥进行加密,而是分别将所述公共密钥直接作为后续通信时的主、被叫侧数据加密密钥。Of course, the calling and called communication nodes may not use the encryption strategy to encrypt the public key, but directly use the public key as the data encryption key of the calling side and the called side in subsequent communication respectively.

在实际应用中,所述通信加密能力协商响应中可以携带有所述被叫侧数据加密密钥,主叫通信节点则应用所述加密策略对收到的通信加密能力协商响应中包含的被叫侧数据加密密钥进行解密,并判断解密所得结果是否与所述公共密钥相同,如果相同,主叫通信节点向被叫通信节点发送确认消息;否则,主叫通信节点向被叫通信节点发送协商失败消息。In practical applications, the communication encryption capability negotiation response may carry the called side data encryption key, and the calling communication node applies the encryption strategy to the called party data contained in the communication encryption capability negotiation response received. side data encryption key to decrypt, and judge whether the decrypted result is the same as the public key, if the same, the calling communication node sends a confirmation message to the called communication node; otherwise, the calling communication node sends a confirmation message to the called communication node Negotiation failure message.

当然,主叫通信节点收到所述通信加密能力协商响应后,也可以不进行所述解密操作,而是直接判断收到的响应中包含的被叫侧数据加密密钥是否与自身生成的主叫侧数据加密密钥相同,如果相同,主叫通信节点向被叫通信节点发送确认消息;否则,主叫通信节点向被叫通信节点发送协商失败消息。Certainly, after the calling communication node receives the communication encryption capability negotiation response, it may not perform the decryption operation, but directly judges whether the called side data encryption key contained in the received response is consistent with the calling side data encryption key generated by itself. The data encryption keys on the calling side are the same, if they are the same, the calling communication node sends a confirmation message to the called communication node; otherwise, the calling communication node sends a negotiation failure message to the called communication node.

所述通信加密能力协商响应中还可以进一步携带有被叫通信节点具有的与主叫通信节点存在交集的媒体能力所对应的媒体能力信息。The communication encryption capability negotiation response may further carry media capability information corresponding to the media capability of the called communication node that overlaps with the calling communication node.

第二种通信加密能力协商过程为:主叫通信节点向被叫通信节点发送包含媒体能力信息和通信加密能力信息的通信加密能力协商请求,并且所述通信加密能力信息以主叫通信节点任意生成的随机数表示,即:所述通信加密能力协商请求中包含的随机数代表主叫通信节点具有通信加密能力。被叫通信节点确定自身是否具有与主叫通信节点存在交集的媒体能力,具体的确定方法与第一种通信加密能力协商过程中的相应确定方法相同。The second communication encryption capability negotiation process is: the calling communication node sends a communication encryption capability negotiation request including media capability information and communication encryption capability information to the called communication node, and the communication encryption capability information is arbitrarily generated by the calling communication node The random number indicates that the random number contained in the communication encryption capability negotiation request represents that the calling communication node has the communication encryption capability. The called communication node determines whether it has media capabilities that overlap with the calling communication node, and the specific determination method is the same as the corresponding determination method in the first communication encryption capability negotiation process.

被叫通信节点还确定自身是否具有通信加密能力,在确定具有通信加密能力之后生成被叫侧数据加密密钥并进行后续的向主叫通信节点发送通信加密能力协商响应等操作,具体的操作方法与第一种通信加密能力协商过程中的相应方法大体相同,区别在于进行的操作不再针对所述公共密钥而是针对所述随机数。The called communication node also determines whether it has the communication encryption capability, generates the data encryption key on the called side after determining that it has the communication encryption capability, and performs subsequent operations such as sending a communication encryption capability negotiation response to the calling communication node. The specific operation method It is substantially the same as the corresponding method in the communication encryption capability negotiation process of the first kind, except that the operation performed is no longer directed to the public key but to the random number.

应用随机数进行加密通信的好处在于:主、被叫通信节点之间每次进行新会话等新一次通信时,均可随机生成新的随机数,并应用该随机数生成所述数据加密密钥。可见,每当主、被叫通信节点进行新一次通信时,生成的所述数据加密密钥都与前次的不同,这种数据加密密钥生成的灵活性使得非法获取信息者即使在一次通信中破译了数据加密密钥,也无法应用相同方法破译每次通信中所使用的数据加密密钥,这能够进一步提高通信安全性。The advantage of using random numbers for encrypted communication is that a new random number can be randomly generated every time a new communication such as a new session is carried out between the calling and called communication nodes, and the data encryption key can be generated by using the random number . It can be seen that whenever the calling and called communication nodes conduct a new communication, the generated data encryption key is different from the previous one. The flexibility of this kind of data encryption key generation makes it possible for the person who illegally obtains information even in a communication Even if the data encryption key is deciphered, the same method cannot be applied to decipher the data encryption key used in each communication, which can further improve communication security.

当然,主叫通信节点可以将所述随机数作为后续与被叫通信节点通信时的主叫侧数据加密密钥,并应用设置的所述公共密钥和加密策略对该随机数加密,将加密结果作为通信加密能力信息携带于所述通信加密能力协商请求中,发送给被叫通信节点。被叫通信节点收到该通信加密能力协商请求并确定自身有加密能力后,应用设置的所述公共密钥和加密策略对收到的通信加密能力协商请求中包含的通信加密能力信息解密,并将解密结果作为后续与主叫通信节点通信时的被叫侧数据加密密钥。可见,该被叫侧数据加密密钥与主叫通信节点发送的所述随机数相同。Of course, the calling communication node can use the random number as the calling side data encryption key when communicating with the called communication node, and apply the set public key and encryption strategy to encrypt the random number, and the encrypted The result is carried in the communication encryption capability negotiation request as communication encryption capability information, and sent to the called communication node. After the called communication node receives the communication encryption capability negotiation request and determines that it has encryption capability, it applies the set public key and encryption strategy to decrypt the communication encryption capability information contained in the communication encryption capability negotiation request received, and The decryption result is used as the data encryption key of the called side during subsequent communication with the calling communication node. It can be seen that the data encryption key on the called side is the same as the random number sent by the calling communication node.

第三种通信加密能力协商过程为:主叫通信节点向被叫通信节点发送包含媒体能力信息和通信加密能力信息的预协商请求,并且所述通信加密能力信息以通信加密能力标记表示,该通信加密能力标记用于通知被叫通信节点主叫通信节点具有通信加密能力。比如:主叫通信节点发送的通信加密能力标记为1时,代表主叫通信节点具有通信加密能力。The third communication encryption capability negotiation process is: the calling communication node sends a pre-negotiation request containing media capability information and communication encryption capability information to the called communication node, and the communication encryption capability information is represented by a communication encryption capability flag, the communication The encryption capability flag is used to inform the called communication node that the calling communication node has communication encryption capability. For example, when the communication encryption capability flag sent by the calling communication node is 1, it means that the calling communication node has the communication encryption capability.

被叫通信节点收到来自主叫通信节点的预协商请求后,确定自身是否具有与主叫通信节点存在交集的媒体能力,具体的确定方法与第一种通信加密能力协商过程中的相应确定方法大体相同,区别在于当前进行的确定方法针对的是预协商请求.被叫通信节点还确定自身是否具有通信加密能力,并在确定自身具有通信加密能力之后向主叫通信节点发送预协商响应.主叫通信节点收到来自被叫通信节点的预协商响应后,同被叫通信节点进行与第二或第三种通信加密能力协商过程基本相同的操作.当然,由于被叫通信节点已经确定自身是否具有所述媒体能力和通信加密能力,因此被叫通信节点不需要再进行第二和第三种通信加密能力协商过程中所述确定媒体能力和通信加密能力的操作.After receiving the pre-negotiation request from the calling communication node, the called communication node determines whether it has the media capability that overlaps with the calling communication node. The specific determination method is the same as the corresponding determination method in the first communication encryption capability negotiation process Basically the same, the difference is that the current determination method is aimed at the pre-negotiation request. The called communication node also determines whether it has the communication encryption capability, and sends a pre-negotiation response to the calling communication node after determining that it has the communication encryption capability. After receiving the pre-negotiation response from the called communication node, the calling communication node performs basically the same operation as the second or third communication encryption capability negotiation process with the called communication node. Of course, since the called communication node has determined whether it is With the media capability and communication encryption capability, the called communication node does not need to perform the operation of determining the media capability and communication encryption capability in the second and third communication encryption capability negotiation processes.

步骤107:当被叫通信节点具有通信加密能力时被叫通信节点发起与主叫通信节点之间的通信加密能力协商过程,该通信加密能力协商过程所包含的操作与步骤106中的操作大体相同,区别在于:步骤107相对于步骤106发生了操作主体的互换。当然,被叫通信节点中设置的通信加密能力所对应的通信加密能力信息代表被叫通信节点具有加密通信能力;被叫通信节点中设置的媒体能力所对应的媒体能力信息代表被叫通信节点所具有的媒体能力,具体而言,所述媒体能力信息代表被叫通信节点进行数据通信时所具有的媒体编解码能力。Step 107: When the called communication node has communication encryption capability, the called communication node initiates a communication encryption capability negotiation process with the calling communication node, and the operations involved in the communication encryption capability negotiation process are substantially the same as those in step 106 , the difference is that: step 107 has an exchange of operation subjects relative to step 106 . Of course, the communication encryption capability information corresponding to the communication encryption capability set in the called communication node represents that the called communication node has encryption communication capability; the media capability information corresponding to the media capability set in the called communication node represents The media capability it has, specifically, the media capability information represents the media codec capability that the called communication node has when performing data communication.

步骤107与步骤106没有严格的时间先后关系。Step 107 and step 106 have no strict time sequence relationship.

在实际应用中,也可以只执行步骤107或步骤106中的一个步骤,这不会影响后续的数据加密通信。In practical applications, only one of step 107 or step 106 may be executed, which will not affect subsequent data encryption communications.

步骤108:应用现有技术建立主、被叫通信节点之间的媒体通道,具体的媒体通道建立过程通常为:主/被叫通信节点向被/主叫通信节点发送至少包含主/被叫通信节点IP地址和通信端口号的媒体通道建立请求;被/主叫通信节点接收来自主/被叫通信节点的媒体通道建立请求,并在接受该请求后向主/被叫通信节点发送至少包含被/主叫通信节点IP地址和通信端口号的媒体通道建立响应。这样,主、被叫通信节点就彼此获取了对方用于进行数据通信的地址信息,可以根据该地址信息进行后续的数据通信了。Step 108: Apply existing technology to establish a media channel between the calling and called communication nodes. The specific media channel establishment process is usually: the calling/called communication node sends at least the calling/called communication node to the called/called communication node. The media channel establishment request of the node IP address and the communication port number; / The media channel establishment response of the IP address of the calling communication node and the communication port number. In this way, the calling and called communication nodes obtain the address information used by the other party for data communication, and can perform subsequent data communication according to the address information.

当然,如果被/主叫通信节点拒绝了所述媒体通道建立请求,则向主/被叫通信节点发送通道建立拒绝消息,该通道建立拒绝消息中还可以携带有拒绝原因。Certainly, if the called/called communication node rejects the media channel establishment request, a channel establishment rejection message is sent to the calling/called communication node, and the channel establishment rejection message may also carry a reason for the rejection.

步骤109:主、被叫通信节点间应用建立的所述媒体通道进行加密数据通信过程。具体操作为:Step 109: The calling and called communication nodes use the established media channel to perform encrypted data communication. The specific operation is:

主/被叫通信节点应用所述主/被叫侧数据加密密钥和所述加密策略对发送给被/主叫通信节点的数据进行加密,并将加密后的加密数据发送给被/主叫通信节点;被/主叫通信节点应用所述被/主叫侧数据加密密钥和所述加密策略对来自主/被叫通信节点的加密数据进行解密,并应用现有技术根据完成解密的数据进行后续处理。The calling/called communication node encrypts the data sent to the called/called communication node by applying the calling/called side data encryption key and the encryption policy, and sends the encrypted encrypted data to the called/called Communication node; the called/called communication node applies the data encryption key of the called/calling side and the encryption strategy to decrypt the encrypted data from the calling/called communication node, and applies the prior art to complete the decryption according to the data Follow up.

步骤101至步骤105可以由Q931等通信协议实现,并可以进一步包含其它信令交互。Steps 101 to 105 may be implemented by communication protocols such as Q931, and may further include other signaling interactions.

步骤106至步骤109通常是由H245协议实现的,所述通信加密能力协商请求可以由终端能力请求(Terminal Capability Set,TCS)实现,所述通信加密能力协商响应可以由终端能力请求确认(Terminal Capability Set Ack,TCS Ack)实现,所述媒体通道建立请求可以由开放逻辑通道(Open LogicChannel)消息实现,所述媒体通道建立响应可以由开放逻辑通道响应(OpenLogic Channel Ack)实现,所述通道建立拒绝消息可以由开放逻辑通道拒绝(Open Logic Channel Reject)消息实现。Steps 106 to 109 are usually implemented by the H245 protocol. The communication encryption capability negotiation request can be implemented by a terminal capability request (Terminal Capability Set, TCS), and the communication encryption capability negotiation response can be confirmed by a terminal capability request (Terminal Capability Set, TCS). Set Ack, TCS Ack) realizes, and described media channel establishment request can be realized by open logical channel (Open LogicChannel) message, and described media channel establishes response and can be realized by open logical channel response (OpenLogic Channel Ack), and described channel establishes refusal The message can be implemented by an Open Logic Channel Reject message.

当然,步骤106至步骤109可以进一步包含其它信令交互,也可以由其它通信协议实现;并且步骤106、步骤107还可以由会话描述协议(SessionDescription Protocol,SDP)实现。Of course, steps 106 to 109 may further include other signaling interactions, and may also be implemented by other communication protocols; and steps 106 and 107 may also be implemented by a Session Description Protocol (SessionDescription Protocol, SDP).

步骤106和/或步骤107可以在步骤109之前的任意时刻进行。Step 106 and/or step 107 can be performed at any time before step 109 .

所述媒体能力信息可以是主、被叫通信节点支持的任一种通信协议名称,以保证接收方获知发送方支持哪种通信协议。如:G.711、G.723、H.263、RFC 2833等。这样,主叫通信节点就可以将自身支持的通信协议的名称作为媒体能力信息发送给被叫通信节点;被叫通信节点则获取自身支持的通信协议,并比较获取的通信协议的名称与收到的通信协议名称是否存在交集,如果存在交集,被叫通信节点确定自身具有与主叫通信节点存在交集的媒体能力。无论所述媒体能力信息以哪些内容表示,为了保证主、被叫通信节点能正常通信,主、被叫通信节点均要应用存在交集的所述媒体能力通信。The media capability information may be the name of any communication protocol supported by the calling and called communication nodes, so as to ensure that the receiver knows which communication protocol the sender supports. Such as: G.711, G.723, H.263, RFC 2833, etc. In this way, the calling communication node can send the name of the communication protocol supported by itself as media capability information to the called communication node; the called communication node obtains the communication protocol supported by itself, and compares the name of the communication protocol obtained with the received Whether there is an intersection between the names of the communication protocols, and if there is an intersection, the called communication node determines that it has media capabilities that overlap with the calling communication node. Regardless of the content of the media capability information, in order to ensure that the calling and called communication nodes can communicate normally, the calling and called communication nodes must use the overlapping media capabilities for communication.

所述主、被叫通信节点可以是通信终端、网关或媒体控制器单元(MCU)等。The calling and called communication nodes may be a communication terminal, a gateway or a media controller unit (MCU) and the like.

所述加密策略可以是目前常用的异或算法、取反算法、MD5算法等。The encryption strategy may be an XOR algorithm, an inversion algorithm, an MD5 algorithm, etc. commonly used at present.

图1所示流程可以由会话发起协议(SIP)、H323协议等通信协议实现,步骤109中的加密通信通常是针对RFC 2833协议数据包加密。当图1所示流程由SIP实现时,可以不进行步骤107,并且将步骤106中的关键操作拆分到步骤101、步骤104中分别进行。具体拆分方式为:将步骤106中主叫通信节点向被叫通信节点发送通信加密能力协商请求的操作放到步骤101中进行;将步骤106中被叫通信节点向主叫通信节点发送通信加密能力协商响应的操作放到步骤104中进行。再有,当图1所示流程由SIP实现时,不执行步骤105。Flow process shown in Fig. 1 can be realized by communication protocols such as Session Initiation Protocol (SIP), H323 agreement, and the encrypted communication in the step 109 is usually for RFC 2833 protocol packet encryption. When the process shown in FIG. 1 is implemented by SIP, step 107 may not be performed, and the key operations in step 106 are divided into steps 101 and 104 to be performed respectively. The specific splitting method is: put the operation of the calling communication node sending the communication encryption capability negotiation request to the called communication node in step 106 into step 101; The operation of the capability negotiation response is performed in step 104 . Furthermore, when the process shown in FIG. 1 is implemented by SIP, step 105 is not executed.

由以上所述可以看出,本发明所提供的实现加密通信的方法,提高了通信安全性和用户满意度。It can be seen from the above description that the method for implementing encrypted communication provided by the present invention improves communication security and user satisfaction.

Claims (10)

1.一种实现加密通信的方法,其特征在于,该方法用于针对RFC 2833协议数据包进行加密,包括以下步骤:1. A method for realizing encrypted communication is characterized in that, the method is used for encrypting at RFC 2833 protocol packets, comprising the following steps: a.两个通信节点通信时,第一通信节点将自身的媒体能力信息和通信加密能力信息发送给第二通信节点;a. When two communication nodes communicate, the first communication node sends its own media capability information and communication encryption capability information to the second communication node; b.第二通信节点根据来自第一通信节点的媒体能力信息和通信加密能力信息,判断自身是否具有通信加密能力以及与第一通信节点存在交集的媒体能力,如果具有,第一、第二通信节点确定相同的数据加密密钥,并应用存在交集的所述媒体能力和确定的数据加密密钥进行加密通信;b. According to the media capability information and communication encryption capability information from the first communication node, the second communication node judges whether it has the communication encryption capability and the media capability that overlaps with the first communication node. If so, the first and second communications The node determines the same data encryption key, and uses the intersecting media capabilities and the determined data encryption key to perform encrypted communication; 其中,所述判断方法包括:Wherein, the judgment method includes: 第二通信节点获取自身具有的媒体能力,并比较获取的媒体能力与来自第一通信节点的媒体能力信息所对应的媒体能力是否存在交集,如果存在交集,第二通信节点确定自身具有与第一通信节点存在交集的媒体能力;The second communication node acquires the media capability it has, and compares whether there is an intersection between the acquired media capability and the media capability corresponding to the media capability information from the first communication node, and if there is an intersection, the second communication node determines that it has the same media capability as the first communication node. Communication nodes have overlapping media capabilities; 第二通信节点查询自身通信配置参数中有关通信加密能力的通信配置参数,如果查询到的通信配置参数支持通信加密,第二通信节点确定自身具有通信加密能力。The second communication node inquires communication configuration parameters related to communication encryption capability among its own communication configuration parameters, and if the queried communication configuration parameters support communication encryption, the second communication node determines that it has communication encryption capability. 2.如权利要求1所述的方法,其特征在于,所述媒体能力信息是通信协议名称,则所述第二通信节点确定自身是否具有与第一通信节点存在交集的媒体能力的方法是:2. The method according to claim 1, wherein the media capability information is a communication protocol name, and then the method for the second communication node to determine whether itself has a media capability that overlaps with the first communication node is: 第二通信节点获取自身支持的通信协议,并比较获取的通信协议的名称与来自第一通信节点的通信协议名称是否存在交集,如果存在交集,第二通信节点确定自身具有与第一通信节点存在交集的媒体能力。The second communication node obtains the communication protocol supported by itself, and compares whether there is an intersection between the name of the obtained communication protocol and the communication protocol name from the first communication node, and if there is an intersection, the second communication node determines that it has an intersection with the first communication node Intersecting media capabilities. 3.如权利要求1或2所述的方法,其特征在于,所述有关通信加密能力的通信配置参数是加密使能,则步骤b中,第二通信节点判断自身是否具有通信加密能力的方法是:3. The method according to claim 1 or 2, wherein the communication configuration parameter related to communication encryption capability is encryption enablement, then in step b, the second communication node judges whether it has communication encryption capability yes: 第二通信节点查询自身通信配置参数中的加密使能,如果查询到的加密使能设置于使能状态,第二通信节点确定自身具有通信加密能力。The second communication node queries the encryption enablement in its own communication configuration parameters, and if the queried encryption enablement is set to an enabled state, the second communication node determines that it has communication encryption capability. 4.如权利要求1或2所述的方法,其特征在于,所述通信加密能力信息是第一通信节点生成的随机数或预先设置的公共密钥,则步骤b中,所述第一、第二通信节点确定数据加密密钥的方法包括:4. The method according to claim 1 or 2, wherein the communication encryption capability information is a random number generated by the first communication node or a preset public key, then in step b, the first, The method for the second communication node to determine the data encryption key includes: 第二通信节点应用预先设置的加密策略对来自第一通信节点的随机数或公共密钥加密,并将加密结果作为后续与第一通信节点通信的数据加密密钥;第一通信节点应用预先设置的加密策略对自身生成的随机数或发送给第二通信节点的公共密钥加密,并将加密结果作为后续与第二通信节点通信的数据加密密钥。The second communication node applies a preset encryption policy to encrypt the random number or public key from the first communication node, and uses the encryption result as a data encryption key for subsequent communication with the first communication node; the first communication node applies a preset The encryption strategy encrypts the random number generated by itself or the public key sent to the second communication node, and uses the encryption result as the data encryption key for subsequent communication with the second communication node. 5.如权利要求1或2所述的方法,其特征在于,所述通信加密能力信息是第一通信节点应用预先设置的加密策略和预先设置的公共密钥对其生成的随机数加密后所得的加密结果,则步骤b中,所述第一、第二通信节点确定数据加密密钥的方法包括:5. The method according to claim 1 or 2, wherein the communication encryption capability information is obtained by encrypting the random number generated by the first communication node by applying a preset encryption policy and a preset public key encryption result, then in step b, the method for determining the data encryption key by the first and second communication nodes includes: 第二通信节点应用预先设置的加密策略和公共密钥对来自第一通信节点的通信加密能力信息进行解密,并将解密结果作为后续与第一通信节点通信的数据加密密钥;第一通信节点将所述生成的随机数作为后续与第二通信节点通信的数据加密密钥。The second communication node applies a preset encryption policy and public key to decrypt the communication encryption capability information from the first communication node, and uses the decryption result as a data encryption key for subsequent communications with the first communication node; the first communication node The generated random number is used as a data encryption key for subsequent communication with the second communication node. 6.如权利要求1或2所述的方法,其特征在于,所述通信加密能力信息是第一通信节点生成的随机数或预先设置的公共密钥,则步骤b中,所述第一、第二通信节点确定数据加密密钥的方法包括:6. The method according to claim 1 or 2, wherein the communication encryption capability information is a random number generated by the first communication node or a preset public key, then in step b, the first, The method for the second communication node to determine the data encryption key includes: 第二通信节点直接将来自第一通信节点的随机数或公共密钥作为后续与第一通信节点通信的数据加密密钥;第一通信节点直接将自身生成的随机数或发送给第二通信节点的公共密钥作为后续与第二通信节点通信的数据加密密钥。The second communication node directly uses the random number or public key from the first communication node as the data encryption key for subsequent communication with the first communication node; the first communication node directly sends the random number or public key generated by itself to the second communication node The public key is used as a data encryption key for subsequent communication with the second communication node. 7.如权利要求1或2所述的方法,其特征在于,步骤b中,所述进行加密通信包括:7. The method according to claim 1 or 2, wherein in step b, said performing encrypted communication comprises: 第一/第二通信节点应用所述数据加密密钥和预先设置的加密策略对发送给第二/第一通信节点的数据进行加密,并将加密后的加密数据发送给第二/第一通信节点;第二/第一通信节点应用所述数据加密密钥和所述加密策咯对来自第一/第二通信节点的加密数据进行解密。The first/second communication node encrypts the data sent to the second/first communication node by applying the data encryption key and the preset encryption policy, and sends the encrypted encrypted data to the second/first communication node a node; a second/first communication node to decrypt encrypted data from the first/second communication node by applying said data encryption key and said encryption policy. 8.如权利要求1所述的方法,其特征在于,在步骤b前或步骤b中,进一步在第一通信节点与第二通信节点之间建立用于通信的媒体通道。8. The method according to claim 1, characterized in that, before step b or in step b, a media channel for communication is further established between the first communication node and the second communication node. 9.如权利要求1所述的方法,其特征在于,所述第一通信节点、第二通信节点是通信终端、网关或媒体控制器单元MCU。9. The method according to claim 1, wherein the first communication node and the second communication node are a communication terminal, a gateway or a media controller unit (MCU). 10.如权利要求1所述的方法,其特征在于,第一通信节点与第二通信节点应用会话发起协议SIP或H323协议交互。10. The method according to claim 1, wherein the first communication node interacts with the second communication node using the Session Initiation Protocol (SIP) or the H323 protocol.
CN200510117145A 2005-11-01 2005-11-01 A method for realizing encrypted communication Expired - Fee Related CN1881869B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN200510117145A CN1881869B (en) 2005-11-01 2005-11-01 A method for realizing encrypted communication
PCT/CN2006/002932 WO2007051415A1 (en) 2005-11-01 2006-11-01 Mobile communication system, and information transmitting method and device wherein

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN200510117145A CN1881869B (en) 2005-11-01 2005-11-01 A method for realizing encrypted communication

Publications (2)

Publication Number Publication Date
CN1881869A CN1881869A (en) 2006-12-20
CN1881869B true CN1881869B (en) 2010-05-05

Family

ID=37519863

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200510117145A Expired - Fee Related CN1881869B (en) 2005-11-01 2005-11-01 A method for realizing encrypted communication

Country Status (1)

Country Link
CN (1) CN1881869B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9084231B2 (en) 2008-03-13 2015-07-14 Qualcomm Incorporated Methods and apparatus for acquiring and using multiple connection identifiers
CN102694753A (en) * 2011-03-25 2012-09-26 国基电子(上海)有限公司 Gateway device, system and method for encrypted data transmission
CN104038930B (en) * 2013-03-04 2017-10-10 北京信威通信技术股份有限公司 A kind of method of Duan Dao centers IP packets encryption
CN104284328A (en) * 2013-07-09 2015-01-14 北京鼎普科技股份有限公司 Method and device for encrypting mobile phone communication content
CN105871790B (en) * 2015-01-23 2019-02-01 华为技术有限公司 Method, apparatus and system for transmitting data
CN108833943B (en) * 2018-04-24 2020-12-08 苏州科达科技股份有限公司 Code stream encryption negotiation method and device and conference terminal
CN110557593A (en) * 2018-06-01 2019-12-10 中兴通讯股份有限公司 A media transmission method and H323-SIP gateway

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6064741A (en) * 1995-04-13 2000-05-16 Siemens Aktiengesellschaft Method for the computer-aided exchange of cryptographic keys between a user computer unit U and a network computer unit N
CN1360780A (en) * 1999-07-12 2002-07-24 艾利森电话股份有限公司 Method and system for exchanging information between multimedia network nodes
US6470085B1 (en) * 1996-10-29 2002-10-22 Matsushita Electric Industrial Co., Ltd. Application package and system for permitting a user to use distributed application package on the term of the use thereof
CN1479489A (en) * 2002-08-29 2004-03-03 ����ͨѶ�ɷ����޹�˾ A method of transmitting broadband multimedia data over ISDN
CN1564509A (en) * 2004-03-23 2005-01-12 中兴通讯股份有限公司 Key consaltation method in radio LAN

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6064741A (en) * 1995-04-13 2000-05-16 Siemens Aktiengesellschaft Method for the computer-aided exchange of cryptographic keys between a user computer unit U and a network computer unit N
US6470085B1 (en) * 1996-10-29 2002-10-22 Matsushita Electric Industrial Co., Ltd. Application package and system for permitting a user to use distributed application package on the term of the use thereof
CN1360780A (en) * 1999-07-12 2002-07-24 艾利森电话股份有限公司 Method and system for exchanging information between multimedia network nodes
CN1479489A (en) * 2002-08-29 2004-03-03 ����ͨѶ�ɷ����޹�˾ A method of transmitting broadband multimedia data over ISDN
CN1564509A (en) * 2004-03-23 2005-01-12 中兴通讯股份有限公司 Key consaltation method in radio LAN

Also Published As

Publication number Publication date
CN1881869A (en) 2006-12-20

Similar Documents

Publication Publication Date Title
US9537837B2 (en) Method for ensuring media stream security in IP multimedia sub-system
CN102006294B (en) IP multimedia subsystem (IMS) multimedia communication method and system as well as terminal and IMS core network
CN104683304B (en) A kind of processing method of secure traffic, equipment and system
CN1602611A (en) Lawful interception of end-to-end encrypted data traffic
US7813509B2 (en) Key distribution method
WO2011022999A1 (en) Method and system for encrypting video conference data by terminal
US20060168210A1 (en) Facilitating legal interception of ip connections
WO2011041962A1 (en) Method and system for end-to-end session key negotiation which support lawful interception
US20090041006A1 (en) Method and system for providing internet key exchange
CN106658486A (en) Enciphered call making method, enciphered call making device and terminal
CN104683098B (en) A kind of implementation method of secure traffic, equipment and system
CN106713261A (en) VoLTE encrypted call identification method, apparatus and system
CN100571133C (en) Realization method of secure transmission of media stream
CN100544247C (en) Security Capability Negotiation Method
WO2012024905A1 (en) Method, terminal and ggsn for encrypting and decrypting data in mobile communication network
CN1881869B (en) A method for realizing encrypted communication
CN107395552A (en) A kind of data transmission method and device
CN101547269A (en) Calling control method and voice terminal
WO2011131051A1 (en) Method and device for security communication negotiation
CN100334829C (en) Method for implementing information transmission
CN1983921A (en) Method and system for realizing end to end media fluid safety
CN104753869A (en) SIP protocol based session encryption method
WO2007000089A1 (en) A method for transfering content in media gateway control protocol calling
CN100583733C (en) Method and communication system for realizing media stream security
CN101123504A (en) An identification method for a communication terminal and a response source

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20100505

CF01 Termination of patent right due to non-payment of annual fee