TWI906082B - System and method for voip communication - Google Patents
System and method for voip communication
- Publication number
- TWI906082B
- Authority
- TW
- Taiwan
- Prior art keywords
- time password
- voip communication
- call
- username
- sip
- Prior art date
Landscapes
- Telephonic Communication Services (AREA)
Abstract
Description
The present invention relates to a Voice over Internet Protocol (VoIP) communication system and method. Inter-enterprise communication information is stored on a blockchain; a public/private-key encryption and decryption mechanism confirms the identity of each enterprise and protects delivery of the one-time password used for Session Initiation Protocol (SIP) communication; and a time-limited username is delivered through a channel such as inter-enterprise e-mail, so that SIP VoIP calls are placed with dynamic account credentials, substantially increasing the security of VoIP calls.
With the widespread adoption of Internet Protocol (IP) networks, VoIP has become one of the channels through which enterprises communicate. The open nature of the Internet, however, exposes VoIP to risks such as unauthorized calls and impersonated calls, and conventional measures such as changing the SIP port, account/password authentication, IP address restrictions and certificate verification are no longer sufficient to defend against malicious actors.
Various techniques for improving VoIP security already exist, but they remain imperfect. Some, for example, do not account for the risk that an attacker can imitate and forge SIP packets, and therefore cannot securely verify the identity of the called party, leaving the integrity of authentication clearly lacking. Others merely add a signature-based check of the peer's identity to the SIP signalling flow without hardening the SIP authentication procedure itself, so that once the signature check is defeated, impersonated communication becomes possible.
It is evident that the conventional approaches above still have many deficiencies, are not sound designs, and urgently require improvement.
With the trend toward VoIP, exposing inter-enterprise communication to the public network creates a need for secure communication. Although enterprises today deploy firewalls to monitor network traffic and block unauthorized access and attacks, security incidents involving unauthorized and impersonated calls continue to occur. Authentication at the SIP signalling layer therefore needs to be strengthened further to eliminate illegitimate and malicious VoIP calls.
The object of the present invention is therefore a VoIP communication system and method that uses blockchain distributed storage to achieve decentralized information sharing, combined with public/private-key encryption and decryption to confirm the peer's identity and obtain a one-time password for SIP call authentication, together with a time-limited username. The existing SIP call-authentication mechanism can thereby be used as-is for VoIP communication, ensuring that no impersonated calls occur between enterprises.
In one embodiment, the time-limited username is delivered over the e-mail already used between the enterprises, which allows the existing SIP call-authentication mechanism to be used for VoIP communication.
To achieve the above objects, the VoIP communication system and method strengthen mutual identity confirmation and authorization between enterprise endpoints: identity is verified with each enterprise's public/private key pair, a one-time password is required, and a time-limited username is added (two-factor authentication), so that only authorized enterprise users can gain access and unauthorized access is prevented.
In one embodiment, the time-limited username is additionally delivered by e-mail, to ensure that only authorized enterprise users can gain access.
According to a first aspect, the present invention provides a VoIP communication system for SIP-based VoIP communication, located at the calling end of the VoIP communication. The system comprises a one-time password processing unit, a transceiver unit, and a call and authentication unit. The one-time password processing unit sends a one-time password request to the called end of the VoIP communication and receives the response to that request from the called end; the one-time password request is encrypted with the called end's public key, and the response, which comprises a call identifier and a one-time password, is encrypted with the calling end's public key. The transceiver unit receives a username. The call and authentication unit places an outbound SIP call to the called end and supplies the call identifier, the one-time password and the username for authentication of that SIP call.
In one embodiment, the transceiver unit is an e-mail transceiver unit that receives an e-mail from a mail server and obtains the username from that e-mail.
The present invention further provides a VoIP communication method for SIP-based VoIP communication, performed by the calling end of the VoIP communication. The method comprises: sending a one-time password request to the called end, the request being encrypted with the called end's public key; receiving the response to the request from the called end, the response comprising a call identifier and a one-time password and being encrypted with the calling end's public key; receiving a username; placing an outbound SIP call to the called end; and supplying the call identifier, the one-time password and the username for authentication of that SIP call.
In one embodiment, an e-mail is received from a mail server and the username is obtained from that e-mail.
The above system further comprises a blockchain storage unit for storing the dialing prefix, Internet Protocol address, domain and public key of both the calling end and the called end on a blockchain.
In one embodiment, the dialing prefix, Internet Protocol address, domain, e-mail address and public key of both the calling end and the called end are stored on the blockchain.
The above system further comprises a blockchain access unit for querying the blockchain storage unit to obtain the called end's public key from the blockchain. The one-time password processing unit encrypts the one-time password request with the called end's public key before sending it, and decrypts the response with the calling end's private key after receiving it.
In the above system and method, the username is sent from the called end to the calling end by e-mail, protected with e-mail encryption technology.
In the above system and method, the username has a validity period, and the username can pass authentication of the SIP call only within that validity period.
In the above system and method, the called end sends the username to the calling end in advance, before the validity period begins.
In one embodiment, an e-mail containing the username is sent to the calling end.
According to a second aspect, the present invention provides a VoIP communication system for SIP-based VoIP communication, located at the called end of the VoIP communication. The system comprises a one-time password processing unit, a transceiver unit, and a call and authentication unit. The one-time password processing unit receives a one-time password request from the calling end of the VoIP communication, generates a one-time password corresponding to the call identifier contained in that request, and sends the response to the request to the calling end; the response comprises the call identifier and the one-time password and is encrypted with the calling end's public key. The transceiver unit sends a username to the calling end. The call and authentication unit waits for the SIP call initiated by the calling end and then authenticates that SIP call on the basis of the call identifier, the one-time password and the username.
In one embodiment, the transceiver unit is an e-mail transceiver unit that sends an e-mail containing the username to the calling end through a mail server.
The present invention further provides a VoIP communication method for SIP-based VoIP communication, performed by the called end of the VoIP communication. The method comprises: receiving a one-time password request from the calling end; generating a one-time password corresponding to the call identifier contained in the request; sending the response to the request to the calling end, the response comprising the call identifier and the one-time password and being encrypted with the calling end's public key; sending a username to the calling end; waiting for the SIP call initiated by the calling end; and authenticating that SIP call on the basis of the call identifier, the one-time password and the username.
In one embodiment, an e-mail containing the username is sent to the calling end through a mail server.
The above system further comprises a blockchain storage unit and a blockchain access unit. The blockchain storage unit stores the dialing prefix, Internet Protocol address, domain and public key of both the calling end and the called end on a blockchain.
In one embodiment, the dialing prefix, Internet Protocol address, domain, e-mail address and public key of both the calling end and the called end are stored on the blockchain.
The blockchain access unit queries the blockchain storage unit to obtain the calling end's public key from the blockchain. After receiving the one-time password request, the one-time password processing unit decrypts it with the called end's private key, and before sending the response it encrypts the response with the calling end's public key.
The present invention stores the information needed for inter-enterprise calling on a blockchain network, which removes the need to manage and operate a centralized database. In this technical solution each enterprise keeps its own private key and accesses the blockchain to obtain the public keys of other enterprises; public-key encryption with private-key decryption, together with the call identifier, the one-time password and the time-limited username, strengthens SIP authentication and effectively prevents unauthorized and impersonated calls.
In one embodiment, a time-limited username delivered by e-mail is further used to strengthen SIP authentication.
110: cross-enterprise authenticated VoIP communication module
111: one-time password processing unit
112: blockchain access unit
113: call and authentication unit
114: transceiver unit
115: blockchain storage unit
116: mail server
117: external enterprise
201~209, 301~311: steps
Figure 1 is an architecture diagram of a VoIP communication system according to the present invention.
Figure 2 is a flowchart of a VoIP communication method according to the present invention, at the enterprise calling end.
Figure 3 is a flowchart of a VoIP communication method according to the present invention, at the enterprise called end.
To make the objects, technical solution and advantages of the present invention clearer, the invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and do not limit it.
Figure 1 is an architecture diagram of a VoIP communication system according to the present invention. The system comprises a cross-enterprise authenticated VoIP communication module 110, a blockchain storage unit 115 and a mail server 116.
In one embodiment, the cross-enterprise authenticated VoIP communication module 110, the blockchain storage unit 115 and the external enterprise 117 are communicatively connected to one another, while the mail server 116 is communicatively connected to both the cross-enterprise authenticated VoIP communication module 110 and the external enterprise 117.
In one embodiment, the cross-enterprise authenticated VoIP communication module 110 and the external enterprise 117 read and write information such as dialing prefixes, IP addresses/domains, enterprise e-mail addresses and the public keys used for encrypting messages through the blockchain storage unit 115.
The cross-enterprise authenticated VoIP communication module 110 comprises four units: a one-time password processing unit 111, a blockchain access unit 112, a call and authentication unit 113, and a transceiver unit 114.
In one embodiment, the transceiver unit 114 is an e-mail transceiver unit.
Each module and unit 111~115 shown in Figure 1 may be software, hardware or firmware. As hardware, it may be a processing unit, processor, computer or server with data-processing and computing capability; as software or firmware, it may consist of instructions executable by such a processing unit, processor, computer or server, installed on a single hardware device or distributed across several hardware devices.
The one-time password processing unit 111 is used, when handling an outbound call, to send the called end a request for the one-time password needed for this SIP call (encrypted with the called end's public key); when handling a received one-time password request, it processes the request (decrypting it with the enterprise's own private key) and returns the SIP call identifier (Call-ID) together with the one-time password (encrypted with the calling end's public key) to the calling end.
The blockchain access unit 112 accesses the blockchain storage unit 115 on the external network to obtain the called-end enterprise's dialing prefix, IP address/domain, enterprise e-mail address, public key for encrypting messages and related information, and to upload the same information for its own enterprise (the calling end) to the blockchain storage unit 115. The blockchain storage unit 115 uses blockchain distributed storage to keep this information for both the called-end enterprise and the calling-end enterprise on the blockchain.
In addition, the blockchain storage unit 115 may also store on the blockchain certain information about each enterprise's VoIP capabilities, for example whether video communication is supported, whether low-bandwidth voice calls are supported, and whether particular audio or video codecs are supported. This information can affect the audio/video parameters or quality of a SIP call.
The call and authentication unit 113 initiates a SIP call to the called-end enterprise using the call identifier (Call-ID) and one-time password supplied by the one-time password processing unit 111 and the username supplied by the transceiver unit 114, and authenticates received SIP messages using the call identifier and one-time password supplied by the one-time password processing unit 111 and the username supplied by the transceiver unit 114.
The transceiver unit 114 (for example an e-mail transceiver unit) receives the e-mail sent by the called-end enterprise (whose content includes a validity period and the username required for the called-end enterprise's SIP authentication), and obtains the e-mail address of the external enterprise 117 from the blockchain access unit 112 in order to send an e-mail (whose content includes a validity period and the username required for this enterprise's SIP authentication) to any external enterprise 117 that wishes to call this enterprise. Both receiving and sending of e-mail go through the mail server 116.
Figure 2 is a flowchart of a VoIP communication method according to the present invention in which the enterprise end is the party that initiates the call, i.e. the calling end. The method may be performed by the cross-enterprise authenticated VoIP communication module 110.
In step 201, the call and authentication unit 113 initiates a SIP call.
In step 202, the blockchain access unit 112 queries the blockchain storage unit 115 to obtain the called end's public key.
In step 203, the one-time password processing unit 111 sends the one-time password request for this call; the request contains the call identifier and is encrypted with the called end's public key.
In step 204, the one-time password processing unit 111 receives the called end's response to the one-time password request; the response contains the call identifier and the one-time password, and is decrypted with the calling end's private key.
In step 205, the one-time password processing unit 111 determines whether a one-time password corresponding to the call identifier has been obtained. If not, the call and authentication unit 113 performs step 209 to terminate the call; if the one-time password was obtained, the transceiver unit 114 (for example an e-mail transceiver unit) performs step 206 to look up the e-mail sent by the called end.
In step 207, the transceiver unit 114 (for example an e-mail transceiver unit) obtains from that e-mail the username permitted for the current validity period. If the username is obtained, the process proceeds to step 208; if it cannot be obtained, the call and authentication unit 113 performs step 209 to terminate the call.
The e-mail above is sent by the called end to the calling end, and its content lists the different usernames to be used in different time periods. For example, the called end may send one e-mail every hour, listing for each 5-minute interval of that hour the username to be used for the SIP call. Each username thus has a validity period of 5 minutes, and each username can pass authentication of the SIP call only within its own validity period. Further, the called end may apply e-mail encryption technology when sending the e-mail, to raise the effort required to compromise it.
When the validity period of the current username ends, that username becomes invalid and the validity period of the next username begins. Following the validity-period plan above, the called end may send the e-mail containing a given username some time before that username's validity period starts (for example 10 minutes in advance), so that e-mail delays do not interfere with SIP authentication.
Besides sending the username required for SIP authentication by e-mail, another embodiment may deliver the username in another form, such as SMS. Likewise, besides relaying the username through an intermediary such as a mail server, another embodiment may deliver it directly between the calling end and the called end without an intermediary server.
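The hourly username schedule just described, worked through as an added example written for this page (not code from the patent). It assumes the parameters given in the text (one e-mail per hour, one username per 5-minute window, e-mail sent 10 minutes before the hour) and, because the patent does not specify how usernames are generated, draws them at random. The type and function names (Schedule, BuildSchedule, CurrentUsername, Accept) are this example's own.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Parameters from the description's example: one e-mail per hour, one
// username per 5-minute window, e-mail sent 10 minutes before the hour.
const (
	windowLen = 5 * time.Minute
	hourLen   = time.Hour
	sendAhead = 10 * time.Minute
)

// UsernameSlot is one entry of the hourly e-mail: a username and the
// validity period during which it passes SIP authentication.
type UsernameSlot struct {
	Username string
	Start    time.Time // inclusive
	End      time.Time // exclusive
}

// Schedule is the content of one hourly e-mail from the called end.
type Schedule struct {
	HourStart time.Time
	Slots     []UsernameSlot
}

// newUsername draws a random username. The patent does not say how
// usernames are generated; a random value is this example's assumption.
func newUsername() (string, error) {
	b := make([]byte, 8)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return "u" + hex.EncodeToString(b), nil
}

// BuildSchedule produces the hourly list of usernames the called end
// sends to the calling end: hourLen/windowLen consecutive windows.
func BuildSchedule(t time.Time) (*Schedule, error) {
	hourStart := t.Truncate(hourLen)
	n := int(hourLen / windowLen)
	s := &Schedule{HourStart: hourStart, Slots: make([]UsernameSlot, 0, n)}
	for i := 0; i < n; i++ {
		u, err := newUsername()
		if err != nil {
			return nil, err
		}
		start := hourStart.Add(time.Duration(i) * windowLen)
		s.Slots = append(s.Slots, UsernameSlot{Username: u, Start: start, End: start.Add(windowLen)})
	}
	return s, nil
}

// SendTime is when the called end should e-mail the schedule so that it
// arrives before its first window opens, tolerating mail delay.
func (s *Schedule) SendTime() time.Time { return s.HourStart.Add(-sendAhead) }

// CurrentUsername returns the username the calling end must present at
// time now (step 207), or an error if no window of this schedule covers now.
func (s *Schedule) CurrentUsername(now time.Time) (string, error) {
	for _, slot := range s.Slots {
		if !now.Before(slot.Start) && now.Before(slot.End) {
			return slot.Username, nil
		}
	}
	return "", errors.New("no valid username for this time; terminate the call (step 209)")
}

// Accept is the called end's check in step 309: the presented username
// must be the one assigned to the window containing now, nothing else.
func (s *Schedule) Accept(username string, now time.Time) bool {
	u, err := s.CurrentUsername(now)
	return err == nil && u == username
}

func main() {
	hour := time.Date(2025, 1, 1, 9, 0, 0, 0, time.UTC) // constructed timestamp
	sched, err := BuildSchedule(hour)
	if err != nil {
		panic(err)
	}
	fmt.Println("send e-mail at", sched.SendTime().Format(time.RFC3339))
	now := hour.Add(7 * time.Minute)
	u, _ := sched.CurrentUsername(now)
	fmt.Println("username at", now.Format("15:04"), "is", u)
	fmt.Println("accepted 6 minutes later:", sched.Accept(u, now.Add(6*time.Minute)))
}
```

The half-open windows matter: a username presented exactly at the end of its 5-minute period is already the previous username and is rejected, which is what makes a captured username useless once its window has passed.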
In step 208, the call and authentication unit 113 places the outbound SIP call to the called end, using the call identifier, username and one-time password obtained in the preceding steps as the authentication parameters for SIP authentication; this authentication follows the standard SIP authentication procedure.
Figure 3 is a flowchart of a VoIP communication method according to the present invention in which the enterprise end is the called end.
In step 301, the call and authentication unit 113 receives a SIP call.
In step 302, the one-time password processing unit 111 receives a one-time password request whose content includes the call identifier that the SIP call will use.
In step 303, the one-time password processing unit 111 decrypts the one-time password request with the enterprise's private key. If decryption fails, the call and authentication unit 113 performs step 311 to terminate the call; if it succeeds, the one-time password processing unit 111 performs step 304 to generate the one-time password corresponding to this call identifier.
In step 305, the blockchain access unit 112 queries the blockchain storage unit 115 to obtain the calling end's public key.
In step 306, the one-time password processing unit 111 sends a response containing the call identifier and the one-time password in reply to the one-time password request; the response is encrypted with the calling end's public key.
In step 307, the transceiver unit 114 (for example an e-mail transceiver unit) checks the e-mail sent to the calling end to obtain the calling end's username permitted for the current validity period.
In step 308, the call and authentication unit 113 waits for the incoming SIP call.
In step 309, the call and authentication unit 113 performs SIP authentication using the call identifier, username and one-time password from the preceding steps. If authentication fails, the call and authentication unit 113 performs step 311 to terminate the call; if it succeeds, the call and authentication unit 113 performs step 310 to accept the SIP call.
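The one-time password negotiation (steps 203 to 206 on the calling end, 302 to 306 on the called end) and its use in the standard SIP authentication of steps 208 and 309, as an added example written for this page rather than taken from the patent. It assumes RSA-OAEP for the "encrypted with the public key" steps, a JSON message body, an OTP of 16 random bytes, and the RFC 2617 MD5 Digest computation without qop as the "standard SIP authentication procedure"; the blockchain lookup of the peer's public key (steps 202 and 305) is represented by passing that key directly. Names such as Enterprise, MakeOTPRequest, HandleOTPRequest, ReadOTPResponse, Digest and VerifyInvite are this example's own.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// Enterprise is one party's key pair; the public key is what it would publish on the blockchain.
type Enterprise struct {
	Key  *rsa.PrivateKey
	otps map[string]string // called end only: Call-ID -> issued one-time password
}

func NewEnterprise() (*Enterprise, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	return &Enterprise{Key: k, otps: map[string]string{}}, err
}

// OTPMessage is the body of the request (step 203, OTP empty) and of the response (step 306).
type OTPMessage struct {
	CallID string `json:"call_id"`
	OTP    string `json:"otp,omitempty"`
}

// seal encrypts a JSON message to the recipient's public key (RSA-OAEP is this example's assumption).
func seal(pub *rsa.PublicKey, m OTPMessage) ([]byte, error) {
	plain, err := json.Marshal(m)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, nil)
}

// unseal decrypts with the recipient's private key; failure ends the call (step 303).
func unseal(priv *rsa.PrivateKey, ct []byte) (OTPMessage, error) {
	var m OTPMessage
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
	if err != nil {
		return m, err
	}
	return m, json.Unmarshal(plain, &m)
}

// MakeOTPRequest (calling end, step 203) asks for an OTP bound to this Call-ID.
func (c *Enterprise) MakeOTPRequest(calleePub *rsa.PublicKey, callID string) ([]byte, error) {
	return seal(calleePub, OTPMessage{CallID: callID})
}

// HandleOTPRequest (called end, steps 302-306) decrypts the request, mints an OTP
// for its Call-ID, remembers it, and replies encrypted to the calling end's key.
func (e *Enterprise) HandleOTPRequest(callerPub *rsa.PublicKey, ct []byte) ([]byte, error) {
	req, err := unseal(e.Key, ct)
	if err != nil {
		return nil, err
	}
	raw := make([]byte, 16) // 16 random bytes as the OTP: an assumption, the patent fixes no format
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	e.otps[req.CallID] = hex.EncodeToString(raw)
	return seal(callerPub, OTPMessage{CallID: req.CallID, OTP: e.otps[req.CallID]})
}

// ReadOTPResponse (calling end, steps 204-205) decrypts the reply and checks it is for our Call-ID.
func (c *Enterprise) ReadOTPResponse(ct []byte, callID string) (string, error) {
	resp, err := unseal(c.Key, ct)
	if err != nil {
		return "", err
	}
	if resp.CallID != callID || resp.OTP == "" {
		return "", errors.New("OTP response missing or for a different Call-ID; terminate call (step 209)")
	}
	return resp.OTP, nil
}

// Digest is the RFC 2617 response used by SIP Digest authentication (no qop): MD5(HA1:nonce:HA2),
// HA1 = MD5(user:realm:pass), HA2 = MD5(method:uri). In step 208 the OTP is the password.
func Digest(user, realm, pass, method, uri, nonce string) string {
	h := func(s string) string { sum := md5.Sum([]byte(s)); return hex.EncodeToString(sum[:]) }
	return h(h(user+":"+realm+":"+pass) + ":" + nonce + ":" + h(method+":"+uri))
}

// VerifyInvite (called end, step 309) recomputes the digest from the OTP issued for this Call-ID and
// the username e-mailed for the current window; the OTP is consumed so a replayed INVITE fails.
func (e *Enterprise) VerifyInvite(callID, username, expectedUser, realm, uri, nonce, response string) bool {
	otp, ok := e.otps[callID]
	if !ok || username != expectedUser {
		return false
	}
	delete(e.otps, callID)
	return Digest(username, realm, otp, "INVITE", uri, nonce) == response
}
```

The Call-ID check in ReadOTPResponse and the delete in VerifyInvite are what make the password genuinely one-time and bound to a single call: a response captured and reused for another Call-ID, or a second INVITE reusing the same Call-ID, is rejected before the username window is even consulted.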
Compared with other conventional techniques, the VoIP communication system and method provided by the present invention have the following advantages:
First, the VoIP communication system and method of the present invention use the properties of a blockchain network to let each enterprise store, in a decentralized manner, the information required for VoIP communication, such as the dialing prefix, IP/domain, enterprise e-mail address and the public key for encrypting messages. This removes the need to build and operate a centralized database and makes it easier for further enterprises to join the VoIP communication.
Second, through the public/private-key encryption and decryption mechanism, the one-time password requests exchanged between enterprises are securely protected, and the messages addressed to an enterprise can be received only by the enterprise that actually holds the private key.
Third, using the e-mail address recorded on the blockchain, an e-mail is sent to the enterprise with which communication is intended; its content includes a validity period and the username required for SIP authentication at the enterprise end. Using different SIP authentication usernames in different time periods effectively reduces the risk of the account being compromised.
Fourth, the invention builds on the existing SIP authentication mechanism, adding the negotiation of a one-time password and a SIP authentication username that changes by time period. This constitutes a two-factor authentication mechanism combining public/private keys with e-mail, which effectively increases the difficulty of compromising VoIP communication.
The detailed description above is a specific explanation of one feasible embodiment of the present invention; that embodiment does not limit the patent scope of the invention, and all equivalent implementations or modifications that do not depart from the technical spirit of the invention fall within the scope of this application.
In summary, the present application is genuinely innovative in its technical concept and provides the several effects described above that conventional methods cannot achieve; it fully satisfies the statutory requirements of novelty and inventive step for an invention patent. The application is therefore filed in accordance with the law, and the Office is respectfully requested to grant this invention patent application in order to encourage invention.
Claims (9)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| TW113148749A TWI906082B (en) | 2024-12-13 | 2024-12-13 | System and method for voip communication |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| TW113148749A TWI906082B (en) | 2024-12-13 | 2024-12-13 | System and method for voip communication |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| TWI906082B true TWI906082B (en) | 2025-11-21 |
Family
ID=98603806
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| TW113148749A TWI906082B (en) | 2024-12-13 | 2024-12-13 | System and method for voip communication |
Country Status (1)
| Country | Link |
|---|---|
| TW (1) | TWI906082B (en) |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102215238A (en) * | 2011-07-27 | 2011-10-12 | 中国电信股份有限公司 | Service processing method and system fused with video conference and user terminal |
| CN111770048A (en) * | 2020-05-08 | 2020-10-13 | 厦门亿联网络技术股份有限公司 | Method for preventing SIP equipment from being attacked, calling equipment and called equipment |
| WO2024160384A1 (en) * | 2023-02-01 | 2024-08-08 | Telefonaktiebolaget Lm Ericsson (Publ) | Verifying a calling party |
2024
- 2024-12-13 TW TW113148749A patent/TWI906082B/en active
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN102077550B (en) | Limitations of communication in VOIP address discovery system | |
| CN112235235B (en) | SDP authentication protocol implementation method based on cryptographic algorithm | |
| JP4294268B2 (en) | Method and system for incorporating a security mechanism into a session initiation protocol request message for client proxy authentication | |
| JP5651313B2 (en) | SIP signaling that does not require continuous re-authentication | |
| US20060090067A1 (en) | Method and apparatus for performing a secure transaction in a trusted network | |
| US20090025080A1 (en) | System and method for authenticating a client to a server via an ipsec vpn and facilitating a secure migration to ssl vpn remote access | |
| US8402511B2 (en) | LDAPI communication across OS instances | |
| US8923279B2 (en) | Prevention of voice over IP spam | |
| CN101542965A (en) | Authentication delegation based on re-verification of cryptographic evidence | |
| US7813509B2 (en) | Key distribution method | |
| CN102651739A (en) | Login verification method, system and instant messaging (IM) server | |
| WO2006000144A1 (en) | The session initial protocol identification method | |
| JP2007318806A (en) | Protecting data traffic in a mobile network environment | |
| US20080137859A1 (en) | Public key passing | |
| CN102083066B (en) | Unified safety authentication method and system | |
| US12238086B2 (en) | Systems and methods for preventing toll fraud in a SIP environment | |
| US8085937B1 (en) | System and method for securing calls between endpoints | |
| TWI906082B (en) | System and method for voip communication | |
| Zhao et al. | Design of single sign-on | |
| Vesterinen | User authentication in SIP | |
| CN101094063A (en) | Security interaction method for the roam terminals to access soft switching network system | |
| WO2011017851A1 (en) | Method for accessing message storage server securely by client and related devices | |
| ÇAMTEPE | Kerberos Based Security System for Session Initiation Protocol | |
| CN119697155A (en) | A method for implementing software-defined boundaries based on hierarchical scheduling | |
| CN119449459A (en) | A dual authentication security protection method and system based on SIP protocol |