
CN102185827B - Firewall-penetrating method of voice in VOIP (Voice Over Internet Protocol) system - Google Patents


Info

Publication number: CN102185827B
Authority: CN (China)
Prior art keywords: terminal, message, encryption, byte, voice
Legal status: Active
Application number: CN201110032227.0A
Other languages: Chinese (zh)
Other versions: CN102185827A
Inventors: 吴天勇, 张剑华, 李伟明, 李三零, 李艳平
Current assignee: Guangdong Jiami Technology Co., Ltd.
Original assignee: GUANGDONG JIAHE COMMUNICATION TECHNOLOGY Co Ltd
Application filed by GUANGDONG JIAHE COMMUNICATION TECHNOLOGY Co Ltd; priority to CN201110032227.0A; publication of CN102185827A; application granted; publication of CN102185827B.

Landscapes

  • Telephonic Communication Services (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a firewall-penetrating method for voice in a VOIP (Voice Over Internet Protocol) system, belonging to the technical field of network communication technology. The method comprises the following steps: an IP (Internet Protocol) terminal determines through a configuration interface whether an encryption negotiation mechanism is enabled; while the encryption negotiation mechanism is in effect, the IP terminal connects to a VOIP server, obtains an encryption key through the encryption mechanism, and encrypts the signaling packets it sends using the encryption mechanism; and a terminal receiving a message identifies through the encryption negotiation mechanism whether the received message is encrypted, decrypts an encrypted message using the encryption mechanism, and encrypts its own messages with the same mechanism before sending them. With the disclosed method, normal voice communication can be assured while an uncontrollable voice firewall exists in the bearer network.

Description

Method for voice firewall penetration in a VOIP system
Technical field
The present invention relates to a method for voice firewall penetration in a VOIP system and belongs to the technical field of network communication technology; in particular, it addresses the problem of voice communication failing because the bearer network of a VOIP communication system contains an uncontrollable voice firewall.
Background technology:
A main characteristic of VOIP communication technology is the separation of control from bearer (VoIP is the abbreviation of Voice over Internet Protocol: analog sound signals are compressed and packetized, and the speech signal is transmitted over an IP network in the form of data packets; in popular terms it is Internet telephony, the network telephone, or simply IP phone). Therefore, in practical VOIP system deployments, the overwhelming majority use the user's existing network resources as the bearer network of the VOIP system. For VOIP users who need remote VOIP telephone intercommunication, this is often realized over a network rented from another network operator. However, the network application environment of a network operator is generally rather complex; for example, some network operators deploy a firewall at the access point of their network, for the security and stability of the network or for other purposes, to restrict the data flows of applications that consume a large share of network bandwidth or of certain particular network applications. For VOIP applications, a small number of network operators deploy a voice firewall in their network to restrict VOIP data transmission (see Fig. 1).
The common principles of a voice firewall are as follows:
1. By analyzing the SIP signaling session of the VOIP communication process, the firewall obtains the network addresses that both communicating parties will use during the communication, and then discards, tampers with or forges the packets coming from or sent to those addresses, so that the communication cannot proceed normally (as shown in Fig. 2).
2. By analyzing data packets and identifying voice packets by their characteristics, the firewall determines the network addresses of both parties of the voice communication, and then discards, tampers with or forges the packets from those addresses, so that the communication cannot proceed normally (as shown in Fig. 3).
Summary of the invention
Against this prior art, the present invention provides a method for voice firewall penetration in a VOIP system, such that an existing voice firewall cannot determine the network addresses of the terminals participating in voice communication by analyzing the characteristics of VOIP signaling or VOIP voice packets; the voice firewall therefore cannot work normally, which ensures that voice communication proceeds normally.
The method adopted by the present invention to reach this object is:
A method for voice firewall penetration in a VOIP system, in which an IP terminal determines through a configuration interface whether to enable the encryption negotiation mechanism; when this encryption negotiation mechanism is in effect, the IP terminal connects to the VOIP server, obtains the encryption key through the encryption mechanism, and encrypts the signaling packets it sends using this encryption mechanism; the terminal receiving a message identifies through the encryption negotiation mechanism whether the received message is encrypted, and if it is, decrypts the encrypted message using the encryption mechanism and, correspondingly, encrypts the messages it sends with the same encryption mechanism before sending them;
The encryption negotiation mechanism follows these rules:
(a) The terminal initiating a call determines, according to its encryption configuration, whether the call it initiates uses the encryption mechanism; if the terminal is configured for encryption, the call procedure uses the encryption mechanism, otherwise the call procedure does not use the encryption mechanism;
(b) The terminal accepting a call determines, according to the encryption flag of the received call request message, whether the subsequent call procedure needs encryption; if the received call request message carries the encryption flag, the call procedure uses the encryption mechanism, otherwise the call procedure does not use the encryption mechanism;
(c) When the initiating or accepting terminal decides to use the encryption mechanism, the SDP of the SIP signaling it sends carries the encryption attribute flag a=x-encrypt:on; otherwise it carries the encryption attribute a=x-encrypt;
(d) When the initiating or accepting terminal receives SIP signaling whose SDP carries the encryption attribute flag a=x-encrypt:on, the terminal determines that the voice of this call uses the encryption mechanism; otherwise it does not use the encryption mechanism;
The encryption mechanism comprises a signaling encryption/decryption process, a voice encryption/decryption process and a key acquisition mechanism.
The encryption process of the signaling encryption/decryption process is:
Step 1: The terminal uses the key acquisition mechanism to obtain the encryption key. It processes the SIP message to be sent byte by byte, in the order of the message bytes, applying the encryption algorithm Dm = Do XOR De with different encryption keys for bytes at odd positions and bytes at even positions; here Dm is the ciphertext byte, Do is the plaintext byte and De is the key byte;
Step 2: A message header is added to the SIP message processed in step 1, so that the message consists, in byte order, of three parts: encryption flag, ciphertext length and ciphertext;
The encryption flag is two bytes that mark this message as an encrypted message; it is a fixed value, the first byte being hexadecimal EF and the second byte hexadecimal FE;
The ciphertext length is two bytes indicating the length of the ciphertext;
The ciphertext is the SIP message processed by the encryption algorithm;
The decryption process of the signaling encryption/decryption process is:
The terminal uses the key acquisition mechanism to obtain the decryption key. For a received SIP message it determines the ciphertext length from the 3rd and 4th bytes of the header, removes the four header bytes to obtain the complete ciphertext, and processes the ciphertext byte by byte, in the order of the ciphertext bytes, applying the decryption algorithm Do = Dm XOR De with different decryption keys for bytes at odd positions and bytes at even positions; here Do is the plaintext byte, Dm is the ciphertext byte and De is the key byte.
The encryption process of the voice encryption/decryption process is:
The terminal uses a random number generator to generate a random number in the range 0-10 as the padding byte length of the encrypted message;
The terminal uses the random number generator to generate random numbers in the range 0-255 as the padding bytes of the encrypted message, generating all padding bytes in turn according to the padding byte length;
The resulting encrypted message consists of two parts: an encryption header and voice data encapsulated in RTP format;
The encryption header consists of three parts in byte order: encryption flag, padding data length and padding data;
The encryption flag is two bytes with a fixed value, the first byte being hexadecimal EE and the second byte hexadecimal FF;
The padding data length is one byte whose content is a random value, a random natural number in the range 0-10;
The length of the padding data is defined by the padding data length byte; each byte of the padding data is a random value, a random natural number in the range 0-255;
The voice data encapsulated in RTP format is the normal voice message of VOIP communication;
The decryption process of the voice encryption/decryption process is:
For a received encrypted voice message, the terminal determines the length of the random bytes in the header from the 3rd byte of the header, removes the header bytes, obtains the voice data encapsulated in RTP format, and decryption is complete.
The key acquisition mechanism is:
The VOIP key consists of two bytes, each a random natural number in the range 0-255; the first byte is the odd key odd_key, used to encrypt the odd-position bytes of SIP signaling plaintext or to decrypt the odd-position bytes of SIP signaling ciphertext; the second byte is the even key even_key, used to encrypt the even-position bytes of SIP signaling plaintext or to decrypt the even-position bytes of SIP signaling ciphertext;
These two bytes are stored as decimal text in the key configuration file of the VOIP server, and the configuration management software of the VOIP server provides a function to modify this key through its user interface; an IP terminal can obtain these two key bytes from the VOIP configuration management software through the proprietary protocol of the VOIP system.
The content of this key configuration file is the odd key odd_key=170 and the even key even_key=85.
This proprietary protocol consists of a request message and a response message; the request message is generated by an IP terminal that implements the encryption function and sent to the management software of the VOIP server; the response message is generated by the management software of the VOIP server after receiving the request message, contains the key information, and is sent to the requester.
In this proprietary protocol, the request message sent by the IP terminal to the VOIP configuration management software is getkey\r\n; the response message sent by the VOIP configuration management software to the IP terminal is ok odd_key=170, even_key=85\r\n.
The steps by which the terminal initiating a call implements the encryption mechanism are:
(1) The user configures the terminal to encrypted communication mode through the configuration interface of the IP terminal;
(2) The user enters the called terminal number on the terminal and initiates the call;
(3) The IP terminal judges whether it is configured for encrypted communication mode; if so, the terminal uses the key acquisition mechanism to obtain the key and proceeds to step 4; otherwise it proceeds to step 5;
(4) The terminal generates the SIP message initiating the call, inserts the attribute a=x-encrypt:on into the SDP attributes of the message, applies the signaling encryption process to the SIP message, and proceeds to step 6;
(5) The terminal generates the SIP message initiating the call, inserts the attribute a=x-encrypt into the SDP attributes of the message, and proceeds to step 6;
(6) The terminal sends the processed signaling message to the called terminal;
(7) The terminal receives the encrypted call answer message from the called terminal and applies the signaling decryption process;
(8) The terminal checks whether the SDP of the call answer message contains the attribute a=x-encrypt:on; if so, it determines that the voice of this call needs encryption; otherwise it determines that the voice of this call does not need encryption;
(9) The call is established; according to the judgement in step 8, the voice encryption/decryption process is applied or not applied to the voice, and sending/receiving of voice starts.
The steps by which the terminal receiving a call implements the encryption mechanism are:
(1) The IP terminal receives a SIP call request message;
(2) The terminal judges whether the received SIP message carries the encryption flag; if so, the terminal uses the key acquisition mechanism to obtain the key and decrypts the message; otherwise the normal SIP call procedure is carried out and this procedure ends;
(3) The terminal checks whether the SDP of the received SIP message contains the attribute a=x-encrypt:on; if so, it determines that the voice of this call needs encryption and proceeds to step 4; otherwise it determines that the voice of this call does not need encryption and proceeds to step 5;
(4) The terminal generates the SIP message answering the call, inserts the attribute a=x-encrypt:on into the SDP attributes of the message, applies the signaling encryption process, and proceeds to step 6;
(5) The terminal generates the SIP message answering the call, inserts the attribute a=x-encrypt into the SDP attributes of the message, and proceeds to step 6;
(6) The terminal sends the processed signaling message to the calling terminal;
(7) The call is established; according to the judgement in step 3, the voice encryption/decryption process is applied or not applied to the voice, and sending/receiving of voice starts.
With the method of the present invention, the IP terminal enables the encryption negotiation mechanism through the configuration interface; when this encryption negotiation mechanism is in effect, the IP terminal connects to the VOIP server, obtains the encryption key through the encryption mechanism, and encrypts the signaling packets it sends using this encryption mechanism; the terminal receiving a message identifies through the encryption negotiation mechanism whether the received message is encrypted, and if it is, decrypts the encrypted message using the encryption mechanism and, correspondingly, encrypts the messages it sends with the same encryption mechanism before sending them. In this way an existing voice firewall cannot determine the network addresses of the terminals participating in the voice communication by analyzing the characteristics of the signaling or of the voice packets; the voice firewall therefore cannot work normally, and voice communication is ensured to proceed normally.
Description of the drawings
Fig. 1 is a schematic diagram of a prior-art network structure in which a voice firewall is deployed;
Fig. 2 is a schematic diagram of the principle by which a prior-art voice firewall intercepts voice packets according to signaling;
Fig. 3 is a schematic diagram of the principle by which a prior-art voice firewall intercepts voice packets according to voice packet characteristics;
Fig. 4 is the flow chart of the terminal initiating a call implementing the encryption mechanism of the present invention;
Fig. 5 is the flow chart of the terminal receiving a call implementing the encryption mechanism of the present invention.
Embodiment
In prior-art IP telephony systems, VOIP call signaling is described with the SDP protocol (Session Description Protocol, an application-layer control protocol for describing multimedia sessions); an SDP description consists of many text lines of the form <type>=<value>, where <type> is a single letter and <value> is a structured text string whose format is determined by <type>: <type>=<value>[CRLF].
In SDP, the <type> used to describe terminal media capability attributes is mostly the letter a, so the general form of an SDP text line describing terminal media capability attributes is:
a=attribute or a=attribute:value
where attribute is the media capability attribute, represented as a text string, and value is its value; the media capability attribute itself can be chosen by the user as needed. That is to say, which attribute name is used is not essential, as long as it can be distinguished; what matters is how its value is set and judged.
In the method for voice firewall penetration in a VOIP system of the present invention, the IP terminal determines through a configuration interface whether to enable the encryption negotiation mechanism; when this encryption negotiation mechanism is in effect, the IP terminal connects to the VOIP server, obtains the encryption key through the encryption mechanism, and encrypts the signaling packets it sends using this encryption mechanism; the terminal receiving a message identifies through the encryption negotiation mechanism whether the received message is encrypted, and if it is, decrypts the encrypted message using the encryption mechanism and, correspondingly, encrypts the messages it sends with the same encryption mechanism before sending them;
The encryption negotiation mechanism follows these rules:
(a) The terminal initiating a call determines, according to its encryption configuration, whether the call it initiates uses the encryption mechanism; if the terminal is configured for encryption, the call procedure uses the encryption mechanism, otherwise the call procedure does not use the encryption mechanism;
(b) The terminal accepting a call determines, according to the encryption flag of the received call request message, whether the subsequent call procedure needs encryption; if the received call request message carries the encryption flag, the call procedure uses the encryption mechanism, otherwise the call procedure does not use the encryption mechanism;
(c) When the initiating or accepting terminal determines that the call needs encryption and uses the encryption mechanism, the SDP of the SIP signaling it sends (SIP is a VOIP call signaling protocol; the SDP describes the media properties of the local terminal) carries the encryption attribute flag "a=x-encrypt:on"; otherwise it carries the encryption attribute "a=x-encrypt";
(d) When the initiating or accepting terminal receives SIP signaling whose SDP carries the encryption attribute flag "a=x-encrypt:on", the terminal determines that the voice of this call uses the encryption mechanism and needs to be encrypted; otherwise it does not use the encryption mechanism;
When a terminal determines that the call procedure needs encryption, it uses this encryption mechanism. The encryption mechanism comprises a signaling encryption/decryption process, a voice encryption/decryption process and a key acquisition mechanism.
Signaling encryption/decryption process:
In this process, for SIP messages of an encrypted call, the terminal sending a message performs the encryption process and the terminal receiving a message performs the decryption process.
(1) Encryption process:
1. The terminal uses the "key acquisition mechanism" to obtain the encryption key, and processes the SIP message to be sent byte by byte in the order of the message bytes, applying the same encryption algorithm with different encryption keys to bytes at odd positions and bytes at even positions:
Dm = Do XOR De (Dm: ciphertext byte, Do: plaintext byte, De: key byte)
The VOIP key consists of two bytes, each a random natural number in the range 0-255. The first byte is the odd key odd_key, used to encrypt the odd-position bytes of SIP signaling plaintext or to decrypt the odd-position bytes of SIP signaling ciphertext; the second byte is the even key even_key, used to encrypt the even-position bytes of SIP signaling plaintext or to decrypt the even-position bytes of SIP signaling ciphertext. These two bytes are stored as decimal text in the key configuration file of the VOIP server, and the configuration management software of the VOIP server can provide a function to modify this key through its user interface. An IP terminal can obtain these two key bytes from the VOIP configuration management software through the proprietary protocol of the VOIP system. For example, the content of the key configuration file in the VOIP system can be defined as follows:
odd_key=170
even_key=85
The protocol between the IP terminal and the VOIP configuration management software can be defined in the form of text lines as follows:
1. Request message (IP terminal to VOIP configuration management software): getkey\r\n;
2. Response message (VOIP configuration management software to IP terminal): ok odd_key=170, even_key=85\r\n;
2. A message header is added to the SIP message processed in step 1; the encrypted message after adding the header is as follows:
Encryption flag | Ciphertext length | Ciphertext
Encryption flag: two bytes marking this message as an encrypted message; a fixed value, the first byte EF (hexadecimal) and the second byte FE (hexadecimal);
Ciphertext length: two bytes indicating the length of the ciphertext;
Ciphertext: the SIP message processed by the encryption algorithm;
(2) Decryption process:
The terminal uses the "key acquisition mechanism" to obtain the key. For a received SIP message it determines the ciphertext length from the 3rd and 4th bytes of the header, removes the four header bytes to obtain the complete ciphertext, and processes the ciphertext byte by byte in the order of the ciphertext bytes, applying the same decryption algorithm with different decryption keys to bytes at odd positions and bytes at even positions:
Do = Dm XOR De (Do: plaintext byte, Dm: ciphertext byte, De: key byte)
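As an added example, not code from the patent, the following Python reproduces the signaling framing and two-byte XOR described above together with negotiation rules (c) and (d), and then shows what a voice firewall on the path can still learn: because the key is only two bytes, the fixed start of any SIP message ("INVITE sip:", "SIP/2.0 ") recovers it, after which the c= media address and the a=x-encrypt value are readable. The SIP message and addresses are constructed, and the big-endian byte order of the length field is an assumption the patent does not state.

```python
import re

ENC_MARK = b"\xEF\xFE"   # fixed signaling "encryption flag" (first two header bytes)

# Constructed SIP INVITE for the example; addresses are documentation ranges.
SAMPLE_INVITE = (
    b"INVITE sip:1002@voip.example SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060\r\n"
    b"Content-Type: application/sdp\r\n"
    b"\r\n"
    b"v=0\r\n"
    b"c=IN IP4 192.0.2.10\r\n"
    b"m=audio 4000 RTP/AVP 0\r\n"
    b"a=x-encrypt:on\r\n"
)


def xor_bytes(data: bytes, odd_key: int, even_key: int) -> bytes:
    """Dm = Do XOR De, byte by byte. The patent numbers positions from 1, so the
    first byte is an 'odd' byte and gets odd_key; the second gets even_key."""
    return bytes(b ^ (odd_key if i % 2 == 0 else even_key) for i, b in enumerate(data))


def frame_signaling(sip: bytes, odd_key: int, even_key: int) -> bytes:
    """Sender side: flag (EF FE) + 2-byte ciphertext length + ciphertext.
    Big-endian length is assumed; the patent does not state the byte order."""
    ct = xor_bytes(sip, odd_key, even_key)
    return ENC_MARK + len(ct).to_bytes(2, "big") + ct


def parse_frame(msg: bytes):
    """Receiver side: return the ciphertext if msg carries the framing, else None."""
    if len(msg) < 4 or msg[:2] != ENC_MARK:
        return None
    length = int.from_bytes(msg[2:4], "big")
    if len(msg) - 4 != length:
        return None          # truncated or trailing garbage: do not decrypt
    return msg[4:]


def parse_getkey_response(line: bytes):
    """Parse the proprietary reply 'ok odd_key=170, even_key=85\\r\\n'.
    It travels in clear, so anything on the path can read the key as well."""
    m = re.fullmatch(rb"ok\s*odd_key=(\d+),\s*even_key=(\d+)\r\n", line)
    if not m:
        return None
    odd, even = int(m.group(1)), int(m.group(2))
    return (odd, even) if odd <= 255 and even <= 255 else None


# Every SIP message starts with a request line or a 'SIP/2.0' status line.
KNOWN_STARTS = (b"INVITE sip:", b"SIP/2.0 ", b"ACK sip:", b"BYE sip:",
                b"REGISTER sip:", b"OPTIONS sip:", b"CANCEL sip:")


def recover_key(ciphertext: bytes):
    """Known-plaintext check: the key is two bytes, so the first two ciphertext
    bytes fix it; the remaining bytes of the known start confirm the guess."""
    for start in KNOWN_STARTS:
        if len(ciphertext) < len(start):
            continue
        odd, even = ciphertext[0] ^ start[0], ciphertext[1] ^ start[1]
        if xor_bytes(ciphertext[:len(start)], odd, even) == start:
            return odd, even
    return None


def sdp_voice_encrypted(sip: bytes) -> bool:
    """Negotiation rule (d): voice is 'encrypted' only if SDP has a=x-encrypt:on."""
    return re.search(rb"^a=x-encrypt:on\r?$", sip, re.M) is not None


def inspect(msg: bytes) -> dict:
    """What a voice firewall on the path can still learn from one framed message."""
    ct = parse_frame(msg)
    if ct is None:
        return {"framed": False}
    key = recover_key(ct)
    if key is None:
        return {"framed": True, "key": None}
    pt = xor_bytes(ct, *key)
    m = re.search(rb"^c=IN IP4 (\S+)", pt, re.M)   # the media address the firewall wants
    return {"framed": True, "key": key,
            "media_ip": m.group(1).decode() if m else None,
            "voice_encrypted": sdp_voice_encrypted(pt)}


if __name__ == "__main__":
    framed = frame_signaling(SAMPLE_INVITE, 170, 85)   # key values from the patent's config file
    print(inspect(framed))
```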
Voice encryption/decryption process:
In this process, for voice messages of encrypted communication, the terminal sending a message performs the encryption process and the terminal receiving a message performs the decryption process.
(1) Encryption process:
The terminal uses a "random number generator" to generate a random natural number in the range 0-10 as the padding byte length of the encrypted message;
The terminal uses the "random number generator" to generate random natural numbers in the range 0-255 as the padding bytes of the encrypted message, generating all padding bytes in turn according to the padding byte length;
The encrypted message is assembled according to the following structure:
[Figure: structure of the encrypted voice message: Encryption flag | Padding data length | Padding data | Voice data in RTP format]
Encryption flag: two bytes with a fixed value, the first byte EE (hexadecimal) and the second byte FF (hexadecimal);
Padding data length: one byte, content a random value, a random natural number in the range 0-10 (including 0 and 10);
Padding data: its length is defined by the "padding data length" field; each byte is a random value, a random natural number in the range 0-255 (including 0 and 255);
Voice data in RTP format: the normal voice message of VOIP communication; RTP is the abbreviation of Real-time Transport Protocol, a network transport protocol commonly used for audio and video.
(2) Decryption process:
For a received encrypted voice message, the terminal determines the length of the random bytes in the header from the 3rd byte of the header, removes the header bytes, obtains the voice data in RTP format, and decryption is complete.
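An added example, not from the patent, of the voice framing just described, together with the check a voice firewall could make that the text does not mention: the fixed EE FF flag and a pad length of at most 10 identify the framed packets, and the RTP header behind the pad is untouched, so the packet remains recognizable as RTP. The RTP packet is constructed, and since the patent does not name its random number generator, Python's secrets module is assumed.

```python
import secrets

VOICE_MARK = b"\xEE\xFF"   # fixed voice "encryption flag"
MAX_PAD = 10               # padding length is a random number in 0-10

# Constructed 12-byte RTP header (V=2, PT=0 PCMU, seq=1, ts=160, SSRC=0x12345678)
# followed by 8 bytes of dummy payload.
SAMPLE_RTP = bytes([0x80, 0x00, 0x00, 0x01,
                    0x00, 0x00, 0x00, 0xA0,
                    0x12, 0x34, 0x56, 0x78]) + b"\xFF" * 8


def frame_voice(rtp: bytes) -> bytes:
    """Sender side: EE FF + pad length + random pad + the RTP packet unchanged."""
    pad_len = secrets.randbelow(MAX_PAD + 1)          # 0..10 inclusive
    return VOICE_MARK + bytes([pad_len]) + secrets.token_bytes(pad_len) + rtp


def unframe_voice(msg: bytes):
    """Receiver side: read the 3rd byte as pad length, strip the header, return RTP.
    Returns None if the framing is malformed instead of handing garbage to RTP."""
    if len(msg) < 3 or msg[:2] != VOICE_MARK:
        return None
    pad_len = msg[2]
    if pad_len > MAX_PAD or len(msg) < 3 + pad_len + 12:
        return None
    return msg[3 + pad_len:]


def parse_rtp_header(pkt: bytes):
    """Minimal RTP fixed-header parse (RFC 3550); None if not version-2 RTP."""
    if len(pkt) < 12 or pkt[0] >> 6 != 2:
        return None
    csrc_count = pkt[0] & 0x0F
    if len(pkt) < 12 + 4 * csrc_count:
        return None
    return {"pt": pkt[1] & 0x7F,
            "seq": int.from_bytes(pkt[2:4], "big"),
            "ts": int.from_bytes(pkt[4:8], "big"),
            "ssrc": int.from_bytes(pkt[8:12], "big")}


def classify(msg: bytes) -> str:
    """Check a firewall could apply: the framed form hides the RTP header at
    offset 0 (EE has version bits 11), but the fixed marker plus a 0-10 pad
    length gives it away, and the RTP header and payload behind it are intact."""
    if parse_rtp_header(msg):
        return "rtp"
    inner = unframe_voice(msg)
    if inner is not None and parse_rtp_header(inner):
        return "framed-rtp"
    return "other"


if __name__ == "__main__":
    framed = frame_voice(SAMPLE_RTP)
    print(len(framed) - len(SAMPLE_RTP), "header bytes;", classify(framed))
```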
Key acquisition mechanism:
For the signaling encryption/decryption process, the terminal first needs to obtain the encryption/decryption key, which is divided into a key for encrypting/decrypting odd-position bytes and a key for encrypting/decrypting even-position bytes. In the present invention these keys are stored in the VOIP exchange (server), configured and read by the VOIP exchange configuration management software; a terminal that needs encrypted communication requests the key from the VOIP exchange configuration management software through the proprietary protocol.
The proprietary protocol referred to here is the protocol defined between an IP terminal that implements the encryption function and the management software of the VOIP server, so that the IP terminal can obtain the key from the VOIP server. This protocol does not follow any existing published protocol standard of the communication field and is defined entirely to realize this specific function. It consists of a request message and a response message: the request message is generated by an IP terminal that implements the encryption function and sent to the management software of the VOIP server; the response message is generated by the management software of the VOIP server after receiving the request message, contains the key information, and is sent to the requester.
The procedures by which the present invention implements the encryption mechanism when initiating and when receiving a call are explained below with reference to the drawings and the embodiment. The initiating terminal is IP phone A and the receiving terminal is IP phone B;
Fig. 4 is the flow chart of the terminal initiating a call implementing the encryption mechanism:
1. The user configures the IP phone A terminal to encrypted communication mode;
2. The user enters the called number of IP phone B on IP phone A and initiates the call;
3. The IP phone A terminal judges whether it is configured for encrypted communication mode; if so, IP phone A uses the "key acquisition mechanism" to obtain the key and proceeds to step 4; otherwise it proceeds to step 5;
4. The IP phone A terminal generates the SIP message initiating the call, inserts the attribute "a=x-encrypt:on" into the SDP attributes of the message, applies the "signaling encryption process" to the SIP message, and proceeds to step 6;
5. The IP phone A terminal generates the SIP message initiating the call, inserts the attribute "a=x-encrypt" into the SDP attributes of the message, and proceeds to step 6;
6. The IP phone A terminal sends the processed signaling message to the called terminal IP phone B;
7. The IP phone A terminal receives the encrypted call answer message from the called terminal IP phone B and applies the "signaling decryption process";
8. The IP phone A terminal checks whether the SDP of the call answer message contains the attribute "a=x-encrypt:on"; if so, it determines that the voice of this call needs encryption; otherwise it determines that the voice of this call does not need encryption;
9. The call is established (IP phone A and IP phone B); sending/receiving of voice starts, and according to the judgement in step 8 the voice encryption/decryption process is applied or not applied to the voice.
Fig. 5 is the flow chart of the terminal receiving a call implementing the encryption mechanism:
1. The IP phone B terminal receives the SIP call request message from IP phone A;
2. The IP phone B terminal determines from whether the received SIP message carries the encryption flag whether the subsequent call procedure needs signaling encryption; if so, the IP phone A terminal uses the "key acquisition mechanism" to obtain the key and IP phone B decrypts the SIP signaling; otherwise the normal SIP call procedure is carried out (the subsequent steps of that procedure are omitted);
3. The IP phone B terminal checks whether the SDP of the received SIP message contains the attribute "a=x-encrypt:on"; if so, it determines that the voice of this call needs encryption and proceeds to step 4; otherwise it determines that the voice of this call does not need encryption and proceeds to step 5;
4. The IP phone B terminal generates the SIP message answering the call, inserts the attribute "a=x-encrypt:on" into the SDP attributes of the message, applies the "signaling encryption process", and proceeds to step 6;
5. The IP phone B terminal generates the SIP message answering the call, inserts the attribute "a=x-encrypt" into the SDP attributes of the message, and proceeds to step 6;
6. The IP phone B terminal sends the processed signaling message to the calling terminal IP phone A;
7. The call is established; sending/receiving of voice starts, and according to the judgement in step 3 the voice encryption/decryption process is applied or not applied to the voice.
Operating process in practical application:
The calling terminal enables the encrypted communication function and initiates a call;
The calling terminal generates the call request signaling message, sets the media encryption flag in the media negotiation part of the message, encrypts the signaling message, and sends it;
The network operator's voice firewall receives the encrypted signaling message sent by the caller; because the message is encrypted with a proprietary encryption protocol, the firewall cannot analyze it and therefore cannot obtain the caller's media network address from the signaling message;
The called terminal receives the encrypted signaling message, determines from the message header that the message is encrypted, decrypts it with the decryption algorithm, and processes the decrypted message according to the normal call flow; having found that the caller has set the media encryption request, it determines that the voice of this communication needs to be encrypted, generates the response message, encrypts it, and responds to the caller;
The network operator's voice firewall receives the encrypted call response signaling message sent by the called party; because the message is encrypted with a proprietary encryption protocol, the firewall cannot analyze it and therefore cannot obtain the called party's media network address from the signaling message;
The caller receives the encrypted response message from the called party, determines from the message header that the message is encrypted, decrypts it with the decryption algorithm, and processes the decrypted message according to the normal call flow; having found that the called party has set the media encryption request, it determines that the voice of this communication needs to be encrypted, and the call is now established;
The caller and the called party start sending encrypted voice packets;
The network operator's voice firewall receives the encrypted voice packets of the caller and the called party; because the characteristics of a normal voice packet (RTP packet header, fixed length) cannot be obtained from the encrypted voice packets, the firewall cannot determine whether a received packet is a voice packet and cannot interfere;
The caller and the called party each receive the other's voice packets, decrypt them, and process them as normal voice data, so both sides can hear each other normally.

Claims (9)

1. A method for voice firewall penetration in a VOIP system, characterized in that an IP terminal determines through its configuration interface whether to enable the encrypted negotiation mechanism; when this encrypted negotiation mechanism is in force, the IP terminal connects to the VOIP server, obtains the encryption key through the encryption mechanism, and encrypts the signaling data packets it sends using this encryption mechanism; the terminal receiving a message identifies through the encrypted negotiation mechanism whether the received message is encrypted, and if the received message is encrypted, decrypts it using the encryption mechanism; correspondingly, the messages sent by the terminal that received the message are encrypted using the encryption mechanism before being sent;
The encrypted negotiation mechanism follows these rules:
(a) for the terminal initiating the call, whether the call it initiates enables the encryption mechanism is determined by the encryption configuration of the terminal; if the terminal is configured to encrypt, the call procedure uses the encryption mechanism, otherwise the call procedure does not use the encryption mechanism;
(b) for the terminal accepting the call, whether the subsequent procedure of the received call needs encryption is determined by the encryption indication of the received call request message; if the received call request message carries an encryption indication, the call procedure uses the encryption mechanism, otherwise the call procedure does not use the encryption mechanism;
(c) when the initiating or accepting terminal determines that the encryption mechanism is used, the SDP of the SIP signaling it sends carries the a=x-encrypt:on encryption attribute indication; otherwise it carries the a=x-encrypt encryption attribute indication;
(d) when the initiating or accepting terminal receives SIP signaling whose SDP carries the a=x-encrypt:on encryption attribute indication, the terminal determines that the voice of this call uses the encryption mechanism; otherwise it does not use the encryption mechanism;
The encryption mechanism comprises a signaling encryption/decryption process, a voice encryption/decryption process and a key acquisition mechanism.
2. The method for voice firewall penetration in a VOIP system of claim 1, characterized in that:
the encryption process of the signaling encryption/decryption process is:
First step: the terminal obtains the encryption key through the key acquisition mechanism and processes the SIP message to be sent byte by byte in the order of the message bytes, using different key bytes for the bytes at odd positions and the bytes at even positions in the encryption algorithm Dm = Do XOR De, where Dm is the ciphertext byte, Do the plaintext byte and De the key byte;
Second step: a message header is prepended to the SIP message processed in the first step, so that the message consists, in byte order, of three parts: the encryption indication, the ciphertext length and the ciphertext;
The encryption indication is two bytes of fixed value indicating that this message is an encrypted message: the first byte is hexadecimal EF and the second byte is hexadecimal FE;
The ciphertext length is two bytes indicating the length of the ciphertext;
The ciphertext is the SIP message processed by this encryption algorithm;
the decryption process of the signaling encryption/decryption process is:
The terminal obtains the decryption key through the key acquisition mechanism; for a received SIP message it determines the ciphertext length from the third and fourth bytes of the message header, removes the four header bytes to obtain the complete ciphertext, and processes the ciphertext byte by byte in the order of the ciphertext bytes, using different key bytes for the bytes at odd positions and the bytes at even positions in the decryption algorithm Do = Dm XOR De, where Do is the plaintext byte, Dm the ciphertext byte and De the key byte.
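The signaling framing of claim 2, written out as an added example (this is not code from the patent or its assignee). It uses the claim 5 key values odd_key=170 and even_key=85 as constructed sample input and makes two assumptions the claim does not state: byte positions are counted from 1, so the first byte of the message is an "odd" byte and uses odd_key, and the two-byte length field is big-endian. The sample INVITE, addresses and all function names are constructed for the example.

```python
# Added example of the claim 2 signaling format; not the patent's own code.

ENC_MARK = b"\xEF\xFE"          # claim 2: fixed two-byte encryption indication
ODD_KEY, EVEN_KEY = 170, 85     # claim 5: odd_key=170 (0xAA), even_key=85 (0x55)


def xor_odd_even(data: bytes, odd_key: int, even_key: int) -> bytes:
    """Dm = Do XOR De, with the key byte chosen by byte position.

    Assumption: positions count from 1, so index 0 is an odd position and
    uses odd_key; the patent does not say where counting starts.
    """
    return bytes(
        b ^ (odd_key if i % 2 == 0 else even_key) for i, b in enumerate(data)
    )


def encrypt_signaling(sip_message: bytes, odd_key: int = ODD_KEY,
                      even_key: int = EVEN_KEY) -> bytes:
    """Second step of claim 2: EF FE | ciphertext length (2 bytes) | ciphertext."""
    if len(sip_message) > 0xFFFF:
        raise ValueError("ciphertext length does not fit in two bytes")
    ciphertext = xor_odd_even(sip_message, odd_key, even_key)
    # Assumption: big-endian length field; the patent does not give a byte order.
    return ENC_MARK + len(ciphertext).to_bytes(2, "big") + ciphertext


def is_encrypted_signaling(message: bytes) -> bool:
    """Claim 9 step 2: the receiver recognises an encrypted message by its header."""
    return message[:2] == ENC_MARK


def decrypt_signaling(message: bytes, odd_key: int = ODD_KEY,
                      even_key: int = EVEN_KEY) -> bytes:
    """Decryption process of claim 2, with the length checks a receiver needs."""
    if not is_encrypted_signaling(message) or len(message) < 4:
        raise ValueError("not an encrypted signaling message")
    length = int.from_bytes(message[2:4], "big")   # third and fourth header bytes
    ciphertext = message[4:4 + length]              # strip the four header bytes
    if len(ciphertext) != length:
        raise ValueError("truncated ciphertext")
    return xor_odd_even(ciphertext, odd_key, even_key)


# Constructed sample SIP INVITE (RFC 5737 documentation addresses).
SAMPLE_INVITE = (
    b"INVITE sip:bob@192.0.2.20 SIP/2.0\r\n"
    b"From: <sip:alice@192.0.2.10>;tag=1\r\n"
    b"To: <sip:bob@192.0.2.20>\r\n"
    b"Content-Type: application/sdp\r\n\r\n"
    b"v=0\r\nm=audio 5004 RTP/AVP 0\r\na=x-encrypt:on\r\n"
)

if __name__ == "__main__":
    wire = encrypt_signaling(SAMPLE_INVITE)
    print(wire[:4].hex(), len(wire), decrypt_signaling(wire) == SAMPLE_INVITE)
```

What this makes visible: the whole secret is two bytes repeated across the message, and the same pair is shared by every terminal that fetches the server's key file (claims 4 and 5). That hides the "INVITE" and "SIP/2.0" tokens from a firewall doing pattern matching on the wire, which is all the description claims for it, but it is obfuscation rather than confidentiality of the signaling; a practitioner evaluating this scheme should not treat the SIP headers (including the media addresses) as protected.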
3. The method for voice firewall penetration in a VOIP system of claim 1, characterized in that:
the encryption process of the voice encryption/decryption process is:
The terminal uses a random number generator to generate a random number in the range 0-10 as the padding byte length of the encrypted message;
The terminal uses a random number generator to generate random numbers in the range 0-255 as the padding bytes of the encrypted message, generating all padding bytes in turn according to the padding byte length;
The resulting encrypted message consists of two parts: the encryption message header and the voice data encapsulated in RTP format;
The encryption message header consists, in byte order, of three parts: the encryption indication, the padding data length and the padding data;
The encryption indication is two bytes of fixed value: the first byte is hexadecimal EE and the second byte is hexadecimal FF;
The padding data length is one byte whose content is a random value, a random natural number in the range 0-10;
The length of the padding data is defined by the padding data length byte; each byte of the padding data is a random value, a random natural number in the range 0-255;
The voice data encapsulated in RTP format is the normal voice message of VOIP communication;
the decryption process of the voice encryption/decryption process is:
For a received voice encryption message, the terminal determines the random byte length of the header from the third byte of the header, removes the bytes of the header part and obtains the voice data encapsulated in RTP format; decryption is then complete.
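The voice framing of claim 3 as an added example (not the patent's or the assignee's code). The RTP packet builder, the `looks_like_rtp` heuristic and the injectable random source are constructed for the example; the claim says only that the padding length is a random number in 0-10 and each padding byte a random number in 0-255.

```python
# Added example of the claim 3 voice message format; not the patent's own code.
import random
import struct

VOICE_MARK = b"\xEE\xFF"   # claim 3: fixed two-byte encryption indication
MAX_PAD_LEN = 10           # claim 3: padding length is a random number in 0-10


def wrap_voice(rtp_packet: bytes, rng=None) -> bytes:
    """Encryption process of claim 3: EE FF | pad_len | padding | RTP packet.

    rng is a random.Random-like object injected for testing; by default a
    system RNG is used (an assumption, the patent names no generator).
    """
    rng = rng or random.SystemRandom()
    pad_len = rng.randint(0, MAX_PAD_LEN)
    padding = bytes(rng.randint(0, 255) for _ in range(pad_len))
    return VOICE_MARK + bytes([pad_len]) + padding + rtp_packet


def unwrap_voice(message: bytes) -> bytes:
    """Decryption process of claim 3: read the third byte, strip the header.

    The bounds checks are what a receiver needs so that a short or corrupt
    packet cannot make it read past the end of the message.
    """
    if len(message) < 3 or message[:2] != VOICE_MARK:
        raise ValueError("not a voice encryption message")
    pad_len = message[2]
    if pad_len > MAX_PAD_LEN:
        raise ValueError("padding length outside the 0-10 range")
    if len(message) < 3 + pad_len:
        raise ValueError("truncated header")
    return message[3 + pad_len:]


def looks_like_rtp(packet: bytes) -> bool:
    """Constructed stand-in for a voice firewall's check: RTP version 2 and
    at least the 12-byte fixed header."""
    return len(packet) >= 12 and packet[0] >> 6 == 2


def make_rtp_packet(seq: int, timestamp: int, ssrc: int, payload: bytes) -> bytes:
    """Constructed RTP packet: V=2, no padding/extension/CSRC, PT=0 (PCMU)."""
    return struct.pack("!BBHII", 0x80, 0x00, seq, timestamp, ssrc) + payload


SAMPLE_RTP = make_rtp_packet(1, 160, 0x12345678, bytes(160))  # 20 ms of silence

if __name__ == "__main__":
    wire = wrap_voice(SAMPLE_RTP)
    print(len(wire) - len(SAMPLE_RTP), unwrap_voice(wire) == SAMPLE_RTP)
```

Note what the "decryption" step does and does not do: as claim 3 itself states, the RTP packet is carried unmodified after a 3 to 13 byte prefix, so the media payload is never transformed. The prefix defeats a check that expects an RTP header at offset 0, which is the behaviour the description relies on; the same check succeeds again as soon as the prefix is skipped, as `looks_like_rtp(unwrap_voice(wire))` shows. Practitioners should therefore read "voice encryption" in these claims as framing that hides the packet type, not as confidentiality of the speech.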
4. The method for voice firewall penetration in a VOIP system of claim 1, characterized in that the key acquisition mechanism is:
The VOIP key consists of two bytes, each a random natural number in the range 0-255; the first byte is the odd key odd_key, used to encrypt the odd bytes of the SIP signaling plaintext or to decrypt the odd bytes of the SIP signaling ciphertext; the second byte is the even key even_key, used to encrypt the even bytes of the SIP signaling plaintext or to decrypt the even bytes of the SIP signaling ciphertext;
These two bytes are stored as decimal text in the key configuration file of the VOIP server, and the configuration management software of the VOIP server provides a user interface for modifying this key; at the same time, the IP terminal can obtain these two key bytes from the VOIP configuration management software through the proprietary protocol of the VOIP system.
5. The method for voice firewall penetration in a VOIP system of claim 4, characterized in that the content of this key configuration file is the odd key odd_key=170 and the even key even_key=85.
6. The method for voice firewall penetration in a VOIP system of claim 4, characterized in that this proprietary protocol consists of a request message and a response message; the request message is generated by the IP terminal that implements the encryption function and sent to the management software of the VOIP server; the response message is generated by the management software of the VOIP server after receiving the request message, contains the key information, and is sent to the requester.
7. The method for voice firewall penetration in a VOIP system of claim 6, characterized in that in this proprietary protocol the request message sent by the IP terminal to the VOIP configuration management software is getkey\r\n, and the response message sent by the VOIP configuration management software to the IP terminal is ok odd_key=170, even_key=85\r\n.
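The key-acquisition exchange of claims 4 to 7, as an added example that is not part of the patent: the two CRLF-terminated messages of claim 7, the decimal key file of claim 5 and the range check each key byte needs. The one-pair-per-line layout of the key file, the parsing functions and the in-memory round trip are assumptions of this example; the patent specifies neither the file layout beyond "decimal text" nor the transport of the protocol.

```python
# Added example of the claim 6/7 key protocol; not the patent's own code.
import re

KEY_REQUEST = b"getkey\r\n"                      # claim 7 request message
_RESPONSE_RE = re.compile(r"^ok odd_key=(\d+), even_key=(\d+)$")
_FILE_RE = re.compile(r"^\s*(odd_key|even_key)\s*=\s*(\d+)\s*$")


def _check_byte(value: int) -> int:
    """Claim 4: each key byte is a natural number in 0-255."""
    if not 0 <= value <= 255:
        raise ValueError("key byte outside 0-255")
    return value


def parse_key_file(text: str) -> tuple:
    """Server side: read odd_key and even_key from the decimal key file.

    Assumption: one name=value pair per line (the patent only says the two
    bytes are stored as decimal text).
    """
    keys = {}
    for line in text.splitlines():
        m = _FILE_RE.match(line)
        if m:
            keys[m.group(1)] = _check_byte(int(m.group(2)))
    if set(keys) != {"odd_key", "even_key"}:
        raise ValueError("key file must define exactly odd_key and even_key")
    return keys["odd_key"], keys["even_key"]


def handle_request(request: bytes, odd_key: int, even_key: int) -> bytes:
    """Server side (claims 6 and 7): answer getkey with the key line."""
    if request != KEY_REQUEST:
        raise ValueError("unknown request")
    return f"ok odd_key={odd_key}, even_key={even_key}\r\n".encode("ascii")


def parse_key_response(response: bytes) -> tuple:
    """Client side: extract the two key bytes from the claim 7 response."""
    line = response.decode("ascii")
    if not line.endswith("\r\n"):
        raise ValueError("response is not CRLF terminated")
    m = _RESPONSE_RE.match(line[:-2])
    if not m:
        raise ValueError("malformed key response")
    return _check_byte(int(m.group(1))), _check_byte(int(m.group(2)))


def fetch_keys(key_file_text: str) -> tuple:
    """Constructed in-memory round trip of the exchange (no network)."""
    odd, even = parse_key_file(key_file_text)
    response = handle_request(KEY_REQUEST, odd, even)
    return parse_key_response(response)


SAMPLE_KEY_FILE = "odd_key=170\neven_key=85\n"   # claim 5 values, constructed layout

if __name__ == "__main__":
    print(fetch_keys(SAMPLE_KEY_FILE))
```

Two properties of the exchange are worth noting for anyone deploying it: nothing in the two messages identifies or authenticates the requesting terminal or the server, so the key is handed to whoever sends `getkey`, and the same two bytes serve every terminal on the server, so changing the key means reconfiguring all of them.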
8. The method for voice firewall penetration in a VOIP system of claim 1, characterized in that the steps by which the terminal initiating the call implements the encryption mechanism are:
(1) the user configures this terminal to encrypted communication mode through the configuration interface of the IP terminal;
(2) the user enters the called terminal number on this terminal and initiates the call;
(3) the IP terminal judges whether it is configured to encrypted communication mode; if so, the terminal obtains the key through the key acquisition mechanism and performs step 4; otherwise it performs step 5;
(4) the terminal generates the SIP message initiating the call, inserts the a=x-encrypt:on attribute into the SDP of the message, applies the signaling encryption process to the SIP message and performs step 6;
(5) the terminal generates the SIP message initiating the call, inserts the a=x-encrypt attribute into the SDP of the message and performs step 6;
(6) the terminal sends the processed signaling message to the called terminal;
(7) the terminal receives the encrypted call answer message from the called terminal and performs the signaling decryption process;
(8) the terminal judges whether the SDP of the call answer message contains the a=x-encrypt:on attribute; if so, the voice of this call must be encrypted; otherwise the voice of this call does not need to be encrypted;
(9) the call is set up; according to the judgment of step 8, the voice encryption/decryption process is either applied to the voice or not, and sending and receiving of voice begins.
9. The method for voice firewall penetration in a VOIP system of claim 1, characterized in that the steps by which the terminal accepting the call implements the encryption mechanism are:
(1) the IP terminal receives a SIP call request message;
(2) the terminal judges whether the received SIP message carries the encryption indication; if so, the terminal obtains the key through the key acquisition mechanism and decrypts the message; otherwise the normal SIP call procedure is performed and this procedure ends;
(3) the terminal checks whether the SDP of the received SIP message contains the a=x-encrypt:on attribute; if so, the voice of this call must be encrypted and step 4 is performed; otherwise the voice of this call does not need to be encrypted and step 5 is performed;
(4) the terminal generates the SIP message answering the call, inserts the a=x-encrypt:on attribute into the SDP of the message, applies the signaling encryption process and performs step 6;
(5) the terminal generates the SIP message answering the call, inserts the a=x-encrypt attribute into the SDP of the message and performs step 6;
(6) the terminal sends the processed signaling message to the calling terminal;
(7) the call is set up; according to the judgment of step 3, the voice encryption/decryption process is either applied to the voice or not, and sending and receiving of voice begins.
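The call flow of the operating process in the description and of claims 8 and 9, as an added example (not code from the patent). It models only the decisions: which SDP attribute each side sends and whether each side ends up applying voice encryption. The `SignalingMessage` stand-in, the SDP builder, the documentation addresses and the function names are constructed; the signaling and voice byte formats are left out here.

```python
# Added example of the claim 8/9 decision flow; not the patent's own code.
from typing import NamedTuple, Optional, Tuple


class SignalingMessage(NamedTuple):
    """Constructed stand-in for a SIP message: whether it went through the
    signaling encryption process (claim 2) and its SDP body."""
    encrypted: bool
    sdp: str


def build_sdp(voice_encrypt: bool, ip: str = "192.0.2.10", port: int = 5004) -> str:
    """Rule (c) of claim 1: a=x-encrypt:on when encrypting, a=x-encrypt otherwise."""
    lines = [
        "v=0",
        f"o=- 1 1 IN IP4 {ip}",
        "s=-",
        f"c=IN IP4 {ip}",
        "t=0 0",
        f"m=audio {port} RTP/AVP 0",
        "a=x-encrypt:on" if voice_encrypt else "a=x-encrypt",
    ]
    return "\r\n".join(lines) + "\r\n"


def sdp_requests_encryption(sdp: str) -> bool:
    """Rule (d) of claim 1: only the exact attribute a=x-encrypt:on counts."""
    return any(line.strip() == "a=x-encrypt:on" for line in sdp.splitlines())


def caller_offer(configured_encrypted: bool) -> SignalingMessage:
    """Claim 8 steps 3-6: the caller's configuration decides both the
    signaling encryption and the SDP attribute it offers."""
    return SignalingMessage(encrypted=configured_encrypted,
                            sdp=build_sdp(configured_encrypted))


def callee_answer(offer: SignalingMessage) -> Tuple[Optional[SignalingMessage], bool]:
    """Claim 9 steps 2-6. Returns (answer, voice_encrypt); answer is None when
    the request was not encrypted and the normal SIP flow takes over."""
    if not offer.encrypted:
        return None, False                        # step 2: normal SIP call, ends
    voice_encrypt = sdp_requests_encryption(offer.sdp)   # step 3
    if voice_encrypt:                             # step 4
        return SignalingMessage(True, build_sdp(True, ip="192.0.2.20")), True
    # step 5 as written in claim 9 applies no signaling encryption process;
    # with a claim 8 caller this branch is unreachable (see note below).
    return SignalingMessage(False, build_sdp(False, ip="192.0.2.20")), False


def caller_complete(answer: SignalingMessage) -> bool:
    """Claim 8 steps 7-8: after decrypting the answer, check its SDP."""
    return sdp_requests_encryption(answer.sdp)


def run_call(caller_configured_encrypted: bool) -> dict:
    """Whole exchange; returns what each side decided for the voice path."""
    offer = caller_offer(caller_configured_encrypted)
    answer, callee_voice = callee_answer(offer)
    if answer is None:
        return {"signaling_encrypted": False, "caller_voice": False, "callee_voice": False}
    return {"signaling_encrypted": offer.encrypted and answer.encrypted,
            "caller_voice": caller_complete(answer),
            "callee_voice": callee_voice}


if __name__ == "__main__":
    print(run_call(True))
    print(run_call(False))
```

Reading the claims through this model shows that the "negotiation" is a mirror: the callee echoes whatever the caller offered, and the only input is the caller's configuration. Because claim 8 step 4 always pairs an encrypted request with a=x-encrypt:on, claim 9 step 5 (encrypted request without the attribute) cannot be reached from a conforming caller; the code follows the literal text of step 5, which does not mention the signaling encryption process, while claim 1's general rule would have that answer encrypted too. That mismatch is worth settling in an implementation before two vendors' terminals interoperate.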
CN201110032227.0A 2011-01-30 2011-01-30 Firewall-penetrating method of voice in VOIP (Voice Over Internet Protocol) system Active CN102185827B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110032227.0A CN102185827B (en) 2011-01-30 2011-01-30 Firewall-penetrating method of voice in VOIP (Voice Over Internet Protocol) system

Publications (2)

Publication Number Publication Date
CN102185827A CN102185827A (en) 2011-09-14
CN102185827B true CN102185827B (en) 2014-05-14

Family

ID=44571897

Country Status (1)

Country Link
CN (1) CN102185827B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9515995B2 (en) * 2013-12-27 2016-12-06 Futurewei Technologies, Inc. Method and apparatus for network address translation and firewall traversal
CN104753876A (en) * 2013-12-30 2015-07-01 北京大唐高鸿数据网络技术有限公司 Flexible and controllable session encryption method
CN115567209B (en) * 2022-09-29 2023-09-22 中电信量子科技有限公司 VoIP encryption and decryption method by adopting transparent proxy and quantum key pre-filling
CN118118276B (en) * 2024-04-26 2024-08-06 广东安创信息科技开发有限公司 Speech encryption near-end device, far-end device, system and encryption and decryption method based on coprocessor

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101009740A (en) * 2007-01-17 2007-08-01 广州市高科通信技术股份有限公司 System and method for implementing simultaneous data and voice access of the dual PPPOE
CN101018229A (en) * 2007-02-12 2007-08-15 华为技术有限公司 A method and firewall for the media service to penetrate the firewall

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8935416B2 (en) * 2006-04-21 2015-01-13 Fortinet, Inc. Method, apparatus, signals and medium for enforcing compliance with a policy on a client computer

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20190715

Address after: 519000. A District 1, 15A, conference center, 1 Software Road, Tang Wan Town, Zhuhai hi tech Zone, Guangdong, 1

Patentee after: Guangdong Jiami Technology Co., Ltd.

Address before: 519080, B5, 4th floor, South Software Park, Zhuhai high tech Zone, Guangdong

Patentee before: Guangdong Jiahe Communication Technology Co., Ltd.