
WO2023206909A1 - Volte voice encrypted communication method, terminal and system - Google Patents


Info

Publication number: WO2023206909A1
Application number: PCT/CN2022/117510
Authority: WO (WIPO, PCT)
Prior art keywords: key, management platform, call, voice, encrypted
Other languages: French (fr), Chinese (zh)
Inventors: 王丙磊, 陈文俊, 赵鹏, 刘驰, 王建
Original assignee: 中电信量子科技有限公司
Application filed by: 中电信量子科技有限公司
Priority to: JP2023541525A (published as JP2024520245A)
Publication: WO2023206909A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0852 Quantum cryptography
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234 Cryptographic mechanisms or cryptographic arrangements including means for verifying the identity or authority of a user of the system or for message authentication, involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for providing a confidential data exchange wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for providing a confidential data exchange wherein the data content is protected, and the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/10 Architectures or entities
    • H04L65/1016 IP multimedia subsystem [IMS]

Definitions

  • the present invention relates to the field of wireless communication technology, and specifically relates to a VoLTE voice encrypted communication method, terminal and system.
  • VoLTE Voice over Long Term Evolution
  • IMS IP Multimedia Subsystem
  • VoLTE does not require a 2G/3G network, and all services are carried on the 4G network, which can achieve shorter wait time for connection and higher-quality, more natural voice and video call effects.
  • IMS itself provides a complex and relatively secure authentication and authorization mechanism.
  • VoLTE requires a special encryption mechanism to ensure the security of its calls.
  • the existing solution is to extend the SIP protocol stack and enable call session processes with preset conditions to support operations such as encrypted phone identification, clear and secret call identification, call response, and connection state interoperability control.
  • the entire IMS network needs to be checked, verified and modified to ensure that it passes SIP extension fields through transparently by default, so that the modem chips of both communicating terminals can recognize and process the SIP extension fields.
  • the terminal Modem chips need to be customized and modified.
  • This solution requires transformation of mobile phone terminals, modules, and IMS networks. It requires a large amount of transformation and cannot be automatically and smoothly upgraded as the terminal version evolves.
  • the invention patent application with the publication number CN114040385A discloses an encrypted call system and method based on VoLTE.
  • the system includes: a cloud encrypted call service management platform, an operator network and a mobile phone component; wherein the cloud encrypted call service management platform is used to provide user management and certificate management based on VoLTE voice call services, as well as session key distribution;
  • the operator network is used to carry and transmit data between the cloud encrypted voice business management platform and the mobile phone;
  • the mobile phone component is used to provide encrypted call functions and real-time encryption and decryption of call data during the call.
  • This solution avoids the transformation of the telecom operator's IMS network and the extension of the signaling control protocol SIP protocol, and allows users to make VoLTE encrypted calls across the telecom operator's network.
  • the cloud encrypted voice business management platform is used to provide the API interface of the key management center client for identity verification when users log in and the issuance of the client's SM2 encryption certificate.
  • the certificate management module still needs to call the key management center.
  • the API interface is used for the application, download and destruction management operations of the user's SM2 encryption certificate.
  • the key transfer process relies on the certificate security mechanism.
  • the invention patent application with the publication number CN106941403A discloses a secure mobile communication system and method based on quantum keys, including a quantum key service station, several mobile terminals and a public communication network.
  • the quantum key service station and the mobile terminals communicate through the public communication network; the quantum key service station is used to provide quantum key download services to mobile terminals and to complete the security management and control of quantum keys.
  • the mobile terminal is used to implement basic call functions and additional secure communication functions, and the public communication network is used to implement the data transfer function.
  • this solution is an encrypted communication method in which the quantum key service station provides keys, in the specific method, electronic tags are used to monitor the keys of both mobile parties.
  • the mobile terminals of the calling party and the called party are at the quantum key service station.
  • the technical problem to be solved by this invention is how to solve the problem of certificate dependence in VoLTE handheld terminal authentication.
  • the present invention proposes a VoLTE voice encrypted communication method.
  • Security chips are integrated into the calling terminal and the called terminal respectively.
  • the method includes:
  • the calling terminal and the called terminal respectively complete the identity authentication to the key management platform to which they belong through the authentication keys stored in their corresponding security chips;
  • the calling terminal initiates a call, and the calling terminal and the called terminal send verification requests to the cloud encrypted call service management platform to obtain the encrypted call identifier returned by the cloud encrypted call service management platform;
  • the calling terminal and the called terminal play prompt tones and apply to their respective key management platforms for session keys for this call based on the encrypted call identification.
  • the session keys are distributed by the quantum key distribution network;
  • the calling terminal and the called terminal use the media channel to synchronize the key acquisition status of the calling terminal and the called terminal based on the session key, and then conduct an encrypted voice call;
  • the calling terminal and the called terminal send encrypted end messages to end this key call.
  • the calling terminal and the called terminal are both integrated with security chips.
  • the calling terminal and the called terminal use the authentication keys stored in their respective internally integrated security chips to complete identity authentication to the key management platform to which they belong.
  • the key management platform stores session key pairs distributed through the quantum key distribution network. It uses symmetric key algorithms to achieve VoLTE terminal authentication and key distribution; it does not require a certificate management module, and compared with a certificate system it offers faster computation and higher security.
  • the encrypted call is initiated by VoLTE.
  • the clear call is connected first and then the key negotiation process is carried out. This avoids premature key negotiation and avoids the problem of users answering the phone too quickly and having too high key negotiation requirements.
  • a prompt tone is played at one end first, and the actual encrypted conversation is carried out after key negotiation. For the user, only the encrypted conversation is perceived, and the user experience is good.
  • key synchronization can be carried out through the media channel, which improves synchronization efficiency.
  • the calling terminal and the called terminal respectively complete the identity authentication to the key management platform through the authentication keys stored in their corresponding security chips, including:
  • the security chips respectively obtain the identification of the key management platform to which they belong;
  • the calling terminal and the called terminal respectively call the authentication keys stored in their corresponding security chips to complete the identity authentication to the key management platform to which they belong;
  • the calling terminal and the called terminal upload the identifier of the key management platform to which they belong and their own terminal identifier to the cloud encrypted voice service management platform, so that the cloud encrypted voice service management platform generates and stores a comparison table of terminal identifiers and key management platform identifiers.
  • the calling terminal initiates a call
  • the calling terminal and the called terminal send verification requests to the cloud encrypted call service management platform to obtain the encrypted call identifier returned by the cloud encrypted call service management platform, including:
  • the calling terminal and the called terminal report the calling number and the called number of the current call to the cloud encrypted call service management platform, so that the cloud encrypted call service management platform generates the encrypted call identifier (secret call ID) for this call based on the calling number and the called number;
  • if the cloud encrypted voice service management platform determines, based on the comparison table, that the key management platform identifiers of the calling terminal and the called terminal are inconsistent, the calling terminal and the called terminal obtain the cloud encrypted voice service.
  • the session key being distributed by the quantum key distribution network includes:
  • the called terminal sends a first key request to the key management platform to which it belongs, so that the key management platform obtains the key identifier from the cryptographic machine and returns it to the called terminal; the first key request carries the encrypted call identifier and the identifier of the key management platform to which the peer belongs;
  • the called terminal pushes the key identifier and the encrypted call identifier to the cloud encrypted call service management platform, so that the cloud encrypted call service management platform pushes them to the calling terminal;
  • the calling terminal sends a second key request to the key management platform to which it belongs, so that the key management platform returns the session key to the calling terminal; the second key request carries the key identifier and the encrypted call identifier.
  • the key management platform obtains the key identification from the encryption machine and returns it to the called terminal, including:
  • the key management platform sends a first key application to the cryptographic machine, so that the cryptographic machine, based on the first key application, initiates a second key application to the QKD network to which it is connected;
  • the information carried in the first key application includes the encrypted call identifier, the calling number, the called number and the identifier of the key management platform to which the opposite end belongs, and the information carried in the second key application includes the identifier of the key management platform to which the opposite end belongs;
  • the QKD network obtains, based on the second key application, a symmetric key for the QKD nodes to which the calling terminal and the called terminal belong, and returns the symmetric key to the cryptographic machine;
  • the cryptographic machine returns the symmetric key and the key identifier to the called terminal through the key management platform.
  • the calling terminal and the called terminal use the media channel to synchronize the key acquisition status of the calling terminal and the called terminal based on the session key, and then conduct an encrypted voice call, including:
  • the calling terminal and the called terminal obtain the session key
  • the calling terminal and the called terminal send notification information of key acquisition to the cloud encrypted call service management platform, so that the cloud encrypted call service management platform transparently forwards the notification information to the calling terminal and the called terminal;
  • the called terminal completes key acquisition status synchronization.
  • the method further includes:
  • the cloud encrypted call service management platform and the IMS network complete a user synchronization interface and an encrypted call identification push interface
  • the cloud encrypted call service management platform or the IMS network generates the encrypted call identifier, and the IMS network delivers the corresponding encrypted call identifier to the SIP terminal.
  • the SIP terminal includes a key middleware and a voice middleware;
  • the voice middleware obtains the encrypted call identifier processed by the baseband chip, calls the key middleware, and applies to the key management platform to obtain the session key.
  • the present invention also proposes a VoLTE voice encrypted communication terminal.
  • the terminal is provided with a security chip and an intermediate component.
  • An authentication key is stored in the security chip.
  • the intermediate component includes a key middleware, a business middleware and a voice middleware, wherein:
  • the key middleware is used to use the authentication key stored in the security chip to complete the identity authentication to the key management platform to which it belongs.
  • the business middleware requests login from the cloud encrypted voice business management platform.
  • the voice middleware performs self-starting;
  • the business middleware is used to send a verification request to the cloud encrypted call service management platform after both parties initiate a call, to obtain the encrypted call identifier returned by the cloud encrypted call service management platform; after the call is connected and the terminal plays the prompt tone, the business middleware calls the key middleware and applies to the key management platform to which it belongs for the session key for this call based on the encrypted call identifier;
  • the session key is distributed by the quantum key distribution network;
  • the key middleware is used to transfer the session key to the voice middleware, and after the voice middleware uses the media channel to complete the key acquisition status synchronization of both parties, the two parties conduct encrypted voice calls;
  • the voice middleware is used to send an encrypted end message after the call is hung up to end the key call.
  • the business middleware includes a UI display module, an encrypted call notification module, an encrypted call identifier synchronization module and a key negotiation initiation module, wherein:
  • the UI display module is used to display the determination information for coordinating user subscription with the cloud encrypted call service management platform, the notification and identifier synchronization information of this encrypted call, and the key negotiation status at the start of this encrypted call;
  • the encrypted call notification module is used to interact with the interface of the cloud encrypted call service management platform;
  • the encrypted call identifier synchronization module is used to obtain the encrypted call identifier and the peer acquisition status returned by the cloud encrypted call service management platform after that platform determines that both parties have the qualifications and conditions for an encrypted call, and to complete the issuance and synchronization of the encrypted call identifier;
  • the key negotiation initiating module is configured to initiate a key request to the key middleware based on the key identification and obtain the corresponding key negotiation status after completing the key identification synchronization.
  • the key middleware includes an external service interface, a general cryptographic service module and a cryptographic device service module, wherein:
  • the external service interface is used to connect external applications through inter-process communication
  • the general cryptographic service module is used to provide key management, identity authentication and key calculation interfaces
  • the cryptographic device service module is used to obtain the authentication key stored in the security chip.
  • the voice middleware includes a voice interception module, a voice rate screening module, a voice encryption module and a voice return module, wherein:
  • the voice interception module is used to monitor the voice data transmission channel in the current terminal system, and to intercept and return voice call data;
  • the voice rate screening module is used to receive and inspect the voice call data passed on by the voice interception module to obtain the AMR payload data;
  • the voice encryption module is used for key processing, session key status negotiation, and encryption and decryption of voice data for sending and receiving;
  • the voice return module is used to send the AMR payload data frame by frame to the voice encryption module, and to return the encrypted voice data processed by the voice encryption module to the voice rate screening module.
  • the present invention also proposes a VoLTE voice encrypted communication system, which includes: a quantum key distribution network, a calling terminal, a called terminal, a first key management platform, a second key management platform, a first cryptographic machine, a second cryptographic machine, a cloud encrypted voice service management platform and an operator network;
  • the calling terminal and the called terminal are respectively integrated with security chips, and an authentication key is stored in the security chip;
  • the calling terminal is connected to the first key management platform
  • the called terminal is connected to the second key management platform
  • the first key management platform is connected to the quantum key distribution network via the first cryptographic machine, and the second key management platform is connected to the quantum key distribution network via the second cryptographic machine;
  • the calling terminal and the called terminal are each connected to the cloud encrypted voice business management platform via the operator network;
  • the calling terminal and the called terminal are both provided with intermediate components.
  • the intermediate components include key middleware, service middleware and voice middleware.
  • the key middleware is connected with the first key management platform or the second key management platform, the business middleware is connected with the cloud encrypted voice business management platform, and the voice middleware is connected with the underlying data transmission channel;
  • the key middleware is used to use the authentication key stored in the corresponding security chip to complete the identity authentication to the key management platform to which it belongs, the business middleware requests login from the cloud encrypted voice business management platform, and the voice middleware performs self-starting;
  • the service middleware is used to send a verification request to the cloud encrypted call service management platform to obtain the encrypted call identifier returned by the cloud encrypted call service management platform;
  • the calling terminal and the called terminal play prompt tones, and the business middleware calls the key middleware and applies to the key management platform to which it belongs for the session key for this call based on the encrypted call identifier;
  • the session key is distributed by the quantum key distribution network;
  • the key middleware transfers the session key to the voice middleware, and after the voice middleware uses the media channel to complete the key acquisition status synchronization of the calling terminal and the called terminal, the calling terminal and the called terminal conduct an encrypted voice call;
  • after the call is hung up, the voice middleware sends an encrypted end message to end this key call.
  • the calling terminal and the called terminal are both integrated with security chips.
  • the calling terminal and the called terminal use the authentication keys stored in their respective internally integrated security chips to complete identity authentication to the key management platform to which they belong.
  • the key management platform stores session key pairs distributed through the quantum key distribution network, and uses symmetric key algorithms to achieve VoLTE terminal authentication and key distribution without the need for a certificate management module; compared with a certificate system, it has the characteristics of fast computation and high security.
  • the encrypted call is initiated by VoLTE.
  • the clear call is connected first and then the key negotiation process is carried out. This avoids premature key negotiation and avoids the problem of users answering the phone too quickly and having too high key negotiation requirements.
  • a prompt tone is played at one end first, and the actual encrypted conversation is carried out after key negotiation. For the user, only the encrypted conversation is perceived, and the user experience is good.
  • key synchronization can be carried out through the media channel, and the synchronization efficiency can be improved.
  • the present invention provides a complete end-to-end example covering the terminal's internal processing flow, the cloud encrypted voice business management platform, the key management platform and the corresponding quantum key distribution network.
  • the present invention can solve the problem of VoLTE interoperability under key interaction between different key management platforms under two QKD nodes.
  • FIG. 1 is a schematic flow chart of the VoLTE voice encrypted communication method in the first embodiment of the present invention.
  • FIG. 2 is a schematic diagram of the subdivided steps of step S10 in the first embodiment of the present invention.
  • FIG. 3 is a schematic diagram of the subdivided steps of step S20 in the first embodiment of the present invention.
  • FIG. 4 is a schematic diagram of the subdivided steps of step S30 in the first embodiment of the present invention.
  • FIG. 5 is a schematic diagram of the subdivided steps of step S40 in the first embodiment of the present invention.
  • FIG. 6 is a schematic structural diagram of the VoLTE voice encrypted communication terminal in the second embodiment of the present invention.
  • FIG. 7 is a schematic diagram of the connection of the intermediate components in the second embodiment of the present invention.
  • FIG. 8 is a schematic structural diagram of the VoLTE voice encrypted communication system in the third embodiment of the present invention.
  • the first embodiment of the present invention proposes a VoLTE voice encrypted communication method.
  • Security chips are integrated in the calling terminal and the called terminal respectively.
  • the method includes the following steps:
  • the calling terminal and the called terminal respectively complete the identity authentication to their respective key management platforms through the authentication keys stored in their corresponding security chips;
  • each key management platform uses its key filling (charging) function to fill keys into the security chip connected to it.
  • the calling terminal and the called terminal obtain the filled key respectively, use the filled key as the authentication key, and charge
  • this embodiment uses a key pre-filled in the security chip as the authentication key, which solves the problem of certificate dependence in VoLTE handheld terminal authentication and realizes one key per authentication (one-time pad authentication).
  • the calling terminal initiates a call, and the calling terminal and the called terminal send verification requests to the cloud encrypted call service management platform to obtain the encrypted call identifier returned by the cloud encrypted call service management platform;
  • the called terminal starts to ring.
  • the calling terminal and the called terminal apply to the cloud encrypted call service management platform to verify the contract information of both parties.
  • the cloud encrypted call service management platform uses its own business system records to determine whether both parties to the call have subscribed to the encrypted call service. After the verification is completed, a unique identifier for this call, that is, the encrypted call ID (secret call ID), is generated based on the accounts of the calling party and the called party and is sent to the calling terminal and the called terminal.
  • the session key is distributed by the quantum key distribution network
  • the calling terminal and the called terminal first play the key negotiation prompt tone before conducting clear communication; the two parties are temporarily unable to talk, and then, based on the encrypted call ID, each applies to its key management platform for the session key of this call.
  • the key management platform applies to its respective connected cryptographic machine for the session key of this call.
  • the quantum keys stored in the cryptographic machines are distributed by the quantum key distribution network and are issued as the session key for this call.
  • the calling terminal and the called terminal use the media channel to synchronize the key acquisition status of the calling terminal and the called terminal based on the session key, and then conduct an encrypted voice call;
  • key synchronization can be carried out through the media channel, and the synchronization efficiency can be improved.
  • the voice begins to be intercepted and the qualified voice data is encrypted and transmitted.
  • the calling terminal and the called terminal send encrypted end messages to end this key call.
  • the calling terminal and the called terminal are both integrated with security chips.
  • the calling terminal and the called terminal use the authentication keys stored in their respective internally integrated security chips to complete identity authentication to the key management platform to which they belong.
  • the key management platform stores session key pairs distributed through the quantum key distribution network.
  • VoLTE terminal authentication and key distribution are achieved by using a symmetric key algorithm. There is no need for a certificate management module, and compared with a certificate system it is faster and more secure.
  • the encrypted call is initiated by VoLTE.
  • the clear call is connected first and then the key negotiation process is carried out. This avoids premature key negotiation and avoids the problem of users answering the phone too quickly and having too high key negotiation requirements.
  • a prompt tone is played at one end first, and the actual encrypted conversation is carried out after key negotiation. For the user, only the encrypted conversation is perceived, and the user experience is good.
  • this invention directly uses the key management platform to charge the security chips of the calling party and the called party with keys that serve as authentication keys.
  • Its main function is to enable both the calling party and the called party to use the keys stored in their respective chips to complete identity authentication to the key management platform, so that identity authentication works in a one-time-pad manner.
  • the key management platform then uses a new key in the security chip of the calling party and the called party as a protection key to issue the session key.
  • the plaintext of the session key is the same at both ends, but because the authentication keys stored in the security chips of the calling party and the called party differ, the key ciphertexts received by the calling party and the called party differ. This provides a one-time pad function for session key distribution. The entire process uses no tag system, which reduces the number of interactions, and does not require the keys of the calling party and the called party to be consistent. It decouples the root key charged into the security chips of the calling party and the called party from the session key needed for the actual voice communication, which provides more adaptability and better matches actual business conditions.
  • step S10 includes the following subdivided steps:
  • the security chips respectively obtain the identification of the key management platform to which they belong;
  • each key management platform uses the charging function to charge the security chips connected to it.
  • the charging process writes the identification of the key management platform into the connected security chip; this identification is unique within the quantum key distribution (QKD) network.
  • the calling terminal and the called terminal respectively call the authentication keys stored in their corresponding security chips to complete the identity authentication to the key management platform to which they belong;
  • the authentication key stored in the security chip is called to complete login authentication to the key management platform to which it belongs, after which the terminal also provides key services externally.
  • the calling terminal and the called terminal upload the identification of the key management platform to which they belong and their own terminal identification to the cloud encrypted voice service management platform, so that the cloud encrypted voice service management platform generates and stores a comparison table of terminal identifications and key management platform identifications.
  • the cloud encrypted voice business management platform stores the corresponding relationship between user terminals and each key management platform, and serves as a user resource information library for multiple key management platforms to provide cross-key management platform key negotiation query services.
  • step S20 includes the following subdivided steps:
  • the calling terminal and the called terminal report the calling number and called number of this call to the cloud encrypted call service management platform, so that the cloud encrypted call service management platform generates the encrypted call identifier for this call based on the calling number and the called number;
  • when the cloud encrypted call service management platform determines from the comparison table that the key management platform identifiers of the calling terminal and the called terminal are inconsistent, the calling terminal and the called terminal obtain from the cloud encrypted call service management platform the identifier of the key management platform to which the peer belongs and the encrypted call identifier.
  • the calling terminal and the called terminal report the calling and called numbers of this call to the cloud encrypted call service management platform.
  • the cloud encrypted call service management platform determines, based on the encrypted call contract status of the calling and called parties, whether the call meets the conditions for entering an encrypted call. At the same time, it checks the last login status of the calling party and the called party; if the status of both parties is normal, it generates an encrypted call identifier for this call based on the calling and called numbers, and checks the identifiers of the key management platforms to which the two parties belong against the comparison table. If they are inconsistent, the cloud encrypted call service management platform returns the identifier of the key platform to which the peer belongs and the encrypted call identifier to the terminal.
  • obtaining the encrypted call ID in this way accommodates VoLTE service interoperability across multiple key management platforms under the QKD network, because with multiple key management platforms the service ID cannot directly stand in for the key ID.
  • step S30 includes the following subdivided steps:
  • the called terminal sends a first key request to the key management platform to which it belongs, so that the key management platform obtains the key identification from the cryptographic machine and returns it to the called terminal.
  • the first key request carries the encrypted call identifier and the identifier of the key management platform to which the peer belongs;
  • the called terminal generally serves as the active terminal, and it requests a key from the key management platform to which it belongs based on the parameters (identity of the platform to which the opposite terminal belongs, and encryption key identification).
  • the called terminal pushes the key identifier and the encrypted call identifier to the cloud encrypted call service management platform, so that the cloud encrypted call service management platform sends the key identifier and the encrypted call identifier to the calling terminal.
  • the calling terminal sends a second key request to the key management platform to which it belongs, so that the key management platform returns the session key to the calling terminal.
  • the second key request carries the key identifier and the encrypted call identifier.
  • when both parties belong to the same key management platform, the encrypted call identifier can be used directly as the key identifier to complete key acquisition at both ends, since both the calling and the called parties go to the same key management platform to obtain the key.
  • when the two parties belong to different platforms, the key management platform relies on a key interface provided through the QKD network to complete two-ended key negotiation: a key is negotiated and a key identifier is returned. At this point the active end of the key application can obtain this key ID, but the other end cannot use the encrypted call ID alone to uniquely identify a key, and key synchronization cannot be achieved.
  • This embodiment associates the key identification produced by QKD remote key negotiation with the encrypted call identification of this VoLTE call, solves key distribution under multiple key management platforms, and truly achieves key synchronization.
  • in step S31, the key management platform obtaining the key identification from the cryptographic machine and returning it to the called terminal includes:
  • the key management platform sends a first key application to the cryptographic machine, so that the cryptographic machine initiates a second key application to the QKD network to which it is connected based on the first key application;
  • the information carried in the first key application includes the encrypted call identifier, the calling number, the called number and the identification of the key management platform to which the opposite end belongs, and the information carried in the second key application includes the identification of the key management platform to which the opposite end belongs.
  • the QKD network obtains a symmetric key of the QKD node to which the calling terminal and the called terminal belong based on the second key application, and returns the symmetric key to the cryptographic machine;
  • the cryptographic machine returns the symmetric key and key identification to the called terminal through the key management platform.
  • this embodiment provides an end-to-end instance covering the terminal's internal processing flow, the cloud encrypted voice service management platform, the key management platform and the corresponding quantum key distribution network, and spans two QKD nodes.
  • step S40 includes the following subdivided steps:
  • the calling terminal and the called terminal each send key acquisition notification information to the cloud encrypted voice service management platform, so that the cloud encrypted voice service management platform transparently forwards the notification information to the other party and the calling terminal and the called terminal complete key acquisition status synchronization.
  • this embodiment provides an optimized form of key synchronization that does not rely on the media stream, using the terminal push mechanism; it can synchronize the key acquisition status of both parties whether they belong to the same key platform or to different key platforms, which gives it a certain adaptability.
  • SIP terminal: a customized terminal that requests distribution of the encrypted call ID through a SIP extension field;
  • non-SIP terminal: a customized terminal that does not rely on SIP extension fields.
  • SIP terminals have been modified on the module side to be able to process SIP extension fields.
  • the terminals use key middleware and voice middleware structures to implement key negotiation and voice encryption and decryption. Therefore, it is only necessary to connect the cloud management platform to the IMS service AS (service authentication platform) responsible for key identifier distribution, and the VoLTE interoperability function can be realized without modifying the terminal.
  • This solution supports both existing terminal types without modification and is easy to implement. The specific implementation steps include:
  • the service AS (business authentication platform) in the IMS responsible for key identifier distribution and the cloud encrypted voice business management platform complete the user synchronization interface and the encrypted call identifier push interface;
  • the call request will be sent to the service AS (service authentication platform) responsible for key identification distribution in the IMS network.
  • the AS queries the local synchronization database to determine the terminal type of the account; if the encrypted call conditions are met, it generates the corresponding encrypted call identifier and sends the identifier to the cloud encrypted call service management platform.
  • the cloud encrypted call service management platform pushes the encrypted call identifier to the peer terminal; if the peer is a SIP terminal, the AS continues to deliver the encrypted call identifier it issued to complete the encrypted call.
  • the cloud encrypted call service management platform generates the encrypted call identifier and pushes the corresponding encrypted call identifier to the service AS (service authentication platform) responsible for key identifier distribution in the IMS network.
  • the AS delivers the corresponding encryption ID to the corresponding SIP-extension terminal to complete the encrypted call.
  • after the encryption ID is issued, the SIP terminal passes the encryption ID processed by the baseband chip to the voice middleware.
  • the voice middleware will call the key middleware to obtain the key from the key management platform based on the encryption ID.
  • the key can also be obtained by the business middleware pushing the encryption ID to the key middleware.
  • Both the calling party and the called party use the key middleware to obtain the key and follow the steps S40 to S50 to implement the voice encryption function.
  • the second embodiment of the present invention proposes a VoLTE voice encrypted communication terminal.
  • the terminal is provided with a security chip 4 and an intermediate component.
  • the security chip 4 stores an authentication key.
  • the middle components include key middleware 3, business middleware 1 and voice middleware 2, where:
  • the key middleware 3 is used to complete identity authentication to the key management platform to which it belongs using the authentication key stored in the security chip 4; the business middleware 1 requests login to the cloud encrypted voice business management platform; and the voice middleware 2 starts itself;
  • the business middleware 1 is used to send a verification request to the cloud encrypted call service management platform after the two parties initiate a call, to obtain the encrypted call identifier returned by the cloud encrypted call service management platform; the business middleware 1 is also used, after the call is connected and the terminal has played the prompt tone, to call the key middleware and apply to the key management platform to which it belongs for the session key of this call based on the encrypted call identifier.
  • the key is distributed by the quantum key distribution network;
  • the key middleware 3 is used to transfer the session key to the voice middleware 2, and after the voice middleware 2 uses the media channel to complete synchronization of the key acquisition status of both calling parties, the two parties conduct an encrypted voice call;
  • the voice middleware 2 is used to send an encryption end message after the call is hung up to end this key call.
  • the key within the security chip is relied upon to implement entity authentication between the middleware and between the middleware and the platform.
  • using the key within the security chip for entity authentication realizes one-time use of the key in authentication and has the characteristic of fast authentication.
  • the key middleware is used to interact with the security chip integrated in the terminal, and supports multiple channel protocols to read and operate keys in different types of security chips. Since most security chips are single-channel, the key middleware needs to provide unified external services and can complete application authentication, access control, scheduling and other functions for the applications that access it. At the same time, the key middleware can also interact with the key management platform to complete identity authentication, key negotiation, session key acquisition, encryption and destruction based on the security chip, so that the middleware provides unified management, control and service of cryptographic security capabilities.
  • the business middleware is used to interact with the cloud encrypted call service management platform to complete VoLTE encrypted call notification and encrypted call identifier synchronization, and to call the cryptographic (key) middleware to complete the key negotiation function.
  • the security chip can be charged with keys by the platform.
  • the cloud encrypted voice business management platform can build a corresponding relationship between global users and the key management platform based on the reported information.
  • the business middleware can feed back the current call progress according to the status of the call process.
  • the business middleware is also an independent process in the mobile phone, has the ability to start automatically when the phone is turned on, and prevents the process from being killed by the mobile phone system.
  • the voice middleware runs in the mobile phone middleware as an independent process, and mainly interacts with the underlying voice processing and transmission module of the phone to disable the silence detection mechanism and the recording function during encrypted calls; it monitors the voice call status at the bottom of the mobile phone system and calls the cryptographic operation interface provided by the cryptographic middleware to encrypt and decrypt the voice stream.
  • the service middleware includes a UI display module, a secret conversation notification module, a secret conversation identification synchronization module and a key negotiation initiation module, wherein:
  • the UI display module is used to display the judgment information coordinated with the cloud encrypted call service management platform regarding the user's subscription, the notification and identifier synchronization information of this encrypted call, and the key negotiation status at the start of this encrypted call;
  • the encrypted call notification module is used to interact with the interface of the cloud encrypted call service management platform;
  • the encrypted call identifier synchronization module is used to obtain the encrypted call identifier and the peer acquisition status returned by the cloud encrypted call service management platform after that platform determines that both parties have the qualifications and conditions for an encrypted call, and to complete the issuance and synchronization of the encrypted call ID;
  • the key negotiation initiating module is configured to initiate a key request to the key middleware based on the key identification and obtain the corresponding key negotiation status after completing the key identification synchronization.
  • the UI display module is used for UI display at each stage of the encrypted call establishment process, mainly including the display of user subscription information and judgment information coordinated with the cloud encrypted call service management platform, the display of the notification and identifier synchronization information of this encrypted call, the display of the key negotiation status of this encrypted call, and other process displays.
  • the secret call notification module includes interaction with the cloud secret call service management platform interface to realize the secret call signing qualification judgment of the caller and the called party, the judgment of the current network status of both parties, and the message push function with the cloud secret call service management platform.
  • the encrypted call identifier synchronization module is used after the cloud encrypted call service management platform determines that both parties have the qualifications and conditions for an encrypted call.
  • the cloud encrypted call service management platform generates an identifier for this call and pushes it to the business middleware.
  • the business middleware obtains the peer acquisition status through the cloud encrypted call service management platform and completes the issuance and synchronization of the encrypted call identifier.
  • This interface is mainly used for VoLTE calls between users belonging to multiple key management platforms; users not on the same key platform could not previously communicate with each other, so this function is required.
  • the key negotiation initiation module is configured so that, after the key identifier synchronization interface has completed, the business middleware uses the identifier to initiate a key application request to the key middleware and obtain the corresponding key negotiation status.
  • the key middleware includes an external service interface, a general cryptographic service module and a cryptographic device service module, wherein:
  • the external service interface is used to connect external applications through inter-process communication;
  • the general cryptographic service module is used to provide key management, identity authentication and key calculation interfaces;
  • the cryptographic device service module is used to obtain the authentication key stored in the security chip.
  • the external services mainly include external application authentication, access control, process communication and other functions to realize secure access of external applications, and external applications access the key middleware through inter-process communication.
  • the general cryptographic service module mainly includes key management, identity authentication, and key calculation interfaces to implement key services for external applications.
  • the key middleware will obtain the key in the security chip through the cryptographic device service interface, and use a key in the security chip as the authentication key to complete the identity authentication to the key management platform.
  • the entire authentication is based on the two-pass authentication mechanism stipulated in the 15843.2 standard, which uses keys in a one-time-pad manner during authentication and avoids the overly complex and computationally intensive authentication of a certificate system.
  • the business middleware completes the basic encrypted conversation identification synchronization and passes it to the key middleware through the key middleware external interface.
  • the key middleware sends the encrypted call identifier and the calling and called numbers, as the key identification, to the key management platform to apply for and obtain the session key for this call.
  • the cryptographic device service module mainly implements device management of security chips, application management of card containers and files, key management and computing interface calls.
  • the voice middleware includes a voice interception module, a voice rate filtering module, a voice encryption module and a voice backhaul module, wherein:
  • the voice interception module is used to monitor the voice data transmission channel in the current terminal system, intercept and return voice call data;
  • the voice rate screening module is used to receive and detect the voice call data transmitted by the voice interception module to obtain AMR payload data;
  • the voice encryption module is used for key processing, session key status negotiation, and voice data encryption and decryption to send and receive;
  • the voice backhaul module is used to send the AMR payload data frame by frame to the voice encryption module, and to return the encrypted voice data processed by the voice encryption module to the voice rate screening module.
  • the voice interception module mainly includes monitoring the voice data transmission channel in the current mobile phone system, intercepting and returning voice call data.
  • the voice rate screening module is used to receive and detect the voice call data transmitted by the voice interception module; the VoLTE voice data is processed according to the VoLTE voice quality setting rules.
  • processing of VoLTE voice data at different code rates can be implemented to adapt to different network environments.
  • AMR payload data is obtained, and qualified AMR payload data is pushed to the voice backhaul module; other voice data that does not meet this requirement is sent back to the mobile phone voice data transmission channel.
  • the voice return module is used to send the AMR payload data to the negotiation encryption module in real time in a single frame, and receive the VoLTE voice encryption data processed by the negotiation encryption module and transmit it back to the voice rate screening module.
  • the voice encryption module is used for key processing, session key status negotiation, and voice data encryption, decryption, and transceiver functions.
  • the key processing function mainly enables the voice middleware to obtain the session key by interacting with the key middleware.
  • the session key is protected by encryption.
  • the key processing function completes the processing of the session key ciphertext and the initialization of the encryption environment.
  • the session key negotiation includes: after completing session key acquisition, both calling parties use the existing system voice data transmission channel to send a voice message related to the identity of this encrypted call, and check the other party's returned message through the voice rate screening module.
  • if the message returned by the other party is screened out by the filter, it means that the voice data of both parties is transmitted in the operator's VoLTE environment, the AMR payload rates of both parties match, and the other party has also completed session key acquisition in accordance with the encrypted call establishment instructions, so the session key for the encrypted call is ready;
  • if the message returned by the other party cannot be screened out, it means that one party is not in the VoLTE environment, session key acquisition failed, or the AMR payload rates do not match, and the encrypted call negotiation fails. If the negotiation succeeds, voice data encryption begins.
  • the voice data encryption and decryption includes: after the initiator and the other side complete session key negotiation, the VoLTE voice data is passed through the voice backhaul module.
  • the encryption module adapts to the VoLTE encoding rate. Throughout the life cycle of data encryption and decryption, while the voice data stream is running, the encryption and decryption module constructs data encryption and decryption start and end messages to control and synchronize the encryption and decryption status.
  • the encrypted call terminal in this embodiment provides the business, key and voice middleware functional features and the corresponding terminal programs for VoLTE encrypted calls, which ensures the rollout of VoLTE encrypted call services.
  • in order to adapt to the VoLTE service interoperability problem of multiple key platforms under the QKD network, the key middleware uses the authentication key stored in the security chip to complete identity authentication to the key management platform to which it belongs.
  • the business middleware requests login to the cloud encrypted voice business management platform, and the voice middleware performs self-starting.
  • the specific expansion is as follows:
  • the key management platform uses the charging function to charge the security chip. During the charging process, the key management platform identification of this platform is written into the security chip. This identification is unique in the QKD network.
  • after the terminal starts, the key middleware calls the key stored in the security chip to complete login authentication to the key management platform; at the same time, the key middleware provides key services externally.
  • the business middleware accesses the key middleware, obtains the filled key management platform identification, and uploads its own information (terminal information) and key management platform identification to the cloud encrypted voice business management platform.
  • the cloud encrypted voice business management platform stores the corresponding relationship between users and each key management platform, serves as a user resource information database for multiple key management platforms, and provides cross-key management platform key negotiation query services.
  • the service middleware is used to send a verification request to the cloud encrypted call service management platform to obtain the encrypted call identifier returned by the cloud encrypted call service management platform.
  • the terminal uses the service middleware to report the calling and called numbers of this call to the cloud encrypted call service management platform.
  • the cloud encrypted call service management platform determines whether the call has the ability to enter the encrypted call based on the status of the encrypted call contract between the calling party and the called party.
  • the cloud encrypted call service management platform checks the latest login status of the middleware of the calling party and the called party. If the middleware status of both parties is normal, it generates the encrypted call ID of this call based on the calling and called numbers and checks the key management platform identifiers of the two parties. If they are inconsistent, the cloud encrypted call service management platform returns the key platform identifier of the peer and the encrypted call identifier generated for this call to the business middleware.
  • after the key negotiation phase starts, the business middleware in the terminal sends the identifier of the key platform to which the peer belongs and the encrypted call ID generated by the cloud encrypted voice business management platform to the key middleware.
  • the terminal plays a prompt tone;
  • the business middleware calls the key middleware and applies to the key management platform to which it belongs, based on the encrypted call identifier, for the session key of this call; specifically expanded, this is:
  • the called party generally serves as the active end, and the cryptographic middleware requests the key from its own key management platform according to the parameters (the identity of the platform to which the peer belongs, and the encrypted conversation identity).
  • the key management platform obtains the key from the encryption machine based on the encrypted call ID, calling and called numbers, and the key platform ID of the peer.
  • the cryptographic machine initiates a key application to the QKD network it is connected to, based on the key platform identification.
  • upon request, the QKD network obtains a symmetric key of the QKD nodes designated for the calling party and the called party based on their key platform identifications, and returns the corresponding key identification to the cryptographic machine.
  • the cryptographic machine feeds back the corresponding key, returning the key and key identification to the called end through the key management platform.
  • the called end cryptographic middleware pushes the key identification to the business middleware, and the business middleware then pushes the key identification and secret conversation identification to the cloud secret conversation service management platform.
  • the cloud encrypted call service management platform pushes the key identifier and encrypted call identifier to the calling end.
  • the calling end business middleware pushes the key identifier and encrypted session identifier to its own key middleware, and the calling key middleware obtains the session key from its own key management platform based on these two parameters.
  • the key middleware transfers the session key to the voice middleware, and the voice middleware uses the media channel to complete the key acquisition status synchronization of both parties in the call.
  • the specific expansion is as follows:
  • the calling and called key middleware obtains the session key for this call and notifies the respective business middleware of the key acquisition status.
  • the cloud encrypted call business management platform transparently transmits push information from both parties to their respective business middlewares to complete key acquisition status synchronization.
  • the calling terminal and the called terminal conduct an encrypted voice call.
  • the specific expansion is as follows:
  • the key middleware of the calling terminal and the called terminal passes the encrypted session key to the voice middleware to complete the encryption state initialization of the voice middleware.
  • the voice middleware uses the media channel to complete the key status synchronization between the calling parties.
  • the calling party and the called party begin to conduct encrypted conversations, the terminal begins to conduct encrypted voice calls, and the voice middleware begins to intercept the voice and encrypt the qualified voice data.
  • The terminal proposed in this embodiment avoids modifying the telecom operator's IMS network and extending the SIP signaling control protocol. It relies only on deploying a centralized management platform and deeply customizing the mobile terminal with three cooperating middleware components (service, voice and key). Together these realize transmission of key synchronization information through the voice channel, transmission of key synchronization information via service data, and VoLTE encrypted interoperability between terminals that support SIP extension fields and terminals that do not. It has the advantages of wide adaptability, a simple construction plan, low cost and a short deployment cycle.
  • The three deeply customized terminal middleware components solve the VoLTE interoperability problem under both a single key management platform and multiple key management platforms built on the QKD quantum key distribution network, and integrate the security requirements of customers' own cryptographic system construction with the requirement for network-wide interoperability, improving the compatibility of VoLTE encryption services.
  • For the VoLTE voice encrypted communication terminal, reference may be made to the method embodiments above; details are not repeated here.
  • The third embodiment of the present invention proposes a VoLTE voice encrypted communication system.
  • The system includes: a quantum key distribution network 13, a calling terminal 5, a called terminal 6, a first key management platform 9, a second key management platform 10, a first cryptographic machine 11, a second cryptographic machine 12, a cloud encrypted-call service management platform 8 and the operator's IMS network 7;
  • The calling terminal 5 and the called terminal 6 each integrate a security chip 4, in which an authentication key is stored;
  • The calling terminal 5 is connected to the first key management platform 9 and the called terminal 6 to the second key management platform 10; the first key management platform 9 is connected to the quantum key distribution network 13 via the first cryptographic machine 11, and the second key management platform 10 is connected to the quantum key distribution network 13 via the second cryptographic machine 12;
  • The calling terminal 5 and the called terminal 6 each access the cloud encrypted-call service management platform 8 via the operator's IMS network 7;
  • The calling terminal 5 and the called terminal 6 are both provided with intermediate components, comprising key middleware 3, service middleware 1 and voice middleware 2;
  • The key middleware 3 is connected to the first key management platform 9 or the second key management platform 10, the service middleware 1 is connected to the cloud encrypted-call service management platform 8, and the voice middleware 2 is connected to the underlying data transmission channel;
  • The key middleware 3 uses the authentication key stored in its corresponding security chip 4 to complete identity authentication to the key management platform to which it belongs, the service middleware 1 requests login to the cloud encrypted-call service management platform 8, and the voice middleware 2 starts automatically;
  • The service middleware 1 sends a verification request to the cloud encrypted-call service management platform 8 and obtains the encrypted-call identifier returned by it;
  • After the call is connected, the calling terminal 5 and the called terminal 6 play a prompt tone, and the service middleware 1 calls the key middleware 3 to apply to its key management platform, based on the encrypted-call identifier, for the session key of this call, which is distributed by the quantum key distribution network 13;
  • The key middleware 3 transfers the session key to the voice middleware 2, the voice middleware 2 uses the media channel to synchronize the key acquisition status of the calling terminal 5 and the called terminal 6, and the calling terminal 5 and the called terminal 6 then conduct an encrypted voice call;
  • After the calling terminal 5 and the called terminal 6 hang up, the voice middleware 2 sends an encryption end message to end this key call.
  • The cloud encrypted-call service management platform 8 provides VoLTE-voice-based wide-area user addressing management, registration management of the information of each key system, and the generation and delivery of the encrypted-call identifier during VoLTE calls.
  • The operator's IMS network 7 carries and transmits data between the cloud encrypted-call service management platform 8 and the mobile phones, as well as the signaling domain and media domain that already exist between the two phones.
  • The intermediate components implement functions such as addressing the key management platforms of both parties to a VoLTE call, VoLTE encrypted-call message processing, key negotiation application and acquisition, and real-time encryption and decryption of call data during the call.
  • The security chip 4 is a security medium certified by the national commercial cryptography administration (OSCCA) with security protection capabilities. It can be connected to the key management platform so that keys are filled into the security chip 4, and it uses the keys in the chip for identity authentication to the key management platform and for one-key-per-call protection of the session key.
  • The key management platform provides the server-side API of the key management middleware to interface with the phone-side middleware, realizing user login identity verification centred on the key filled into the security chip 4, session key negotiation, and the generation and issuance of session keys during encrypted call establishment. The key management platform can be deployed standalone or within the quantum key distribution network 13, and is able to obtain keys from the cryptographic machine it is connected to and distribute them to the key middleware.
  • The first cryptographic machine 11 and the second cryptographic machine 12 adopt a three-level key management system and use cryptographic cards for local secure storage of keys.
  • The quantum key distribution network 13 meets the networking and application requirements of quantum secure communication in different scenarios by extending point-to-point QKD links into a multi-user QKD network. It mainly includes the QKD modules, key managers (KM), QKDN controller and QKDN network management system in the QKD network, the QKD links between QKD modules and the KM links between KMs, as well as the key management service (KMS) and other modules in the user network.
  • This system requires no modification of the two existing types of terminal and is easy to implement.
  • The specific process is as follows:
  • The service AS (service authentication platform) in the IMS component that is responsible for key identifier distribution must implement a user synchronization interface and an encrypted-call identifier push interface with the cloud encrypted-call service management platform.
  • When the calling party is a SIP terminal: the call request is sent to the service AS responsible for key identifier distribution in the IMS network; the AS queries its local synchronization database to determine the terminal type of the account and, if the encryption conditions are met, generates the corresponding encrypted-call identifier and sends it to the cloud encrypted-call service management platform; the cloud platform pushes the encrypted-call identifier to the peer terminal, while the SIP terminal continues to use the encrypted-call identifier issued by the AS to complete encryption.
  • When an ordinary (non-SIP-extended) calling party initiates a call and learns through the cloud encrypted-call service management platform that the peer is a SIP terminal: the cloud platform generates the encrypted-call identifier and pushes it to the service AS responsible for key identifier distribution in the IMS network, and the AS issues the corresponding encrypted-call identifier to the SIP terminal to complete encryption.
  • After the encrypted-call identifier is issued, the SIP terminal passes the identifier, as processed by the baseband chip, to the voice middleware; the voice middleware calls the key middleware to obtain the key from the key management platform based on the identifier. On the non-SIP terminal, the service middleware instead pushes the encrypted-call identifier to the key middleware, which obtains the key.
  • Both parties use their key middleware to complete key acquisition, and can follow the media-channel process described in e1) to obtain the session key, synchronize the key acquisition status at both ends, and pass the session key to the voice middleware.
  • A "computer-readable medium" may be any device that can contain, store, communicate, propagate or transport a program for use by or in connection with an instruction execution system, apparatus or device.
  • A non-exhaustive list of computer-readable media includes: an electrical connection with one or more wires (electronic device), a portable computer diskette (magnetic device), random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), fiber optic devices, and portable compact disc read-only memory (CD-ROM).
  • The computer-readable medium may even be paper or another suitable medium on which the program is printed, since the paper or other medium can be optically scanned and then edited, interpreted or otherwise processed as necessary to obtain the program electronically and store it in computer memory.
  • Various parts of the present invention may be implemented in hardware, software, firmware or a combination thereof. Steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system, or in hardware, for example discrete logic circuits with logic gates for implementing logic functions on data signals, application specific integrated circuits with suitable combinational logic gates, programmable gate arrays (PGA), field programmable gate arrays (FPGA), etc.
  • "First" and "second" are used for descriptive purposes only and cannot be understood as indicating or implying relative importance or implicitly indicating the number of the indicated technical features. Thus a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature.
  • "Plurality" means at least two, for example two or three, unless otherwise expressly and specifically limited.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Multimedia (AREA)
  • Theoretical Computer Science (AREA)
  • Electromagnetism (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

Disclosed are a VoLTE voice encrypted communication method, a terminal and a system, in the technical field of wireless communications. The method comprises: a calling terminal and a called terminal each completing identity authentication to a key management platform to which the calling terminal and the called terminal belong, by means of authentication keys stored in corresponding security chips thereof; the calling terminal initiating a call, sending a verification request to a cloud encrypted call service management platform, and acquiring an encrypted call identifier returned by the cloud encrypted call service management platform; after the call is connected, the calling terminal and the called terminal playing alert tones and applying for a session key of the present call to the key management platform to which the calling terminal and the called terminal belong, on the basis of the encrypted call identifier; the calling terminal and the called terminal synchronizing the key acquisition states of the calling terminal and the called terminal using a media channel, on the basis of the session key, and then carrying out encrypted voice communication; when the call is hung up, the two parties sending an encrypted ending message, to end the present key call. The present invention does not require a certificate management module, has fast computational speed and high security, and has high synchronization efficiency and a good user experience.

Description

VoLTE voice encrypted communication method, terminal and system

Technical field

The present invention relates to the field of wireless communication technology, and specifically to a VoLTE voice encrypted communication method, terminal and system.

Background

Voice over Long Term Evolution (VoLTE) is a voice service based on the IP Multimedia Subsystem (IMS) and is an IP data transmission technology. VoLTE does not require a 2G/3G network; all services are carried on the 4G network, which gives shorter call setup times and higher-quality, more natural voice and video calls. IMS itself provides a complex and relatively secure authentication and authorization mechanism, but as malicious eavesdropping becomes more common, VoLTE needs a dedicated encryption mechanism to secure its calls.
Currently there are three main problems in implementing VoLTE voice encryption and subsequently promoting it at scale:

(1) Traditional VoLTE encryption provides a certificate-based security mechanism, and terminals usually need an installed app to implement the function, so the VoLTE key transfer process depends on the certificate security mechanism. Because that mechanism relies on mathematical problems such as integer factorization, there is the problem that security gradually decreases as the frequency of use increases; and because session key transfer and negotiation under the certificate mechanism is negotiated end to end, supervision of keys on the platform side is also a problem.

(2) To implement VoLTE encrypted calls, the existing solution extends the SIP protocol stack and enables a call session flow with preconditions to support encrypted-call identification, clear/encrypted incoming call identification, call response, and connected-state interoperability control. This requires inspecting, verifying and modifying the IMS network across the whole network to ensure that SIP extension fields are passed through transparently by default, so that the modem chips of both terminals can recognize and process those fields, and it also requires customizing the terminal modem chips to support SIP extension fields and parse the extended content. This solution requires modification of handsets, modules and the IMS network; the amount of modification is large and it cannot be upgraded smoothly and automatically as terminal versions evolve.

(3) With the development of QKD network construction, each region has its own need to build a cryptographic management system, and most such systems fill secure media only within their own system. In practice, however, VoLTE-type call services need wide-area interoperability, so the independent cryptographic management systems need key negotiation and session key issuance functions between them. It is therefore necessary to integrate the security requirements of customers' own cryptographic system construction with the requirement for network-wide interoperability, improving the compatibility of VoLTE encryption services.
In the related art, invention patent application CN114040385A discloses a VoLTE-based encrypted call system and method. The system includes a cloud encrypted-call service management platform, an operator network and a handset component. The cloud encrypted-call service management platform provides user management and certificate management for VoLTE voice call services, as well as session key distribution; the operator network carries and transmits data between the cloud platform and the handset; the handset component provides the encrypted call function and real-time encryption and decryption of call data during the call. This solution avoids modifying the telecom operator's IMS network and extending the SIP signaling control protocol, and lets users make VoLTE encrypted calls across telecom operator networks. However, the cloud encrypted-call service management platform provides the API of the key management center client for identity verification at user login and for issuing the client's SM2 encryption certificate, and a certificate management module still has to call the key management center's API to apply for, download and destroy the user's SM2 encryption certificate, so the key transfer process still depends on the certificate security mechanism.

Invention patent application CN106941403A discloses a quantum-key-based secure mobile communication system and method, comprising a quantum key service station, several mobile terminals and a public communication network, with the quantum key service station and the mobile terminals communicating over the public communication network. The quantum key service station provides quantum key download to the mobile terminals and manages and controls the quantum keys; the mobile terminal implements basic call functions and the additional secure communication function; the public communication network implements data transmission. Although this solution is an encrypted communication scheme in which the quantum key service station provides the keys, it uses electronic tags to monitor the keys of the two mobile parties: the calling and called mobile terminals authenticate at the quantum key service station and download shared quantum keys with electronic tags attached, the quantum keys having been requested in advance. When placing an encrypted call, the calling party sends its own electronic tag authentication information, which reaches the called party over the public communication network; the called party identifies the tag and returns its own electronic tag authentication information to the calling party over the public communication network; each side verifies the other's tag, and after successful authentication the calling and called parties retrieve the stored quantum key and begin secure communication. However, the interaction requires a tag system and the flow is cumbersome.
Contents of the invention

The technical problem to be solved by the present invention is how to remove the dependence on certificates in VoLTE handheld terminal authentication.

The present invention solves the above technical problem by the following technical means:

In one aspect, the present invention proposes a VoLTE voice encrypted communication method in which a security chip is integrated in each of the calling terminal and the called terminal. The method includes:

the calling terminal and the called terminal each completing identity authentication to the key management platform to which they belong, using the authentication key stored in their corresponding security chip;

the calling terminal initiating a call, and the calling terminal and the called terminal sending a verification request to the cloud encrypted-call service management platform to obtain the encrypted-call identifier returned by the cloud encrypted-call service management platform;

after the call is connected, the calling terminal and the called terminal playing a prompt tone and, based on the encrypted-call identifier, applying to their respective key management platforms for the session key of this call, the session key being distributed by the quantum key distribution network;

based on the session key, the calling terminal and the called terminal using the media channel to synchronize their key acquisition states, and then conducting an encrypted voice call;

the calling terminal and the called terminal sending an encryption end message to end this key call.

In the present invention, security chips are integrated in both the calling terminal and the called terminal, and each terminal uses the authentication key stored in its integrated security chip to complete identity authentication to the key management platform to which it belongs. The key management platform stores session key pairs distributed by the quantum key distribution network, so VoLTE terminal authentication and key distribution are implemented with a symmetric key algorithm; no certificate management module is needed, and compared with a certificate system this has the characteristics of fast computation and high security. Moreover, the encrypted call is initiated through the VoLTE call flow: the clear call is connected first and key negotiation is carried out afterwards, which avoids premature key negotiation and the problem of placing excessive demands on key negotiation when the user answers too quickly. When the clear call is actually established, a prompt tone is first played at one end, and the real encrypted conversation starts only after key negotiation, so the user perceives only an encrypted call and the user experience is good. In addition, by using the connected media channel as the key-state synchronization interface, the key synchronization timing is synchronized through the media channel, improving synchronization efficiency.
Further, the calling terminal and the called terminal each completing identity authentication to the key management platform using the authentication key stored in the corresponding security chip includes:

the security chips each obtaining the identifier of the key management platform to which they belong;

the calling terminal and the called terminal each invoking the authentication key stored in the corresponding security chip to complete identity authentication to the key management platform to which they belong;

the calling terminal and the called terminal uploading the identifier of their key management platform and their own terminal identifier to the cloud encrypted-call service management platform, so that the cloud encrypted-call service management platform generates and stores a lookup table of terminal identifiers against key management platform identifiers.

Further, the calling terminal initiating a call, and the calling terminal and the called terminal sending a verification request to the cloud encrypted-call service management platform to obtain the encrypted-call identifier returned by it, includes:

the calling terminal and the called terminal reporting the calling number and called number of this call to the cloud encrypted-call service management platform, so that the platform generates the encrypted-call identifier of this call from the calling number and the called number;

when the cloud encrypted-call service management platform determines from the lookup table that the key management platform identifiers of the calling terminal and the called terminal differ, the calling terminal and the called terminal obtaining from the platform the encrypted-call identifier together with the identifier of the key management platform to which the peer belongs.
Further, after the call is connected, the calling terminal and the called terminal playing a prompt tone and, based on the encrypted-call identifier, applying to their key management platforms for the session key of this call, the session key being distributed by the quantum key distribution system, includes:

the called terminal sending a first key request to the key management platform to which it belongs, so that the key management platform obtains a key identifier from the cryptographic machine and returns it to the called terminal, the first key request carrying the encrypted-call identifier and the identifier of the key management platform to which the peer belongs;

the called terminal pushing the key identifier and the encrypted-call identifier to the cloud encrypted-call service management platform, so that the platform pushes the key identifier and the encrypted-call identifier to the calling terminal;

the calling terminal sending a second key request, carrying the key identifier and the encrypted-call identifier, to the key management platform to which it belongs, so that the key management platform returns the session key to the calling terminal.

Further, the key management platform obtaining the key identifier from the cryptographic machine and returning it to the called terminal includes:

the key management platform sending a first key application to the cryptographic machine, so that the cryptographic machine initiates a second key application to the QKD network it is connected to; the first key application carries the encrypted-call identifier, the calling number, the called number and the identifier of the key management platform to which the peer belongs, and the second key application carries the identifier of the key management platform to which the peer belongs;

the QKD network, according to the second key application, obtaining a symmetric key of the QKD nodes to which the calling terminal and the called terminal belong, and returning the symmetric key to the cryptographic machine;

the cryptographic machine returning the symmetric key and the key identifier to the called terminal through the key management platform.

Further, based on the session key, the calling terminal and the called terminal using the media channel to synchronize their key acquisition states and then conducting an encrypted voice call includes:

the calling terminal and the called terminal obtaining the session key;

the calling terminal and the called terminal sending key-acquisition notification information to the cloud encrypted-call service management platform for synchronization, so that the platform transparently relays the notification information to the calling terminal and the called terminal, completing key acquisition state synchronization.
进一步地,在所述主叫终端和被叫终端中至少一个为基于SIP拓展字段请求分发入密标识的SIP终端时,所述方法还包括:Further, when at least one of the calling terminal and the called terminal is a SIP terminal that requests distribution of an encryption ID based on the SIP extension field, the method further includes:
所述云端密话业务管理平台与IMS网络完成用户同步接口和密话标识推送接口;The cloud encrypted call service management platform and the IMS network complete a user synchronization interface and an encrypted call identification push interface;
由所述云端密话业务管理平台或所述IMS网络生成所述密话标识,并由所述IMS网络下发对应的密话标识至所述SIP终端,所述SIP终端包括密钥中间件和语音中间件;The cloud encrypted call service management platform or the IMS network generates the encrypted call identifier, and the IMS network delivers the corresponding encrypted call identifier to the SIP terminal. The SIP terminal includes a key middleware and Voice middleware;
所述语音中间件获取经基带芯片处理后的密话标识,并调用所述密钥中间件,向所述密钥管理平台申请获取所述会话密钥。The voice middleware obtains the secret speech identifier processed by the baseband chip, calls the key middleware, and applies to the key management platform to obtain the session key.
In addition, the present invention also proposes a VoLTE voice encrypted communication terminal. The terminal is provided with a security chip and an intermediate component; an authentication key is stored in the security chip, and the intermediate component includes a key middleware, a service middleware and a voice middleware, wherein:
The key middleware is used to complete identity authentication to the key management platform to which the terminal belongs, using the authentication key stored in the security chip; the service middleware requests login from the cloud encrypted-call service management platform; and the voice middleware starts automatically;
The service middleware is used, after the two parties initiate a call, to send a verification request to the cloud encrypted-call service management platform in order to obtain the encrypted-call identifier returned by that platform; the service middleware is further used, after the call is connected and the terminal has played the prompt tone, to call the key middleware and, based on the encrypted-call identifier, apply to the key management platform to which the terminal belongs for the session key of this call, the session key being distributed by the quantum key distribution network;
The key middleware is used to pass the session key to the voice middleware; after the voice middleware has synchronized the key acquisition status of both parties over the media channel, the two parties conduct the encrypted voice call;
The voice middleware is used to send an encryption-end message after the call is hung up, ending this encrypted call.
Further, the service middleware includes a UI display module, an encrypted-call notification module, an encrypted-call identifier synchronization module and a key negotiation initiation module, wherein:
The UI display module is used to display the subscription decision information coordinated with the cloud encrypted-call service management platform, the notification and identifier synchronization information for this encrypted call, and the status of the key negotiation started for this encrypted call;
The encrypted-call notification module is used to interact with the interface of the cloud encrypted-call service management platform;
The encrypted-call identifier synchronization module is used, after the cloud encrypted-call service management platform has determined that both parties are qualified and eligible for an encrypted call, to obtain the encrypted-call identifier and the peer's acquisition status returned by that platform, completing the delivery and synchronization of the encrypted-call identifier;
The key negotiation initiation module is used, after the key identifier synchronization is completed, to initiate a key request to the key middleware based on the key identifier and to obtain the corresponding key negotiation status.
Further, the key middleware includes an external service interface, a general cryptographic service module and a cryptographic device service module, wherein:
The external service interface is used to connect external applications via inter-process communication;
The general cryptographic service module is used to provide key management, identity authentication and key operation interfaces;
The cryptographic device service module is used to obtain the authentication key stored in the security chip.
Further, the voice middleware includes a voice interception module, a voice rate filtering module, a voice encryption module and a voice return module, wherein:
The voice interception module is used to monitor the voice data transmission channel in the current terminal system and to intercept and return voice call data;
The voice rate filtering module is used to receive and inspect the voice call data passed on by the voice interception module and to obtain the AMR payload data;
The voice encryption module is used for key handling, session key status negotiation, and the encryption, decryption, sending and receiving of voice data;
The voice return module is used to send the AMR payload data frame by frame to the voice encryption module, and to return the encrypted voice data processed by the voice encryption module to the voice rate filtering module.
In addition, the present invention also proposes a VoLTE voice encrypted communication system, which includes: a quantum key distribution network, a calling terminal, a called terminal, a first key management platform, a second key management platform, a first cryptographic machine, a second cryptographic machine, a cloud encrypted-call service management platform and an operator network;
The calling terminal and the called terminal each integrate a security chip, in which an authentication key is stored;
The calling terminal is connected to the first key management platform and the called terminal to the second key management platform; the first key management platform accesses the quantum key distribution network through the first cryptographic machine, and the second key management platform accesses the quantum key distribution network through the second cryptographic machine; the calling terminal and the called terminal each access the cloud encrypted-call service management platform through the operator network;
An intermediate component is provided in each of the calling terminal and the called terminal; the intermediate component includes a key middleware, a service middleware and a voice middleware, where the key middleware is connected to the first or the second key management platform, the service middleware is connected to the cloud encrypted-call service management platform, and the voice middleware is connected to the underlying data transmission channel;
The key middleware is used to complete identity authentication to the key management platform to which it belongs, using the authentication key stored in its corresponding security chip; the service middleware requests login from the cloud encrypted-call service management platform; and the voice middleware starts automatically;
After the calling terminal initiates a call, the service middleware is used to send a verification request to the cloud encrypted-call service management platform in order to obtain the encrypted-call identifier returned by that platform;
After the call is connected, the calling terminal and the called terminal play a prompt tone, and the service middleware calls the key middleware and, based on the encrypted-call identifier, applies to the key management platform to which it belongs for the session key of this call, the session key being distributed by the quantum key distribution network;
The key middleware passes the session key to the voice middleware; after the voice middleware has synchronized the key acquisition status of the calling terminal and the called terminal over the media channel, the calling terminal and the called terminal conduct the encrypted voice call;
After the call is hung up, the voice middleware sends an encryption-end message, ending this encrypted call.
The advantages of the present invention are:
(1) In the present invention, a security chip is integrated in each of the calling terminal and the called terminal, and each terminal uses the authentication key stored in its own integrated security chip to complete identity authentication to the key management platform to which it belongs. The key management platform stores session key pairs distributed through the quantum key distribution network, and VoLTE terminal authentication and key distribution are realized with a symmetric-key algorithm, so no certificate management module is needed; compared with a certificate system this is faster to compute and offers high security. Moreover, the encrypted call is initiated through the VoLTE flow: the clear call is connected first and the key negotiation flow follows, which avoids negotiating the key too early and avoids the problem that a user answering too quickly places excessive demands on key negotiation. When the clear call is actually set up, a prompt tone is first played at one end and the real encrypted call begins only once key negotiation has completed, so the user perceives only the encrypted call and the user experience is good. In addition, using the connected media channel as the key status synchronization interface allows the key synchronization timing to be coordinated over the media channel, improving synchronization efficiency.
(2) The present invention provides a complete end-to-end instance covering the terminal's internal processing flow, the cloud encrypted-call service management platform, the key management platform and the corresponding quantum key distribution network.
(3) The present invention solves the problem of VoLTE interoperability with key exchange between different key management platforms under two QKD nodes.
(4) Both SIP terminals and non-SIP terminals can implement the solution of the present invention without modification to either type of terminal, so it is easy to implement.
Additional aspects and advantages of the invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention.
Description of the drawings
Figure 1 is a schematic flowchart of the VoLTE voice encrypted communication method in the first embodiment of the present invention;
Figure 2 is a schematic diagram of the sub-steps of step S10 in the first embodiment of the present invention;
Figure 3 is a schematic diagram of the sub-steps of step S20 in the first embodiment of the present invention;
Figure 4 is a schematic diagram of the sub-steps of step S30 in the first embodiment of the present invention;
Figure 5 is a schematic diagram of the sub-steps of step S40 in the first embodiment of the present invention;
Figure 6 is a schematic structural diagram of the VoLTE voice encrypted communication terminal in the second embodiment of the present invention;
Figure 7 is a schematic diagram of the connections of the intermediate component in the second embodiment of the present invention;
Figure 8 is a schematic structural diagram of the VoLTE voice encrypted communication system in the third embodiment of the present invention.
Detailed description of the embodiments
In order to make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below in conjunction with the embodiments. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention, without creative effort, fall within the scope of protection of the present invention.
Referring to Figure 1, the first embodiment of the present invention proposes a VoLTE voice encrypted communication method in which a security chip is integrated in each of the calling terminal and the called terminal. The method includes the following steps:
S10. The calling terminal and the called terminal each complete identity authentication to the key management platform to which they belong, using the authentication key stored in their corresponding security chip;
It should be noted that each key management platform uses its key charging function to charge the security chips connected to it; the calling terminal and the called terminal each obtain a charged key and use it as their authentication key, and there is no correlation between the charged keys. This embodiment uses the key pre-provisioned in the security chip as the authentication key, which removes the dependence on certificates in VoLTE handheld terminal authentication and achieves one key per authentication.
S20. The calling terminal initiates a call, and the calling terminal and the called terminal send verification requests to the cloud encrypted-call service management platform to obtain the encrypted-call identifier returned by that platform;
It should be noted that when the calling and called parties set up the call and the called terminal starts ringing, the calling terminal and the called terminal apply to the cloud encrypted-call service management platform to verify the subscription information of both parties. The platform checks its own service records to determine whether both parties have subscribed to the encrypted-call service; once verification is complete, it generates the unique identifier of this call, the encrypted-call identifier, from the accounts of the calling and called parties and delivers it to the calling terminal and the called terminal.
S30. After the call is connected, the calling terminal and the called terminal play a prompt tone and, based on the encrypted-call identifier, apply to the key management platform to which they belong for the session key of this call, the session key being distributed by the quantum key distribution network;
It should be noted that, to prevent the calling and called parties from talking in the clear beforehand, the calling terminal and the called terminal first play a "key negotiation in progress" prompt tone before any clear conversation, during which the two parties temporarily cannot talk. Based on the encrypted-call identifier, they then apply to their key management platform for the session key of this call; the key management platform applies to the cryptographic machine connected to it for the session key, and the quantum key stored in the cryptographic machine, distributed by the quantum key distribution network, serves as the session key of this call.
S40. Based on the session key, the calling terminal and the called terminal synchronize their key acquisition status over the media channel and then conduct the encrypted voice call;
It should be noted that using the connected media channel as the key status synchronization interface allows the key synchronization timing to be coordinated over the media channel, improving synchronization efficiency.
It should be noted that when the calling terminal and the called terminal begin the encrypted voice call, voice is intercepted and qualifying voice data is encrypted for transmission.
S50. The calling terminal and the called terminal send an encryption-end message, ending this encrypted call.
It should be noted that when the calling terminal and the called terminal hang up, an encrypted-call-end message is sent and both parties end this encrypted call.
In this embodiment, a security chip is integrated in each of the calling terminal and the called terminal, and each terminal uses the authentication key stored in its own integrated security chip to complete identity authentication to the key management platform to which it belongs. The key management platform stores session key pairs distributed through the quantum key distribution network, and VoLTE terminal authentication and key distribution are realized with a symmetric-key algorithm, so no certificate management module is needed; compared with a certificate system this is faster to compute and offers high security. Moreover, the encrypted call is initiated through the VoLTE flow: the clear call is connected first and the key negotiation flow follows, which avoids negotiating the key too early and avoids the problem that a user answering too quickly places excessive demands on key negotiation. When the clear call is actually set up, a prompt tone is first played at one end and the real encrypted call begins only once key negotiation has completed, so the user perceives only the encrypted call and the user experience is good. In addition, using the connected media channel as the key status synchronization interface allows the key synchronization timing to be coordinated over the media channel, improving synchronization efficiency.
Further, in the key charging stage the present invention directly uses the keys charged by the key management platform into the security chips of the calling and called parties as their authentication keys; the authentication keys stored in the two parties' chips are unrelated to each other, and their main role is to let each party authenticate itself to the key management platform with the key stored in its own chip, achieving one key per authentication. In the voice communication stage, when the calling and called parties apply for the key of this communication, the key management platform uses a fresh key from each party's security chip as the protection key under which the session key is delivered. Although the plaintext of the session key is the same for both parties, the authentication keys stored in the two security chips differ, so the key ciphertext received by the calling party differs from that received by the called party, giving one-time-pad style delivery of the session key. Moreover, the whole process uses no label system, which reduces the interaction flow, and it does not require the keys inside the calling and called parties to be identical; this decouples the root key charged into the security chips from the session key actually needed for voice communication, providing greater adaptability and a better fit to real service conditions.
In one embodiment, referring to Figure 2, step S10 includes the following sub-steps:
S11. Each security chip obtains the identifier of the key management platform to which it belongs;
It should be noted that each key management platform uses its charging function to charge the security chips connected to it, and the charging process writes the identifier of the key management platform into the connected security chip; this identifier is unique within the quantum key distribution (QKD) network.
S12. The calling terminal and the called terminal each invoke the authentication key stored in their corresponding security chip to complete identity authentication to the key management platform to which they belong;
It should be noted that after the terminal starts, it invokes the authentication key stored in the security chip to complete login authentication to the key management platform to which it belongs, and the terminal also provides key services externally.
S13. The calling terminal and the called terminal upload the identifier of the key management platform to which they belong, together with their own terminal identifier, to the cloud encrypted-call service management platform, so that the platform generates and stores a mapping table of terminal identifiers to key management platform identifiers.
It should be noted that the cloud encrypted-call service management platform stores the correspondence between user terminals and the individual key management platforms; serving as the user resource database shared by the interconnected key management platforms, it provides a cross-platform key negotiation lookup service and can accommodate VoLTE service interoperability across multiple key platforms under the QKD network.
In one embodiment, referring to Figure 3, step S20 includes the following sub-steps:
S21. The calling terminal and the called terminal report the calling number and the called number of this call to the cloud encrypted-call service management platform, so that the platform generates the encrypted-call identifier of this call from the calling number and the called number;
S22. When the cloud encrypted-call service management platform determines from the mapping table that the key management platform identifiers of the calling terminal and the called terminal differ, the calling terminal and the called terminal obtain from the platform the encrypted-call identifier together with the identifier of the key management platform to which the peer belongs.
It should be noted that the calling terminal and the called terminal report the calling and called numbers of this call to the cloud encrypted-call service management platform, which determines from the encrypted-call subscription status of both parties whether this call is eligible to enter encrypted mode. The platform also checks the most recent login status of both parties and, if both are normal, generates the encrypted-call identifier of this call from the calling and called numbers. At the same time it checks, against the mapping table, the identifiers of the key management platforms to which the two parties belong; if they differ, the cloud encrypted-call service management platform returns the identifier of the peer's key management platform together with the encrypted-call identifier to the terminal.
The way the encrypted-call identifier is obtained in this embodiment accommodates VoLTE service interoperability across multiple key platforms under the QKD network, because with multiple key management platforms the service identifier cannot directly stand in for the key identifier.
在一实施例中,参照图4,所述步骤S30,包括以下细分步骤:In one embodiment, referring to Figure 4, step S30 includes the following subdivided steps:
S31、所述被叫终端向其所属密钥管理平台发送第一密钥请求,以使所述密钥管理平台从密码机中获取密钥标识并返回至所述被叫终端,所述第一密钥请求携带有所述密话标识以及对端所属密钥管理平台的标识;S31. The called terminal sends a first key request to the key management platform to which it belongs, so that the key management platform obtains the key identification from the cryptographic machine and returns it to the called terminal. The first The key request carries the encryption key identifier and the identifier of the key management platform to which the peer belongs;
It should be noted that the called terminal generally acts as the active end: using the parameters (the identifier of the platform to which the peer belongs and the encrypted-call identifier), it requests a key from the key management platform to which it belongs.
S32. The called terminal pushes the key identifier and the encrypted-call identifier to the cloud encrypted-call service management platform, so that the cloud encrypted-call service management platform pushes the key identifier and the encrypted-call identifier to the calling terminal;
S33. The calling terminal sends a second key request, carrying the key identifier and the encrypted-call identifier, to the key management platform to which it belongs, so that the key management platform returns the session key to the calling terminal.
It should be noted that with a single key management platform, since keys are generated by one platform, the encrypted-call identifier can be used directly as the key identifier to complete key acquisition at both ends: the calling and called parties both present the encrypted-call identifier to the same key management platform to obtain the key. With multiple key management platforms, however, each key management platform relies mainly on the key interface provided by the QKD network to complete two-ended key negotiation; a key is negotiated and a key identifier is returned. The active end of the key request obtains this key identifier, but the other end cannot use the same encrypted-call identifier to uniquely identify a key, so key synchronization cannot be achieved.
This embodiment establishes the association between the key identifier obtained after QKD remote key negotiation and the encrypted-call identifier of the current VoLTE call, solves the key distribution problem under multiple key management platforms, and achieves genuine key synchronization.
In one embodiment, in step S31, the key management platform obtaining the key identifier from the cryptographic machine and returning it to the called terminal includes:
the key management platform sends a first key request to the cryptographic machine, so that the cryptographic machine, according to the first key request, initiates a second key request to the QKD network to which it is connected, where the information carried in the first key request includes the encrypted-call identifier, the calling number, the called number and the identifier of the key management platform to which the peer belongs, and the information carried in the second key request includes the identifier of the key management platform to which the peer belongs;
the QKD network, according to the second key request, obtains a symmetric key of the QKD nodes to which the calling terminal and the called terminal belong, and returns the symmetric key to the cryptographic machine;
the cryptographic machine returns the symmetric key and the key identifier to the called terminal through the key management platform.
It should be noted that this embodiment provides an end-to-end instance covering the internal processing flow of the terminal, the cloud encrypted-call service management platform, the key management platform and the corresponding quantum key distribution network, and it addresses VoLTE interworking when keys are exchanged between different key management platforms under two QKD nodes.
In one embodiment, referring to Figure 5, step S40 includes the following sub-steps:
S41. The calling terminal and the called terminal obtain the session key;
S42. The calling terminal and the called terminal synchronize key-acquisition notification information to the cloud encrypted-call service management platform, so that the cloud encrypted-call service management platform transparently forwards the notification information to the calling terminal and the called terminal, completing key-acquisition status synchronization.
It should be noted that in some scenarios, once the calling and called parties have obtained the relevant keys, the user expects the call to be encrypted as soon as it is connected, rather than connecting the call first and then distributing keys, which improves the user's experience of VoLTE encrypted calls. This embodiment uses the terminal push mechanism to provide an optimized instance of key synchronization that does not depend on the media stream; it can synchronize the key-acquisition status of both parties whether they are under the same key platform or different key platforms, and therefore has a certain adaptability.
Further, in some scenarios, customized terminals that request distribution of the encryption-entry identifier through SIP extension fields (SIP terminals) coexist with customized terminals that do not depend on SIP extension fields (non-SIP terminals). The main difference between the two is that SIP terminals have been modified on the module side so that they can process SIP extension fields; what they have in common is a similar key middleware and voice middleware structure for key negotiation and voice encryption and decryption. Therefore, it is only necessary to connect the cloud management platform to the service AS (service authentication platform) in the IMS that is responsible for key identifier distribution, and VoLTE interworking can be achieved without modifying the terminals. This solution requires no changes to the two existing terminal types and is easy to implement. The specific implementation steps include:
(1) The service AS (service authentication platform) of the IMS component responsible for key identifier distribution and the cloud encrypted-call service management platform implement a user synchronization interface and an encrypted-call identifier push interface;
(2-1) First scenario: one of the two parties is a SIP terminal, and the SIP terminal is the calling party:
After the caller initiates the call, the call request is sent to the service AS (service authentication platform) of the IMS network responsible for key identifier distribution. The AS queries the local synchronization database to determine the terminal type of the account; if the encryption-entry conditions are met, it generates the corresponding encrypted-call identifier and sends it to the cloud encrypted-call service management platform, which pushes the encrypted-call identifier to the peer terminal. The SIP terminal continues to use the encrypted-call identifier delivered by the AS to complete encryption entry.
(2-2) Second scenario: the SIP terminal is the called party, and a normal calling party initiates the call:
The cloud encrypted-call service management platform is queried and finds that the peer is a SIP terminal; it generates the encrypted-call identifier and pushes it to the service AS (service authentication platform) of the IMS network responsible for key identifier distribution, and the AS delivers the corresponding encryption-entry identifier to the terminal using the SIP extension scheme to complete encryption entry.
(3) After the encrypted-call identifier is delivered, the SIP terminal passes the encryption-entry identifier processed by the baseband chip to the voice middleware, and the voice middleware calls the key middleware to obtain the key from the key management platform according to the encryption-entry identifier. For non-SIP terminals without the extension field, the key is obtained by having the service middleware push the encryption-entry identifier to the key middleware.
(4) Both the calling and called parties obtain the key through the key middleware and follow steps S40 to S50 to implement the voice encryption function.
In addition, referring to Figures 6 and 7, a second embodiment of the present invention proposes a VoLTE voice encrypted communication terminal. The terminal is provided with a security chip 4 and intermediate components; the security chip 4 stores an authentication key, and the intermediate components include key middleware 3, service middleware 1 and voice middleware 2, where:
the key middleware 3 is configured to use the authentication key stored in the security chip 4 to complete identity authentication to the key management platform to which it belongs; the service middleware 1 requests login to the cloud encrypted-call service management platform; and the voice middleware 2 starts itself;
the service middleware 1 is configured to send, after the two parties initiate a call, a verification request to the cloud encrypted-call service management platform to obtain the encrypted-call identifier returned by the cloud encrypted-call service management platform; the service middleware 1 is further configured to call the key middleware after the call is connected and the terminal has played the prompt tone, and to request the session key for this call from the key management platform to which it belongs on the basis of the encrypted-call identifier, the session key being distributed by the quantum key distribution network;
the key middleware 3 is configured to pass the session key to the voice middleware, and after the voice middleware 2 has used the media channel to complete synchronization of the key-acquisition status of both parties, the two parties conduct the encrypted voice call;
the voice middleware 2 is configured to send an encryption end message after the call is hung up, ending this encrypted call.
In this embodiment, inside the terminal, the three middleware components rely on the key held in the security chip for entity authentication between middleware components and from middleware to platform; no public/private key pair is used, the key in the security chip is used for entity authentication with one key per authentication, which gives fast authentication.
Specifically, the key middleware interacts with the security chip integrated in the terminal and supports multiple channel protocols to read and operate keys inside different types of security chips. Since most security chips are single-channel, the key middleware needs to provide a unified external service capable of application authentication, access control and scheduling for connecting applications; at the same time, the key middleware works with the key management platform to complete security-chip-based identity authentication, key negotiation, session key acquisition, encryption and destruction, so that the middleware provides unified management, control and service of cryptographic security capabilities.
The service middleware interacts with the cloud encrypted-call service management platform to complete VoLTE encrypted-call notification and encrypted-call identifier synchronization, and calls the cryptographic middleware to complete key negotiation. During the middleware initialization phase it can report the platform identifier filled into the security chip, and from the reported information the cloud encrypted-call service management platform can build a global mapping between users and key management platforms.
The service middleware can report the current call progress according to the call state. It also runs in the mobile phone as an independent process that starts automatically on boot and keeps the process from being killed by the phone's operating system.
The voice middleware runs as an independent process in the phone's middleware layer and mainly interacts with the underlying voice processing and transmission module of the phone, disabling the silence detection mechanism and the recording function during encrypted calls; it monitors the voice call state at the bottom layer of the phone system and can call the cryptographic operation interface provided by the cryptographic middleware to encrypt and decrypt the voice stream.
In one embodiment, referring to Figure 6, the service middleware includes a UI display module, an encrypted-call notification module, an encrypted-call identifier synchronization module and a key negotiation initiation module, where:
the UI display module is configured to display the judgment information about user subscription coordinated with the cloud encrypted-call service management platform, the notification and identifier synchronization information of the current encrypted call, and the key negotiation status at the start of the current encrypted call;
the encrypted-call notification module is configured to interact with the interface of the cloud encrypted-call service management platform;
the encrypted-call identifier synchronization module is configured to obtain, after the cloud encrypted-call service management platform has determined that both parties are qualified and meet the conditions for an encrypted call, the encrypted-call identifier and the peer's acquisition status returned by the cloud encrypted-call service management platform, completing delivery and synchronization of the encrypted-call identifier;
the key negotiation initiation module is configured to initiate, after key identifier synchronization is completed, a key request to the key middleware on the basis of the key identifier and to obtain the corresponding key negotiation status.
Specifically, the UI display module provides the UI display for each stage of encrypted-call establishment, mainly including the display of user subscription information and judgment information coordinated with the cloud encrypted-call service management platform, the display of the notification and identifier synchronization information of the current encrypted call, and the display of the key negotiation status at the start of the current encrypted call.
The encrypted-call notification module interacts with the interface of the cloud encrypted-call service management platform to determine whether the calling and called parties are subscribed to the encrypted-call service, to determine the current network status of both parties, and to implement message push with the cloud encrypted-call service management platform.
The encrypted-call identifier synchronization module works as follows: after the cloud encrypted-call service management platform has determined that both parties are qualified and meet the conditions for an encrypted call, it generates the identifier of this call and pushes it to the service middleware; the service middleware obtains the peer's acquisition status through the cloud encrypted-call service management platform and completes delivery and synchronization of the encrypted-call identifier. This interface is mainly used for VoLTE calls between users belonging to different key management platforms; users of the same key platform do not need this function.
The key negotiation initiation module is used, after the key identifier synchronization interface has completed, by the service middleware to initiate a key application request to the key middleware with that identifier and to obtain the corresponding key negotiation status.
In one embodiment, referring to Figure 6, the key middleware includes an external service interface, a general cryptographic service module and a cryptographic device service module, where:
the external service interface is configured to connect external applications through inter-process communication;
the general cryptographic service module is configured to provide key management, identity authentication and key operation interfaces;
the cryptographic device service module is configured to obtain the authentication key stored in the security chip.
Specifically, the external service mainly includes external application authentication, access control and process communication, providing secure access for external applications, which connect to the key middleware through inter-process communication.
The general cryptographic service module mainly includes key management, identity authentication and key operation interfaces, providing key services to external applications.
Specifically, during startup the key middleware obtains the key in the security chip through the cryptographic device service interface and uses one key in the security chip as the authentication key to complete identity authentication to the key management platform. The whole authentication process is based on the two-pass authentication mechanism specified in the 15843.2 standard; it achieves one-time keying during authentication and avoids the excessive complexity and computational cost of certificate-based authentication.
The service middleware completes the basic synchronization of the encrypted-call identifier and passes it to the key middleware through the key middleware's external interface; the key middleware uses the encrypted-call identifier and the calling and called numbers as the key identifier to request the corresponding session key from the key management platform, thereby requesting and obtaining the session key for this call.
The cryptographic device service module mainly implements device management of the security chip, application management of on-card containers and files, key management and invocation of the operation interfaces.
In one embodiment, referring to Figure 6, the voice middleware includes a voice interception module, a voice rate screening module, a voice encryption module and a voice return module, where:
the voice interception module is configured to monitor the voice data transmission channel in the current terminal system, and to intercept and return voice call data;
the voice rate screening module is configured to receive and inspect the voice call data transmitted by the voice interception module and to obtain AMR payload data;
the voice encryption module is configured to perform key processing, session key status negotiation, and encryption, decryption, sending and receiving of voice data;
the voice return module is configured to send the AMR payload data frame by frame to the voice encryption module, and to return the encrypted voice data processed by the voice encryption module to the voice rate screening module.
Specifically, the voice interception module mainly monitors the voice data transmission channel in the current phone system, and intercepts and returns voice call data.
The voice rate screening module receives and inspects the voice call data transmitted from the voice data interception module. The VoLTE voice data can be processed according to VoLTE voice quality rules, so in principle VoLTE voice data at different bit rates can be handled to suit different network environments; for voice data that meets the conditions, AMR payload data is obtained and pushed to the voice return module. In accordance with the 3GPP specifications, qualifying AMR payload data is pushed to the voice return module; other voice data that does not meet this requirement is sent back to the phone's voice data transmission channel.
The voice return module sends the AMR payload data frame by frame in real time to the negotiation and encryption module, and receives the VoLTE encrypted voice data processed by the negotiation and encryption module and returns it to the voice rate screening module.
The voice encryption module performs key processing, session key status negotiation, and encryption, decryption, sending and receiving of voice data.
Specifically, the key processing function mainly lets the voice middleware obtain the session key by interacting with the key middleware; the session key is protected in encrypted form, and the key processing function processes the session key ciphertext and initializes the encryption environment.
The session key negotiation includes: after obtaining the session key, both parties need to send, over the existing system voice data transmission channel, a voice message related to the encrypted-call identifier of this call, and check for the peer's returned message through the voice rate screening module. If the screening module detects the peer's returned message, it means that the voice data of both parties is being transmitted in the operator's VoLTE environment, the AMR payload rates of both parties match, and the peer has also completed session key negotiation as required by the encrypted-call establishment instruction, so the session key for the encrypted call is ready. If the peer's returned message cannot be detected, it means that one party is not in the VoLTE environment or session key acquisition has failed, the AMR payload rates do not match, and negotiation of the encrypted call fails. If negotiation succeeds, voice data encryption begins.
The voice data encryption and decryption includes: after both parties complete session key negotiation, VoLTE voice data is passed through the voice return module. The encryption module adapts to the VoLTE coding rate, and throughout the encryption and decryption life cycle, for the uplink and downlink voice streams, the encryption and decryption module constructs encryption/decryption start and end messages to control and synchronize the encryption and decryption state.
The encrypted terminal in this embodiment has the service, key and voice middleware features provided for VoLTE encryption, together with similar in-terminal programs, to ensure that the VoLTE encryption service can be carried out.
In one embodiment, to support VoLTE service interworking across multiple key platforms under the QKD network, the key middleware using the authentication key stored in the security chip to complete identity authentication to the key management platform to which it belongs, the service middleware requesting login to the cloud encrypted-call service management platform, and the voice middleware starting itself are specifically carried out as follows:
a1) The key management platform uses the key filling function to fill the security chip; during filling, the key management platform identifier of this platform is written into the security chip, and this identifier is unique within the QKD network.
a2) The security chip is integrated into the terminal; after the terminal starts, the key middleware uses the key stored in the security chip to complete login authentication to the key management platform, and at the same time the key middleware provides key services externally.
a3) The service middleware connects to the key middleware, obtains the filled-in key management platform identifier, and uploads its own information (terminal information) and the key management platform identifier to the cloud encrypted-call service management platform.
a4) The cloud encrypted-call service management platform stores the mapping between users and each key management platform, serves as the user resource database connecting multiple key management platforms, and provides a cross-platform key negotiation query service.
In one embodiment, the service middleware sending, after the two parties initiate a call, a verification request to the cloud encrypted-call service management platform to obtain the encrypted-call identifier returned by the cloud encrypted-call service management platform is specifically carried out as follows:
b1) The terminal uses the service middleware to report the calling and called numbers of this call to the cloud encrypted-call service management platform. The cloud encrypted-call service management platform judges, from the encrypted-call subscription status of the calling and called parties, whether this call meets the conditions for entering an encrypted call; at the same time it checks the most recent login status of the middleware of both parties. If the middleware status of both parties is normal, it generates the encrypted-call identifier of this call from the calling and called numbers and checks the identifiers of the key management platforms to which the two parties belong; if they differ, the cloud encrypted-call service management platform returns the identifier of the key platform to which the peer belongs, together with the generated encrypted-call identifier of this call, to the service middleware.
b2) After the key negotiation phase starts, the service middleware in the terminal sends the identifier of the key platform to which the peer belongs and the encrypted-call identifier generated by the cloud encrypted-call service management platform to the key middleware.
In one embodiment, after the call is connected the terminal plays the prompt tone, and the service middleware calling the key middleware and requesting the session key for this call from the key management platform to which it belongs on the basis of the encrypted-call identifier is specifically carried out as follows:
c1) The called party generally acts as the active end; the cryptographic middleware requests a key from its own key management platform using the parameters (the identifier of the platform to which the peer belongs and the encrypted-call identifier).
c2) The key management platform obtains the key from the cryptographic machine using the encrypted-call identifier, the calling and called numbers and the identifier of the key platform to which the peer belongs; the cryptographic machine initiates a key request to the QKD network it is connected to according to the key platform identifier.
c3) According to the request, the QKD network uses the key platform identifiers of the calling and called parties to obtain a symmetric key of the designated QKD nodes to which the calling and called parties belong, and returns the corresponding key identifier to the cryptographic machine.
c4) The cryptographic machine returns the corresponding key and, through the key management platform, returns the key and the key identifier to the called end.
c5) The cryptographic middleware at the called end pushes the key identifier to the service middleware, and the service middleware pushes the key identifier and the encrypted-call identifier to the cloud encrypted-call service management platform.
c6) The cloud encrypted-call service management platform pushes the key identifier and the encrypted-call identifier to the calling end.
c7) The service middleware at the calling end pushes the key identifier and the encrypted-call identifier to its own key middleware, and the calling party's key middleware uses these two parameters to obtain the session key from its own key management platform.
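The following is an added model of the cross-platform key synchronization described in steps S31-S33 and c1-c7 above; it is not code from the patent. The QKD network, the key management platforms (with their cryptographic machines folded in) and the cloud platform are in-memory stand-ins, the 32-byte random keys and the numbers "10001", "20002" and "20003" are constructed, and the binding of each key identifier to a single encrypted-call identifier inside the platform is an assumed check that the page does not describe. The model also shows why the single-platform shortcut (using the encrypted-call identifier alone as the key identifier) fails once the two parties belong to different platforms.

```python
import hashlib
import os


class QkdNetwork:
    """Stand-in for the QKD network. Each QKD node keeps a key store indexed by
    key identifier; negotiating a key for two nodes puts the same key into both
    stores under the same identifier (the page's step c3)."""

    def __init__(self):
        self.node_store = {}          # node_id -> {key_id: key_bytes}
        self.counter = 0

    def negotiate(self, node_a, node_b):
        self.counter += 1
        key_id = f"qkd-{self.counter:04d}"
        key = os.urandom(32)          # constructed stand-in for a QKD-distributed key
        for node in (node_a, node_b):
            self.node_store.setdefault(node, {})[key_id] = key
        return key_id

    def fetch(self, node_id, key_id):
        return self.node_store.get(node_id, {}).get(key_id)


class KeyManagementPlatform:
    """A key management platform (its cryptographic machine folded in) attached
    to the QKD node carrying the same identifier."""

    def __init__(self, platform_id, qkd):
        self.platform_id = platform_id
        self.qkd = qkd
        self.bound_call = {}          # key_id -> call_id (assumed check, not on the page)

    def first_key_request(self, call_id, peer_platform):
        # Active end (c1-c4): negotiate a key shared with the peer's node and
        # remember which encrypted call the returned key identifier belongs to.
        key_id = self.qkd.negotiate(self.platform_id, peer_platform)
        self.bound_call[key_id] = call_id
        return key_id, self.qkd.fetch(self.platform_id, key_id)

    def second_key_request(self, key_id, call_id):
        # Passive end (c7 / S33): fetch by key identifier from our own node, but
        # refuse a key identifier that is already bound to a different call.
        if self.bound_call.setdefault(key_id, call_id) != call_id:
            raise PermissionError("key identifier bound to another call")
        key = self.qkd.fetch(self.platform_id, key_id)
        if key is None:
            raise LookupError("key identifier unknown to this platform's node")
        return key

    def lookup_by_call_id(self, call_id):
        # The single-platform shortcut: use the encrypted-call identifier as the
        # key identifier. Works only if this platform negotiated the key itself.
        for key_id, bound in self.bound_call.items():
            if bound == call_id:
                return self.qkd.fetch(self.platform_id, key_id)
        return None


class CloudPlatform:
    """Cloud encrypted-call service management platform: user-to-platform map
    (a3/a4), encrypted-call identifier generation (b1), key identifier relay (c5/c6)."""

    def __init__(self):
        self.user_platform = {}       # number -> key management platform id
        self.relay = {}               # call_id -> key_id pushed by the called end
        self.seq = 0

    def register(self, number, platform_id):
        self.user_platform[number] = platform_id

    def verify_call(self, caller, callee):
        self.seq += 1                 # assumed: keeps repeated calls distinct
        digest = hashlib.sha256(f"{caller}|{callee}|{self.seq}".encode()).hexdigest()
        return digest[:16], self.user_platform[caller], self.user_platform[callee]

    def push_key_id(self, call_id, key_id):
        self.relay[call_id] = key_id

    def pull_key_id(self, call_id):
        return self.relay[call_id]


def run_encrypted_call(cloud, platforms, caller, callee):
    """Drive b1 and c1-c7; return (call_id, key_id, caller_key, callee_key)."""
    call_id, caller_pf, callee_pf = cloud.verify_call(caller, callee)
    key_id, callee_key = platforms[callee_pf].first_key_request(call_id, caller_pf)
    cloud.push_key_id(call_id, key_id)                       # c5-c6
    caller_key = platforms[caller_pf].second_key_request(    # c7
        cloud.pull_key_id(call_id), call_id)
    return call_id, key_id, caller_key, callee_key


def single_platform_attempt(cloud, platforms, caller, callee):
    """The shortcut the page describes for a single platform: the caller asks its
    own platform by call_id alone. True only when that platform holds the key."""
    call_id, caller_pf, callee_pf = cloud.verify_call(caller, callee)
    _, callee_key = platforms[callee_pf].first_key_request(call_id, caller_pf)
    return platforms[caller_pf].lookup_by_call_id(call_id) == callee_key
```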
In one embodiment, the key middleware passes the session key to the voice middleware, and the voice middleware uses the media channel to complete the synchronization of the key acquisition status of both call parties; in detail:
d1) The key middleware of the calling and called parties obtain the session key for this call and notify their respective service middleware of the key acquisition status.
d2) The service middleware of both parties synchronize to the cloud encrypted-call service management platform the notification that the session key for this call has been obtained.
d3) The cloud encrypted-call service management platform transparently forwards the information pushed by each party to the other party's service middleware, completing the key acquisition status synchronization.
d4) The service middleware of each party synchronizes the status information to its middleware, completing the key acquisition status synchronization.
It should be noted that this is an optimized instance that uses the push mechanism of the service middleware directly to synchronize the key without relying on the media stream. This scheme does not depend on the key middleware and can synchronize the key acquisition status of both call parties whether they belong to the same key platform or to different key platforms, so it has a certain adaptability.
In one embodiment, after the key acquisition status of the calling terminal and the called terminal has been synchronized, the calling terminal and the called terminal conduct an encrypted voice call; in detail:
e1) The key middleware of the calling terminal and the called terminal passes the encrypted session key to the voice middleware, completing the initialization of the voice middleware's encryption state; the voice middleware uses the media channel to complete the synchronization of the key acquisition status of both call parties.
e2) The calling and called parties begin the encrypted conversation: the terminals start the encrypted voice call, and the voice middleware begins intercepting the voice and encrypting the voice data that meets the conditions.
e3) When the calling and called parties hang up, the voice middleware sends an encryption-end message, completing this encrypted call.
It should be noted that the terminal proposed in this embodiment avoids modifying the telecom operator's IMS network and extending the SIP signaling control protocol. Only through the deployment of a centralized management platform and the deep customization of the handset, in which three middleware components (service, voice, key) cooperate with one another, it solves the problems of transmitting key synchronization information through the voice channel, transmitting key synchronization information based on service data, and VoLTE encrypted interoperability between terminals with SIP extension fields and terminals without SIP extension fields. It has the advantages of wide adaptability, a simple construction scheme, low cost and a short construction cycle.
Moreover, by using the three deeply customized terminal middleware components (service, voice, key), it solves the VoLTE interoperability problem under a single key management platform and under multiple key management platforms based on the QKD quantum key distribution network, combining the security requirements of the customer's own cryptographic system construction with the need for network-wide interoperability, and improving the compatibility of VoLTE encryption services.
It should be noted that for other embodiments or implementation methods of the VoLTE voice encrypted communication terminal of the present invention, reference may be made to the method embodiments above, which are not repeated here.
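The following is an added simulation, written for this page and not code from the patent or its applicant, of the whole flow just described: the called end pulling a QKD key and key identifier from its own key management platform (c1-c4), the identifier travelling through the cloud platform to the calling end, which fetches the same key by identifier from its own platform (c5-c7), the key-acquired status being relayed between the ends (d1-d4), and the voice middleware encrypting frames with the resulting session key (e1-e3). Two terminals sit on different key management platforms sharing one QKD network, as in the system embodiment below. The class names, the challenge-response login with the security-chip key, the phone numbers and the HMAC-based frame keystream are all assumptions made for the example; a real voice middleware would use the SM4/one-time-pad modes the document names.

```python
"""Constructed simulation of the session-key flow in steps c1-c7, d1-d4 and e1-e3.
Every class, method and value here is an assumption made for this example."""
import hashlib, hmac, secrets


def prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

class QKDNetwork:
    """Toy QKD network: a key is shared by the two nodes named in the request and indexed
    by a key identifier, so the peer's cryptographic machine can fetch it later (c3, c7)."""
    def __init__(self):
        self._keys = {}                               # key_id -> (node pair, key bytes)
    def request_key(self, node_a, node_b):
        key_id = secrets.token_hex(8)
        self._keys[key_id] = (frozenset((node_a, node_b)), secrets.token_bytes(32))
        return key_id
    def fetch_key(self, node, key_id):
        nodes, key = self._keys[key_id]
        if node not in nodes:                         # a third platform cannot pull the pair's key
            raise PermissionError(f"{node} is not an endpoint of key {key_id}")
        return key

class KeyManagementPlatform:
    """Key management platform together with its cryptographic machine (the QKD client)."""
    def __init__(self, platform_id, qkd, auth_keys):
        self.platform_id, self.qkd, self.auth_keys = platform_id, qkd, auth_keys
        self.nonces, self.calls = {}, {}              # pending login challenges; call_id -> key_id
    def challenge(self, number):
        self.nonces[number] = secrets.token_bytes(16)
        return self.nonces[number]
    def authenticate(self, number, proof):            # challenge/response with the security-chip key
        if not hmac.compare_digest(prf(self.auth_keys[number], self.nonces.pop(number)), proof):
            raise PermissionError(f"authentication failed for {number}")
    def request_key_active(self, call_id, peer_platform):   # c1-c4, called (active) side
        key_id = self.qkd.request_key(self.platform_id, peer_platform)
        self.calls[call_id] = key_id                  # one QKD key is bound to exactly one call
        return key_id, self.qkd.fetch_key(self.platform_id, key_id)
    def request_key_passive(self, call_id, key_id):         # c7, calling side
        self.calls[call_id] = key_id
        return self.qkd.fetch_key(self.platform_id, key_id)

class CloudPlatform:
    """Cloud encrypted-call service management platform: relays key identifiers and
    key-acquired status between the two ends (c5, c6, d2, d3)."""
    def __init__(self):
        self.terminals = {}                           # number -> Terminal
    def new_call_id(self, caller, callee):            # encrypted-call id derived from both numbers
        return hashlib.sha256(f"{caller}:{callee}:{secrets.token_hex(4)}".encode()).hexdigest()[:16]
    def push_key_id(self, call_id, key_id, to_number):
        self.terminals[to_number].key_ids[call_id] = key_id
    def sync_status(self, call_id, to_number):
        self.terminals[to_number].peer_ready.add(call_id)

class Terminal:
    def __init__(self, number, kmp, chip_key, cloud):
        self.number, self.kmp, self.chip_key, self.cloud = number, kmp, chip_key, cloud
        self.key_ids, self.peer_ready = {}, set()
        cloud.terminals[number] = self
    def login(self):                                  # key middleware authenticating to its platform
        self.kmp.authenticate(self.number, prf(self.chip_key, self.kmp.challenge(self.number)))

def voice_crypt(key, frame_no, data):
    """XOR a voice frame with a per-frame keystream derived from the session key. A toy stand-in
    for the SM4/AES mode a real voice middleware would use (no integrity tag); encrypt == decrypt."""
    stream = b"".join(prf(key, frame_no.to_bytes(8, "big") + i.to_bytes(4, "big"))
                      for i in range(-(-len(data) // 32)))
    return bytes(a ^ b for a, b in zip(data, stream))

def run_call(caller, callee, frames):
    cloud = caller.cloud
    call_id = cloud.new_call_id(caller.number, callee.number)
    key_id, callee_key = callee.kmp.request_key_active(call_id, caller.kmp.platform_id)  # c1-c4
    cloud.push_key_id(call_id, key_id, caller.number)                                     # c5, c6
    caller_key = caller.kmp.request_key_passive(call_id, caller.key_ids[call_id])          # c7
    cloud.sync_status(call_id, caller.number); cloud.sync_status(call_id, callee.number)   # d1-d4
    if not (call_id in caller.peer_ready and call_id in callee.peer_ready):
        raise RuntimeError("key acquisition status not synchronized")
    sent = [voice_crypt(caller_key, i, f) for i, f in enumerate(frames)]                   # e2
    heard = [voice_crypt(callee_key, i, c) for i, c in enumerate(sent)]
    return {"call_id": call_id, "key_id": key_id, "keys_match": caller_key == callee_key,
            "ciphertext_differs": sent != frames, "recovered": heard}

def build_demo():
    """Two terminals on different key management platforms sharing one QKD network (constructed)."""
    qkd, cloud = QKDNetwork(), CloudPlatform()
    chip_a, chip_b = secrets.token_bytes(32), secrets.token_bytes(32)   # keys injected into the chips
    kmp1 = KeyManagementPlatform("KMP-1", qkd, {"13800000001": chip_a})
    kmp2 = KeyManagementPlatform("KMP-2", qkd, {"13800000002": chip_b})
    caller = Terminal("13800000001", kmp1, chip_a, cloud)
    callee = Terminal("13800000002", kmp2, chip_b, cloud)
    caller.login(); callee.login()
    return caller, callee, qkd
```

Two properties worth checking against such a model: the session key itself never passes through the cloud platform or the IMS network (only the key identifier and status do), and the QKD network refuses to hand the pair's key to a platform that is not one of its two endpoints.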
In addition, referring to Figure 8, a third embodiment of the present invention proposes a VoLTE voice encrypted communication system. The system includes: a quantum key distribution network 13, a calling terminal 5, a called terminal 6, a first key management platform 9, a second key management platform 10, a first cryptographic machine 11, a second cryptographic machine 12, a cloud encrypted-call service management platform 8 and an operator IMS network 7;
the calling terminal 5 and the called terminal 6 each integrate a security chip 4, and an authentication key is stored in the security chip 4;
the calling terminal 5 is connected to the first key management platform 9, the called terminal 6 is connected to the second key management platform 10, the first key management platform 9 accesses the quantum key distribution network 13 via the first cryptographic machine 11, the second key management platform 10 accesses the quantum key distribution network 13 via the second cryptographic machine 12, and the calling terminal 5 and the called terminal 6 each access the cloud encrypted-call service management platform 8 via the operator IMS network 7;
both the calling terminal 5 and the called terminal 6 are provided with intermediate components, which include key middleware 3, service middleware 1 and voice middleware 2; the key middleware 3 is connected to the first key management platform 9 or the second key management platform 10, the service middleware 1 is connected to the cloud encrypted-call service management platform 8, and the voice middleware 2 is connected to the underlying data transmission channel;
the key middleware 3 is used to complete identity authentication to the key management platform it belongs to, using the authentication key stored in its corresponding security chip 4; the service middleware 1 requests login to the cloud encrypted-call service management platform 8; and the voice middleware 2 starts itself;
after the calling terminal 5 initiates a call, the service middleware 1 is used to send a verification request to the cloud encrypted-call service management platform 8 to obtain the encrypted-call identifier returned by the cloud encrypted-call service management platform 8;
after the call is connected, the calling terminal 5 and the called terminal 6 play a prompt tone, and the service middleware 1 calls the key middleware 3 and, based on the encrypted-call identifier, applies to the key management platform it belongs to for the session key of this call, which is distributed by the quantum key distribution network 13;
the key middleware 3 passes the session key to the voice middleware 2, and after the voice middleware 2 uses the media channel to complete the synchronization of the key acquisition status of the calling terminal 5 and the called terminal 6, the calling terminal 5 and the called terminal 6 conduct an encrypted voice call;
after the calling terminal 5 and the called terminal 6 hang up, the voice middleware 2 sends an encryption-end message, ending this encrypted call.
It should be noted that the cloud encrypted-call service management platform 8 is used to provide network-wide wide-area user addressing management based on VoLTE voice, registration management of the information of each key system, and the generation and delivery of the encryption-entry identifier during a VoLTE call.
The operator IMS network 7 is used to carry and transmit data between the cloud encrypted-call service management platform 8 and the handsets, and provides the signaling domain and media domain that already exist between the two handsets.
The intermediate components can implement functions such as addressing the key management platforms of both VoLTE call parties, processing VoLTE encryption-entry messages, applying for and obtaining negotiated keys, and real-time encryption and decryption of call data during the call.
The security chip 4 is a secure medium certified by the State Commercial Cryptography Administration and having security protection capability; it can interface with the key management platform to implement key injection into the security chip 4, and it uses the key stored in the security chip 4 as the authentication key for identity authentication to the key management platform and for the delivery of session keys on a one-key-per-session ("one-time pad") basis.
The key management platform: used to provide the server-side API of the key management middleware, which interfaces with the handset-side middleware to implement identity verification at user login centered on the key injected into the security chip 4, session key negotiation, and the generation and delivery of session keys during encrypted call setup; the key management platform may be deployed standalone or within the quantum key distribution network 13, and is capable of interfacing with the cryptographic machine to obtain keys and distribute them to the quantum middleware.
The first cryptographic machine 11 and the second cryptographic machine 12 adopt a three-level key management hierarchy and use a cryptographic card for secure local key storage. They support two encryption modes, "one-time pad" and the national commercial cryptographic (SM) algorithms, to implement key exchange and output. They are used to provide cryptographic operations based on the national commercial cryptographic algorithms, and support the quantum secure communication network, a quantum random number generator and the local cryptographic card as key sources.
The quantum key distribution network 13 refers to a network that meets the networking and application requirements of quantum secure communication in different scenarios by extending point-to-point QKD links into a multi-user QKD network. It mainly includes the QKD modules, key managers (KM), the QKDN controller and the QKDN network management system within the QKD network, the QKD links between QKD modules and the KM links between KMs, and the cryptographic application (KMS) modules in the user network, among others.
It should be noted that in some scenarios there will be a deployment in which customized terminals that request distribution of the encryption-entry identifier via SIP extension fields coexist with customized terminals that do not rely on SIP extension fields. The main difference between the two kinds of customized terminal is that the SIP-type terminal has its modem module modified so that it can process SIP extension fields; what they have in common is a similar key middleware and voice middleware structure for key negotiation and voice encryption and decryption. Therefore, it is only necessary to interconnect the cloud management platform with the service AS (service authentication platform) in the IMS that is responsible for distributing key identifiers, and VoLTE interoperability can be achieved without modifying the terminals.
This system requires no changes to the two existing types of terminal and is easy to implement. The specific process is as follows:
(1) The service AS (service authentication platform) in the IMS that is responsible for key identifier distribution only needs to implement a user synchronization interface and an encrypted-call identifier push interface with the cloud encrypted-call service management platform.
(2-1) In the first scenario the calling party is a SIP terminal:
After the caller initiates the call, the call request is sent to the service AS (service authentication platform) in the IMS network responsible for key identifier distribution. The AS queries the locally synchronized database to determine the terminal type of the account; if the conditions for encryption entry are met, it generates the corresponding encrypted-call identifier and sends it to the cloud encrypted-call service management platform, which pushes the encrypted-call identifier to the peer terminal; the SIP terminal itself continues to use the encrypted-call identifier delivered by the AS to complete encryption entry.
(2-2) In the second scenario the SIP terminal is the called party:
A normal calling end initiates the call and, by querying the cloud encrypted-call service management platform, learns that the peer is a SIP terminal. The cloud encrypted-call service management platform generates the encrypted-call identifier and pushes it to the service AS (service authentication platform) in the IMS network responsible for key identifier distribution, and the AS delivers the corresponding encryption-entry identifier to the SIP terminal to complete encryption entry.
(3) After the encrypted-call identifier is delivered, the SIP terminal passes the encryption-entry identifier processed by the baseband chip to the voice middleware, and the voice middleware then calls the key middleware to obtain the key from the key management platform based on the encryption-entry identifier; for terminals without SIP extension fields, the key is obtained by having the service middleware push the encryption-entry identifier to the key middleware.
(4) Both call parties use the key middleware to complete key acquisition, and can follow the media-channel process described in e1) to synchronize the key acquisition status at both ends.
(5) Both call parties use the key middleware to complete key acquisition, can follow the process described in e1) to achieve session key acquisition and two-end synchronization of the key acquisition status, and pass the session key in encrypted form to the voice middleware.
(6) Both parties use the voice middleware to implement the voice encryption function in accordance with e2) and e3).
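The routing described in steps (1) to (3), as an added model written for this page rather than code from the patent or its applicant: the IMS service AS and the cloud platform each hold a synchronized table of terminal types, a SIP-type caller gets its identifier from the AS while the cloud pushes the same identifier to the peer, a non-SIP caller triggers the cloud to generate the identifier and route it either through the AS (for a SIP-type callee) or through the service-middleware push (for a non-SIP callee), and each terminal's key middleware reads the identifier from whichever path its type uses. The terminal type labels "sip" and "plain", the class names and the identifier format are assumptions made for the example.

```python
"""Constructed model of the coexistence flow in steps (1)-(3): how the encrypted-call identifier
reaches a SIP-extension terminal through the IMS service AS and a non-SIP terminal through the
cloud platform push. All names and terminal-type labels are assumptions made for this example."""
import secrets


class ServiceAS:
    """IMS service AS (service authentication platform). Holds the user table synchronized from
    the cloud platform (interface (1)) and delivers identifiers to SIP terminals in signalling."""
    def __init__(self):
        self.users, self.delivered, self.cloud = {}, {}, None   # number -> type; number -> id
    def sync_user(self, number, terminal_type):                  # user synchronization interface
        self.users[number] = terminal_type
    def on_call_request(self, caller, callee):                   # (2-1): caller is a SIP terminal
        if self.users.get(caller) != "sip":
            return None                                          # not this case; the cloud handles it
        call_id = secrets.token_hex(8)
        self.delivered[caller] = call_id                         # SIP extension field to the caller
        self.cloud.push_id(call_id, callee)                      # identifier push interface to the cloud
        return call_id
    def deliver(self, number, call_id):                          # (2-2): AS -> SIP called terminal
        self.delivered[number] = call_id


class CloudPlatform:
    """Cloud encrypted-call service management platform."""
    def __init__(self, service_as):
        self.users, self.pushed, self.service_as = {}, {}, service_as
        service_as.cloud = self
    def register(self, number, terminal_type):
        self.users[number] = terminal_type
        self.service_as.sync_user(number, terminal_type)         # keeps the AS table in step
    def push_id(self, call_id, number):                          # deliver to whichever kind of peer
        if self.users[number] == "sip":
            self.service_as.deliver(number, call_id)             # via the AS, in SIP signalling
        else:
            self.pushed[number] = call_id                        # via the service middleware push
    def on_call_request(self, caller, callee):                   # (2-2), and the case with no SIP terminal
        call_id = secrets.token_hex(8)
        self.push_id(call_id, caller)
        self.push_id(call_id, callee)
        return call_id


class Terminal:
    def __init__(self, number, terminal_type):
        self.number, self.terminal_type = number, terminal_type
    def identifier_for_key_middleware(self, cloud):              # step (3)
        if self.terminal_type == "sip":                          # baseband chip -> voice middleware
            return cloud.service_as.delivered.get(self.number)
        return cloud.pushed.get(self.number)                     # service middleware push


def setup_call(cloud, caller, callee):
    """Route the call request per (2-1)/(2-2); return the id issued and what each end received."""
    call_id = cloud.service_as.on_call_request(caller.number, callee.number)
    if call_id is None:
        call_id = cloud.on_call_request(caller.number, callee.number)
    return (call_id, caller.identifier_for_key_middleware(cloud),
            callee.identifier_for_key_middleware(cloud))
```

The invariant a deployment should verify is the one the tests below check: whichever side is the SIP terminal, both key middlewares end up holding the same identifier, so the key request in step (3) names the same call on both key management platforms.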
It should be noted that for other embodiments or implementation methods of the VoLTE voice encrypted communication system of the present invention, reference may be made to the method embodiments above, which are not repeated here.
It should be noted that the logic and/or steps represented in the flowcharts or otherwise described herein may, for example, be considered an ordered list of executable instructions for implementing logical functions, and may be embodied in any computer-readable medium for use by, or in connection with, an instruction execution system, apparatus or device (such as a computer-based system, a system including a processor, or another system that can fetch instructions from the instruction execution system, apparatus or device and execute them). For the purposes of this specification, a "computer-readable medium" may be any apparatus that can contain, store, communicate, propagate or transmit a program for use by, or in connection with, an instruction execution system, apparatus or device. More specific examples (a non-exhaustive list) of computer-readable media include: an electrical connection having one or more wires (electronic device), a portable computer diskette (magnetic device), a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). In addition, the computer-readable medium may even be paper or another suitable medium on which the program is printed, since the program can be obtained electronically, for example by optically scanning the paper or other medium and then editing, interpreting or otherwise processing it in a suitable manner if necessary, and then stored in a computer memory.
It should be understood that the parts of the present invention may be implemented in hardware, software, firmware or a combination thereof. In the above embodiments, multiple steps or methods may be implemented by software or firmware stored in a memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, they may be implemented by any one or a combination of the following technologies known in the art: a discrete logic circuit having logic gates for implementing logic functions on data signals, an application-specific integrated circuit having suitable combinational logic gates, a programmable gate array (PGA), a field-programmable gate array (FPGA), and so on.
In the description of this specification, reference to the terms "one embodiment", "some embodiments", "an example", "a specific example" or "some examples" and the like means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic expressions of the above terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in a suitable manner in any one or more embodiments or examples.
In addition, the terms "first" and "second" are used for descriptive purposes only and shall not be understood as indicating or implying relative importance or implicitly indicating the number of the technical features referred to. Thus, a feature qualified by "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present invention, "a plurality of" means at least two, for example two or three, unless otherwise expressly and specifically limited.
Although the embodiments of the present invention have been shown and described above, it will be understood that the above embodiments are exemplary and shall not be construed as limiting the present invention; a person of ordinary skill in the art may make changes, modifications, substitutions and variations to the above embodiments within the scope of the present invention.

Claims (12)

  1. A VoLTE voice encrypted communication method, characterized in that a security chip is integrated in each of the calling terminal and the called terminal, the method comprising:
    the calling terminal and the called terminal each completing identity authentication to the key management platform to which they belong using the authentication key stored in their corresponding security chip;
    the calling terminal initiating a call, and the calling terminal and the called terminal sending a verification request to a cloud encrypted-call service management platform to obtain an encrypted-call identifier returned by the cloud encrypted-call service management platform;
    after the call is connected, the calling terminal and the called terminal playing a prompt tone and, based on the encrypted-call identifier, applying to the key management platform to which they belong for a session key for this call, the session key being distributed by a quantum key distribution network;
    the calling terminal and the called terminal, based on the session key, using a media channel to synchronize the key acquisition status of the calling terminal and the called terminal, and then conducting an encrypted voice call;
    the calling terminal and the called terminal sending an encryption-end message to end this encrypted call.
  2. The VoLTE voice encrypted communication method according to claim 1, characterized in that the calling terminal and the called terminal each completing identity authentication to the key management platform using the authentication key stored in their corresponding security chip comprises:
    the security chips each obtaining the identifier of the key management platform to which they belong;
    the calling terminal and the called terminal each invoking the authentication key stored in their corresponding security chip to complete identity authentication to the key management platform to which they belong;
    the calling terminal and the called terminal uploading the identifier of the key management platform to which they belong and their own terminal identifier to the cloud encrypted-call service management platform, so that the cloud encrypted-call service management platform generates and stores a lookup table of terminal identifiers against key management platform identifiers.
  3. The VoLTE voice encrypted communication method according to claim 2, characterized in that the calling terminal initiating a call, and the calling terminal and the called terminal sending a verification request to the cloud encrypted-call service management platform to obtain the encrypted-call identifier returned by the cloud encrypted-call service management platform, comprises:
    the calling terminal and the called terminal reporting the calling number and the called number of this call to the cloud encrypted-call service management platform, so that the cloud encrypted-call service management platform generates the encrypted-call identifier for this call based on the calling number and the called number;
    when the cloud encrypted-call service management platform determines, based on the lookup table, that the key management platform identifiers to which the calling terminal and the called terminal belong are different, the calling terminal and the called terminal obtaining the encrypted-call identifier returned by the cloud encrypted-call service management platform together with the identifier of the key management platform to which the peer belongs.
  4. The VoLTE voice encrypted communication method according to claim 3, characterized in that, after the call is connected, the calling terminal and the called terminal playing a prompt tone and, based on the encrypted-call identifier, applying to the key management platform to which they belong for the session key for this call, the session key being distributed by a quantum key distribution system, comprises:
    the called terminal sending a first key request to the key management platform to which it belongs, so that the key management platform obtains a key identifier from a cryptographic machine and returns it to the called terminal, the first key request carrying the encrypted-call identifier and the identifier of the key management platform to which the peer belongs;
    the called terminal pushing the key identifier and the encrypted-call identifier to the cloud encrypted-call service management platform, so that the cloud encrypted-call service management platform pushes the key identifier and the encrypted-call identifier to the calling terminal;
    the calling terminal sending a second key request to the key management platform to which it belongs, so that the key management platform returns the session key to the calling terminal, the second key request carrying the key identifier and the encrypted-call identifier.
  5. The VoLTE voice encrypted communication method according to claim 4, characterized in that the key management platform obtaining the key identifier from the cryptographic machine and returning it to the called terminal comprises:
    the key management platform sending a first key application to the cryptographic machine, so that the cryptographic machine initiates a second key application to the QKD network to which it is connected based on the first key application, wherein the information carried by the first key application includes the encrypted-call identifier, the calling number, the called number and the identifier of the key management platform to which the peer belongs, and the information carried by the second key application includes the identifier of the key management platform to which the peer belongs;
    the QKD network, according to the second key application, obtaining one symmetric key of the QKD nodes to which the calling terminal and the called terminal belong, and returning the symmetric key to the cryptographic machine;
    the cryptographic machine returning the symmetric key and the key identifier to the called terminal through the key management platform.
  6. The VoLTE voice encrypted communication method according to claim 1, characterized in that the calling terminal and the called terminal, based on the session key, using the media channel to synchronize the key acquisition status of the calling terminal and the called terminal and then conducting an encrypted voice call comprises:
    the calling terminal and the called terminal obtaining the session key;
    the calling terminal and the called terminal synchronizing a key-acquired notification to the cloud encrypted-call service management platform, so that the cloud encrypted-call service management platform transparently forwards the notification to the calling terminal and the called terminal, completing the key acquisition status synchronization.
  7. The VoLTE voice encrypted communication method according to claim 1, characterized in that, when at least one of the calling terminal and the called terminal is a SIP terminal that requests distribution of the encryption-entry identifier via a SIP extension field, the method further comprises:
    the cloud encrypted-call service management platform and the IMS network implementing a user synchronization interface and an encrypted-call identifier push interface;
    the cloud encrypted-call service management platform or the IMS network generating the encrypted-call identifier, and the IMS network delivering the corresponding encrypted-call identifier to the SIP terminal, the SIP terminal comprising key middleware and voice middleware;
    the voice middleware obtaining the encrypted-call identifier processed by the baseband chip and invoking the key middleware to apply to the key management platform for the session key.
  8. A VoLTE voice encrypted communication terminal, characterized in that the terminal is provided with a security chip and an intermediate component, an authentication key is stored in the security chip, and the intermediate component comprises key middleware, service middleware and voice middleware, wherein:
    the key middleware is configured to use the authentication key stored in the security chip to complete identity authentication to the key management platform to which it belongs, the service middleware requests login to the cloud encrypted call service management platform, and the voice middleware starts itself;
    the service middleware is configured to, after the two parties initiate a call, send a verification request to the cloud encrypted call service management platform to obtain the encrypted call identifier returned by the cloud encrypted call service management platform; the service middleware is further configured to, after the call is connected and the terminal plays a prompt tone, invoke the key middleware and, based on the encrypted call identifier, apply to the key management platform to which it belongs for the session key of the current call, the session key being distributed by a quantum key distribution network;
    the key middleware is configured to pass the session key to the voice middleware, and after the voice middleware uses the media channel to complete synchronization of the key acquisition status of the two parties, the two parties conduct the encrypted voice call;
    the voice middleware is configured to send an encryption end message after the call is hung up, ending the current encrypted call.
  9. The VoLTE voice encrypted communication terminal according to claim 8, characterized in that the service middleware comprises a UI display module, an encrypted call notification module, an encrypted call identifier synchronization module and a key negotiation initiation module, wherein:
    the UI display module is configured to display the user subscription decision information coordinated with the cloud encrypted call service management platform, the notification and identifier synchronization information of the current encrypted call, and the key negotiation status at the start of the current encrypted call;
    the encrypted call notification module is configured to interact with the interface of the cloud encrypted call service management platform;
    the encrypted call identifier synchronization module is configured to, after the cloud encrypted call service management platform determines that both parties are qualified and meet the conditions for an encrypted call, obtain the encrypted call identifier and the peer acquisition status returned by the cloud encrypted call service management platform, completing delivery and synchronization of the encrypted call identifier;
    the key negotiation initiation module is configured to, after the key identifier synchronization is completed, initiate a key request to the key middleware based on the key identifier and obtain the corresponding key negotiation status.
  10. The VoLTE voice encrypted communication terminal according to claim 8, characterized in that the key middleware comprises an external service interface, a general cryptographic service module and a cryptographic device service module, wherein:
    the external service interface is configured to connect to external applications by way of inter-process communication;
    the general cryptographic service module is configured to provide key management, identity authentication and key operation interfaces;
    the cryptographic device service module is configured to obtain the authentication key stored in the security chip.
  11. The VoLTE voice encrypted communication terminal according to claim 8, characterized in that the voice middleware comprises a voice interception module, a voice rate screening module, a voice encryption module and a voice return module, wherein:
    the voice interception module is configured to monitor the voice data transmission channel in the current terminal system, and to intercept and return voice call data;
    the voice rate screening module is configured to receive and inspect the voice call data passed on by the voice interception module and obtain the AMR payload data;
    the voice encryption module is configured to perform key processing, session key status negotiation, and encryption and decryption of the voice data sent and received;
    the voice return module is configured to send the AMR payload data to the voice encryption module frame by frame, and to return the encrypted voice data processed by the voice encryption module to the voice rate screening module.
  12. A VoLTE voice encrypted communication system, characterized in that the system comprises: a quantum key distribution network, a calling terminal, a called terminal, a first key management platform, a second key management platform, a first cryptographic machine, a second cryptographic machine, a cloud encrypted call service management platform and an operator network;
    the calling terminal and the called terminal each integrate a security chip, and an authentication key is stored in the security chip;
    the calling terminal is connected to the first key management platform, the called terminal is connected to the second key management platform, the first key management platform accesses the quantum key distribution network via the first cryptographic machine, the second key management platform accesses the quantum key distribution network via the second cryptographic machine, and the calling terminal and the called terminal each access the cloud encrypted call service management platform via the operator network;
    the calling terminal and the called terminal are each provided with an intermediate component, the intermediate component comprising key middleware, service middleware and voice middleware, the key middleware being connected to the first key management platform or the second key management platform, the service middleware being connected to the cloud encrypted call service management platform, and the voice middleware being connected to the underlying data transmission channel;
    the key middleware is configured to use the authentication key stored in its corresponding security chip to complete identity authentication to the key management platform to which it belongs, the service middleware requests login to the cloud encrypted call service management platform, and the voice middleware starts itself;
    after the calling terminal initiates a call, the service middleware is configured to send a verification request to the cloud encrypted call service management platform to obtain the encrypted call identifier returned by the cloud encrypted call service management platform;
    after the call is connected, the calling terminal and the called terminal play a prompt tone, and the service middleware invokes the key middleware and, based on the encrypted call identifier, applies to the key management platform to which it belongs for the session key of the current call, the session key being distributed by the quantum key distribution network;
    the key middleware passes the session key to the voice middleware, and after the voice middleware uses the media channel to complete synchronization of the key acquisition status of the calling terminal and the called terminal, the calling terminal and the called terminal conduct the encrypted voice call;
    after the call is hung up, the voice middleware sends an encryption end message, ending the current encrypted call.
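The key-acquisition status synchronization of claim 6 and the frame-by-frame voice encryption of claim 11, as an added Python simulation that is not part of the patent: two terminals obtain a session key, notify each other through the cloud platform's transparent relay, and only once both have confirmed may AMR frames be encrypted; the hang-up sends the encryption-end message and both sides discard the key. The `Terminal` and `CloudPlatform` classes, the HMAC-SHA256 stand-in cipher, the cleartext AMR header byte and the per-frame counter are assumptions, since the claims specify none of them.

```python
import hashlib
import hmac
from enum import Enum

class State(Enum):
    IDLE = 0          # no session key for this call
    KEY_OBTAINED = 1  # own session key received from the key middleware
    SYNCED = 2        # both sides have confirmed key acquisition

class CloudPlatform:
    """Cloud platform: relays key-acquisition and encryption-end notices to the peer unchanged."""
    def __init__(self):
        self.terminals = {}

    def relay(self, dst_number, handler, src_number):
        getattr(self.terminals[dst_number], handler)(src_number)

class Terminal:
    """Voice-middleware view of one call: session key, sync state, per-frame AMR encryption."""
    def __init__(self, number, platform):
        self.number, self.platform, self.peer = number, platform, None
        self.on_encryption_end(None)  # start in the IDLE state with no key
        platform.terminals[number] = self

    def obtain_session_key(self, key, peer_number):
        # Key middleware hands over the QKD-distributed key; notify the peer via the platform (claim 6).
        self.key, self.peer = key, peer_number
        self.state = State.SYNCED if self.peer_ready else State.KEY_OBTAINED
        self.platform.relay(peer_number, "on_peer_key_notice", self.number)

    def on_peer_key_notice(self, _src):
        self.peer_ready = True
        self.state = State.SYNCED if self.key else State.IDLE

    def _keystream(self, ctr, n):
        # Assumption: the claims name no cipher; HMAC-SHA256 in counter mode stands in (stdlib only).
        blocks = (hmac.new(self.key, ctr.to_bytes(8, "big") + bytes([i]),
                           hashlib.sha256).digest() for i in range((n + 31) // 32))
        return b"".join(blocks)[:n]

    def _xor_frame(self, frame, direction):
        if self.state is not State.SYNCED:
            raise RuntimeError("key acquisition status not synchronized")
        ctr = self.ctr[direction]
        self.ctr[direction] += 1  # a fresh keystream segment per AMR frame
        # Assumption: the 1-byte AMR ToC header stays in clear so the peer's rate screening still works.
        ks = self._keystream(ctr, len(frame) - 1)
        return frame[:1] + bytes(a ^ b for a, b in zip(frame[1:], ks))

    def encrypt_frame(self, frame): return self._xor_frame(frame, "tx")
    def decrypt_frame(self, frame): return self._xor_frame(frame, "rx")

    def hangup(self):
        # Encryption-end message (claims 8 and 12): both sides discard the key.
        if self.peer: self.platform.relay(self.peer, "on_encryption_end", self.number)
        self.on_encryption_end(self.number)

    def on_encryption_end(self, _src):
        self.state, self.peer_ready, self.key = State.IDLE, False, None
        self.ctr = {"tx": 0, "rx": 0}
```

A deployed implementation would carry the frame counter in-band (for example derived from the RTP sequence number) so that a lost frame does not desynchronize the two sides' keystreams.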
PCT/CN2022/117510 2022-04-26 2022-09-07 Volte voice encrypted communication method, terminal and system WO2023206909A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2023541525A JP2024520245A (en) 2022-04-26 2022-09-07 VoLTE voice encryption communication method, terminal and system

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210442353.1A CN114553422B (en) 2022-04-26 2022-04-26 VoLTE voice encryption communication method, terminal and system
CN202210442353.1 2022-04-26

Publications (1)

Publication Number Publication Date
WO2023206909A1 true WO2023206909A1 (en) 2023-11-02

Family

ID=81667116

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/117510 WO2023206909A1 (en) 2022-04-26 2022-09-07 Volte voice encrypted communication method, terminal and system

Country Status (3)

Country Link
JP (1) JP2024520245A (en)
CN (1) CN114553422B (en)
WO (1) WO2023206909A1 (en)

Also Published As

Publication number Publication date
CN114553422B (en) 2022-07-01
JP2024520245A (en) 2024-05-24
CN114553422A (en) 2022-05-27

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase; ref document number: 2023541525; country of ref document: JP
121 Ep: the epo has been informed by wipo that ep was designated in this application; ref document number: 22939735; country of ref document: EP; kind code of ref document: A1