
CN101222612A - A method and system for securely transmitting media streams - Google Patents

Info

Publication number: CN101222612A
Authority: CN (China)
Prior art keywords: key, terminal, media stream, calling, called
Legal status: Pending (as listed by Google Patents, which has not performed a legal analysis; the status is an assumption, not a legal conclusion)
Application number: CN 200710000851
Other languages: Chinese (zh)
Inventors: 孙恺, 孔涛, 高江海, 黎静
Current assignee: Huawei Technologies Co Ltd (as listed by Google Patents; the list may be inaccurate)
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN 200710000851 (CN101222612A)
Priority to PCT/CN2007/071412 (WO2008083607A1)
Publication of CN101222612A

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/04 ... for providing a confidential data exchange among entities communicating through data packet networks
              • H04L63/0428 ... wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                • H04L63/0457 ... wherein the sending and receiving network entities apply dynamic encryption, e.g. stream encryption
            • H04L63/06 ... for supporting key management in a packet data network
          • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
            • H04L9/06 ... the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
              • H04L9/065 Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3
            • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
              • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

The invention provides a method and system for securely transmitting media streams. A key generation unit is set up in advance; during the call flow it obtains the terminal's encryption capability information and generates a key for the media stream according to that information; it then sends the generated key to the terminal and to the media stream bearer device respectively; the terminal and the media stream bearer device use the obtained key to transmit the media stream. With this scheme the calling and called terminals do not generate keys themselves; the key generation unit does. No clock synchronization and no public key infrastructure (PKI) support is required, which greatly reduces the complexity of end-to-end media stream key negotiation, eases the rollout of media stream encryption services, and can satisfy the practical requirements of lawful interception.

Description

A method and system for securely transmitting media streams

Technical field

The invention relates to media stream encryption technology, and in particular to a method and system for securely transmitting media streams.

Background technique

Media streams (audio streams, video streams and the like) are generally transmitted over the Real-time Transport Protocol (RTP). RTP itself provides no security, so a media stream in transit is exposed to eavesdropping, tampering and other attacks.

To strengthen media streams in transit, several methods of generating and distributing keys, i.e. key agreement methods, have been proposed. The terminals then use the distributed key to transmit the media stream, achieving secure transmission.

In the prior art there are two typical key agreement methods: the Multimedia Internet KEYing (MIKEY) public-key mode and the MIKEY Diffie-Hellman (DH) mode.

The basic idea of the MIKEY public-key mode is: the calling terminal generates a media key and an envelope key; the media key is encrypted with the envelope key, and the envelope key is in turn encrypted with the public key from the called terminal's certificate; the encrypted keys are sent to the called terminal over the MIKEY protocol, and the called terminal decrypts them to obtain the media key, completing key negotiation.

In the MIKEY public-key mode, for key negotiation to proceed securely and smoothly, the calling and called terminals must be clock-synchronized and supported by a public key infrastructure (PKI). In practice, clock synchronization and PKI support are complex to realize and hinder key agreement. For example, a conference call involves many terminals that transmit media streams; to encrypt all of them, all of the terminals must be clock-synchronized, which greatly increases the difficulty of key negotiation. As another example, when the calling and called terminals are ordinary mobile terminals, the sheer number of such terminals makes certificate management and the other PKI tasks hard to carry out, and key negotiation cannot proceed smoothly.

The basic idea of the MIKEY DH mode is: the calling and called terminals each generate a DH value, exchange them over the MIKEY protocol, and derive the key from both DH values.

The MIKEY DH mode also requires clock synchronization, and it is very complex to implement, computationally heavy and demanding on terminal performance, which again hinders key agreement.

In addition, in practice an operator needs to obtain the key of a media stream so that security agencies can carry out lawful interception. In the prior art only the terminals taking part in the exchange (the calling and called terminals, or several terminals) can obtain the key; no third party outside the exchange can, so the requirements of lawful interception cannot be met.

Contents of the invention

The invention provides a method and system for securely transmitting media streams which, while keeping the link secure, avoids clock synchronization, PKI support, certificate management and similar procedures, reduces the complexity of key generation, and eases the rollout of media stream encryption services.

To achieve this, the technical scheme proposed by the invention is:

A method for securely transmitting media streams, in which a key generation unit is set up in advance, comprising the following steps:

A. The key generation unit obtains the terminal's encryption capability information during the call flow and generates a key for the media stream according to that information;

B. The generated key is then sent to the terminal and to the media stream bearer device respectively;

C. The terminal and the media stream bearer device use the obtained key to transmit the media stream.

In the above scheme, when the key generation unit is a functional unit of the call session control function (CSCF) on the calling side and the terminal is the calling terminal, the key generation unit obtains the encryption capability information in step A as follows:

The calling terminal initiates a call and sends a call request message carrying its own encryption capability information to the calling-side CSCF; the calling-side CSCF extracts the calling terminal's encryption capability information from the call request message.

In the above scheme, the calling terminal's encryption capability information is carried in the Session Description Protocol (SDP) body of the call request message; or in the Session Initiation Protocol (SIP) Accept-Contact header field (caller preferences) of the call request message; or in a SIP extension negotiation field of the call request message, namely the Supported header field; or in the fields defined by RFC 4568 in the call request message.

In the above scheme, the key is sent to the calling terminal in step B as follows:

When the calling-side CSCF receives the call response message from the called terminal, it inserts the previously generated key into that call response message and forwards it to the calling terminal.

In the above scheme, when the media stream bearer device is the calling-side media proxy (MP), the key is sent to the calling-side MP in step B as follows:

The calling-side CSCF sends a message carrying the key to the calling-side Resource and Admission Control Subsystem (RACS), and the calling-side RACS forwards the key to the calling-side MP.

In the above scheme, step C is specifically:

When the media stream flows from the calling terminal to the called terminal, the calling terminal encrypts the media stream with the obtained key and sends the encrypted stream to the calling-side MP; the calling-side MP decrypts it with the obtained key and forwards the decrypted stream onwards; and/or

When the media stream flows from the called terminal to the calling terminal, the calling-side MP encrypts the stream arriving from the called terminal with the obtained key and sends the encrypted stream to the calling terminal, which decrypts it with the obtained key.

In the above scheme, when the key generation unit is a functional unit of the called-side CSCF and the terminal is the called terminal, the encryption capability information is obtained in step A as follows:

The called terminal receives the call request message from the calling terminal via the called-side CSCF and returns a call response message carrying its own encryption capability information to the called-side CSCF; the called-side CSCF extracts the called terminal's encryption capability information from the call response message.

In the above scheme, the key is sent to the called terminal in step B as follows:

When the called-side CSCF receives a call-related message from the calling terminal, it inserts the previously generated key into that call-related message and forwards it to the called terminal.

In the above scheme, when the media stream bearer device is the called-side MP, the key is sent to the called-side MP in step B as follows:

The called-side CSCF sends a message carrying the key to the called-side RACS, and the called-side RACS forwards the key to the called-side MP.

In the above scheme, step C is specifically:

When the media stream flows from the calling terminal to the called terminal, the called-side MP encrypts the stream arriving from the calling terminal with the obtained key and sends the encrypted stream to the called terminal, which decrypts it with the obtained key; and/or

When the media stream flows from the called terminal to the calling terminal, the called terminal encrypts the media stream with the obtained key and sends the encrypted stream to the called-side MP; the called-side MP decrypts it with the obtained key and forwards the decrypted stream onwards.

For the second object of the invention, the technical scheme proposed is:

A system for securely transmitting media streams, comprising a terminal and a media stream bearer device, and further comprising a key generation unit;

the terminal sends its own encryption capability information to the key generation unit, obtains the key, and transmits the media stream using that key;

the media stream bearer device receives the key generated by the key generation unit and transmits the media stream using that key;

the key generation unit receives the encryption capability information supplied by the terminal, generates the key, and sends the generated key to the terminal and to the media stream bearer device respectively.

In the above scheme, when the key generation unit is a functional unit of the P-CSCF and the media stream bearer device is an MP, the system further comprises:

a RACS, which receives the key generated by the key generation unit in the P-CSCF and forwards it to the MP.

In summary, the invention proposes a method and system for securely transmitting media streams in which the terminal does not generate the key itself; the key generation unit does. No clock synchronization and no PKI are required, which greatly reduces the complexity of key generation, achieves secure media stream transmission, and eases the rollout of media stream encryption services. Because the calling side and the called side each generate their own key independently and need not negotiate with each other, generating and delivering the keys does not disturb the execution of the call flow. Moreover, because the media stream travels in plaintext between the calling-side and called-side media stream bearer devices, the practical requirement of lawful interception can be met.

Description of drawings

Fig. 1 is the flow chart of the invention;

Fig. 2 is a schematic diagram of the message flow in the method embodiment;

Fig. 3 is the basic structural diagram of the system of the invention;

Fig. 4 is a structural diagram of the system embodiment.

Detailed description

To make the objects, technical scheme and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings and specific embodiments.

The basic idea of the invention is: a key generation unit is set up in advance and is responsible for generating and distributing keys; the terminal and the media stream bearer device transmit the media stream using the key obtained from the key generation unit, so that the media stream is transmitted securely.

Fig. 1 is the flow chart of the invention. As shown in Fig. 1, the invention comprises the following steps:

Step 101: The key generation unit obtains the terminal's encryption capability information during the call flow and generates a key for the media stream according to that information.

Step 102: The key generation unit sends the generated key to the terminal and to the media stream bearer device respectively.

Step 103: The terminal and the media stream bearer device transmit the media stream using the obtained key.

Since the call flow involves a calling side and a called side, secure media stream transmission in the invention is likewise divided into the calling-side case and the called-side case.

On the calling side, the terminal is the calling terminal; the key generation unit is the calling-side key generation unit, which may be a functional unit of the calling-side CSCF; and the media stream bearer device is the calling-side media stream bearer device, i.e. the calling-side MP.

In this case, the calling terminal's encryption capability information is obtained in step 101 as follows: the calling terminal initiates a call and sends a call request message carrying its own encryption capability information to the calling-side CSCF, which extracts the calling terminal's encryption capability information from the call request message.

Correspondingly, the key is sent to the calling terminal in step 102 as follows: when the calling-side CSCF receives the call response message from the called terminal, it inserts the previously generated key into that call response message and forwards it to the calling terminal.

Correspondingly, the key is sent to the calling-side MP in step 102 as follows: the calling-side CSCF sends a message carrying the key to the calling-side RACS; the calling-side RACS forwards the key to the calling-side MP.

At this point both the calling terminal and the calling-side MP have obtained the key from the calling-side P-CSCF and can use it to transmit the media stream. Two cases arise:

In the first case, when the media stream flows from the calling terminal to the called terminal, the calling terminal encrypts the stream with the obtained key and sends the encrypted stream to the calling-side MP; the calling-side MP decrypts it with the obtained key and forwards the decrypted stream onwards, i.e. to the called side.

In the second case, when the media stream flows from the called terminal to the calling terminal, the calling-side MP encrypts the stream arriving from the called terminal with the obtained key and sends the encrypted stream to the calling terminal, which decrypts it with the obtained key.

In practice the media stream may flow only from the calling terminal to the called terminal, only from the called terminal to the calling terminal, or in both directions.

On the called side, the terminal is the called terminal; the key generation unit is the called-side key generation unit, which may be a functional unit of the called-side CSCF; and the media stream bearer device is the called-side media stream bearer device, i.e. the called-side MP.

In this case, the called terminal's encryption capability information is obtained in step 101 as follows: the called terminal receives the call request message from the calling terminal via the called-side CSCF and returns a call response message carrying its own encryption capability information to the called-side CSCF, which extracts the called terminal's encryption capability information from the call response message.

Correspondingly, the key is sent to the called terminal in step 102 as follows: when the called-side CSCF receives a call-related message from the calling terminal, it inserts the previously generated key into that message and forwards it to the called terminal. The call-related message here may be, for example, an acknowledgement message or an information change message.

Correspondingly, the key is sent to the called-side MP in step 102 as follows: the called-side CSCF sends a message carrying the key to the called-side RACS, and the called-side RACS forwards the key to the called-side MP.

At this point both the called terminal and the called-side MP have obtained the key from the called-side P-CSCF and can use it to transmit the media stream. As on the calling side, two cases arise:

In the first case, when the media stream flows from the calling terminal to the called terminal, the called-side MP encrypts the stream arriving from the calling terminal with the obtained key and sends the encrypted stream to the called terminal, which decrypts it with the obtained key.

In the second case, when the media stream flows from the called terminal to the calling terminal, the called terminal encrypts the stream with the obtained key and sends the encrypted stream to the called-side MP; the called-side MP decrypts it with the obtained key and forwards the decrypted stream onwards.

In the invention the calling side and the called side each generate a key independently and deliver it to their own terminal and media stream bearer device. That is, a key generated on one side is used only to transmit the media stream within that side's own region, while outside the calling-side and called-side regions the stream is carried in plaintext; therefore neither side needs to negotiate with the other when generating its key, nor to send its key to the other side.
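The hop-by-hop model just described, carried through in code as an added example (this is not code from the patent or from Huawei): the calling-side key generation unit issues key x to the calling terminal and calling-side MP, the called side independently issues key y, the calling-side MP decrypts, and the called-side MP re-encrypts. The packet layout (8-byte index, ciphertext, 80-bit tag), the HMAC-SHA256 counter-mode keystream standing in for SRTP's AES-CM (the Python standard library has no AES), and the omission of the key derivation rate are all assumptions made for the example. What the code makes visible is the security property the text relies on: `run_call` returns the plaintext that exists between the two MPs, so protection is per-hop, the MPs are trusted decryption points, and that inter-MP plaintext is exactly what lawful interception taps.

```python
"""Hop-by-hop media protection with independently keyed legs.

Added illustration of the scheme in the text, not the patent's own code.
Assumptions: packet = index(8 bytes) || ciphertext || tag(10 bytes);
HMAC-SHA256 counter-mode keystream replaces AES-CM; HMAC-SHA1 tag truncated
to 80 bits as in SRTP; key derivation rate is ignored (keys are per call).
"""
import hashlib
import hmac
import secrets
import struct

TAG_LEN = 10  # 80-bit truncated HMAC-SHA1 tag, the SRTP default size


def kgu_generate(enc_bits=128, auth_bits=160):
    """Key generation unit: fresh, independent encryption and authentication
    keys.  No PKI and no clock synchronisation are involved, which is the
    patent's point; the P-CSCF would hand these to terminal and MP."""
    return {"enc": secrets.token_bytes(enc_bits // 8),
            "auth": secrets.token_bytes(auth_bits // 8)}


def _keystream(key, index, length):
    """Counter-mode keystream derived from (packet index, block counter)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">QI", index, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def protect(keys, index, payload):
    """Encrypt-then-MAC one media packet: index || ciphertext || tag."""
    ks = _keystream(keys["enc"], index, len(payload))
    ct = bytes(p ^ k for p, k in zip(payload, ks))
    hdr = struct.pack(">Q", index)
    tag = hmac.new(keys["auth"], hdr + ct, hashlib.sha1).digest()[:TAG_LEN]
    return hdr + ct + tag


def unprotect(keys, packet):
    """Verify the tag in constant time before decrypting; ValueError on failure."""
    if len(packet) < 8 + TAG_LEN:
        raise ValueError("packet too short")
    hdr, ct, tag = packet[:8], packet[8:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(keys["auth"], hdr + ct, hashlib.sha1).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    (index,) = struct.unpack(">Q", hdr)
    ks = _keystream(keys["enc"], index, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def accepts(keys, packet):
    """True if the packet authenticates under keys."""
    try:
        unprotect(keys, packet)
        return True
    except ValueError:
        return False


def run_call(payload, index=1):
    """One packet from calling terminal to called terminal through both MPs."""
    x = kgu_generate()  # calling-side P-CSCF -> calling terminal and calling-side MP
    y = kgu_generate()  # called-side P-CSCF -> called terminal and called-side MP
    leg1 = protect(x, index, payload)        # calling terminal -> calling-side MP
    between_mps = unprotect(x, leg1)         # calling-side MP decrypts: plaintext leg
    leg2 = protect(y, index, between_mps)    # called-side MP re-encrypts under y
    delivered = unprotect(y, leg2)           # called terminal decrypts
    return {"x": x, "y": y, "leg1": leg1, "between_mps": between_mps,
            "leg2": leg2, "delivered": delivered}


if __name__ == "__main__":
    r = run_call(b"constructed RTP payload")  # constructed sample input
    print("delivered:", r["delivered"])
    print("plaintext visible between MPs:", r["between_mps"])
```

Key y cannot authenticate a calling-side packet and a flipped ciphertext byte is rejected before any decryption happens; both follow from checking the tag first and from the two legs never sharing key material.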

Note that the invention has been described from the calling side or the called side alone, whereas in practice the call flow and media stream transmission involve both sides at once. To illustrate the scheme better, the preferred embodiment below covers both the calling side and the called side so as to describe the method of securely transmitting media streams in full.

Method embodiment

In this embodiment a key generation unit is set up in advance on each side: the calling-side key generation unit is a functional unit of the calling-side P-CSCF and the called-side key generation unit is a functional unit of the called-side P-CSCF. In practice the key generation unit need not be part of the P-CSCF; it may also be a stand-alone server.

In this embodiment the calling side further comprises the calling terminal, the calling-side RACS and the calling-side MP; the called side further comprises the called terminal, the called-side RACS and the called-side MP.

Assume further that the key generated by the calling-side P-CSCF is x and the key generated by the called-side P-CSCF is y.

Fig. 2 is the message flow diagram of this embodiment. As shown in Fig. 2, the embodiment comprises the following steps:

Step 201: The calling side initiates a call and sends a call request message carrying its own encryption capability information to the calling-side P-CSCF.

The call request message here is the SIP INVITE message. The calling terminal's encryption capability information can be carried in the INVITE in four ways: first, in the SDP body of the INVITE; second, in the SIP Accept-Contact (caller preferences) header field of the INVITE; third, in a SIP extension negotiation field of the INVITE; fourth, in the fields defined by RFC 4568 in the INVITE.

For the first method, carriage in the Session Description Protocol (SDP), the format of the encryption capability information is:

m=<media> <port> srtp/avp <format-list>
   [a=media_encryption:
                   SRTP&
                   [Lists of the Encrypted Algorithms]&
                   [Lists of the Encrypted Key Length]&
                   [Lists of the Message Authentication Algorithms]&
                   [Lists of the Message Authentication Key Length]&
                   [Key Generation side declaration]&
                   [Key derivation rate];]...

Here the m field carries the media information and supports the media capability declaration, while the a field describes the attributes of the media stream. The meaning of each attribute is given in Table 1:

[Table 1, which gives the meaning of each media_encryption sub-field, is an image in the original and is not reproduced here.]

Table 1

If the calling terminal specifies the SRTP protocol, the AES-CM encryption algorithm, an encryption key length of 128 or 256 bits, HMAC-SHA1 as the message authentication and integrity protection algorithm, a 160-bit message authentication and integrity protection key, and a key derivation rate of 24, the key capability information in the call request message is:

m=<media> <port> srtp/avp <format-list>

a=media_encryption:SRTP&AES-CM&128;256&HMAC-SHA1&160&24

For the second method, carriage in the SIP Accept-Contact header field (the page's listing writes it as Accept_Contact; the header defined by RFC 3841 is Accept-Contact), the format is:

Accept-Contact: *;media_encryption=
                  "SRTP&
                  [Lists of the Encrypted Algorithms]&
                  [Lists of the Encrypted Key Length]&
                  [Lists of the Message Authentication Algorithms]&
                  [Lists of the Message Authentication Key Length]&
                  [Key Generation side declaration]&
                  [Key derivation rate]";...

The meaning of each sub-field of media_encryption is the same as in Table 1 and is not repeated here.

If the calling terminal's encryption capability information is the same as in the first method, the header reads: Accept-Contact: *;media_encryption="SRTP&AES-CM&128;256&HMAC-SHA1&160&24"

For the third method, carriage in a SIP extension negotiation header field, the calling terminal's capability information is written directly into the Supported header field, for example:

Supported: media_encryption=SRTP-[AES-CM]-[128;256;512]-[HMAC-SHA1]-[160]

The meaning of each sub-field is the same as in Table 1 and is not repeated here.

For the fourth method, carriage in the fields defined by RFC 4568, the format is:

a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:

The crypto-suite name encodes the same algorithm and key-length information as the sub-fields of Table 1 (AES-CM with a 128-bit key, HMAC-SHA1 with an 80-bit authentication tag). Note that RFC 4568 itself expects the offerer to place its own master key in the inline parameter; in this scheme the terminal leaves it empty in the INVITE, and the key is supplied by the P-CSCF in the response (see step 209).

Step 202: the calling-side P-CSCF forwards the call request message to the called-side P-CSCF.

Step 203: the key generation unit in the calling-side P-CSCF generates key x according to the calling terminal's encryption capability information.

In this embodiment the newly added key generation unit is a functional unit of the P-CSCF; in practice it may reside in another CSCF, such as the S-CSCF.

If the key generation unit is an independent server rather than a functional unit of the P-CSCF, an interface between the P-CSCF and that server must be provided, and the P-CSCF obtains the generated key from the server over that interface.
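The capability declaration of the first three carriage methods and the key generation of step 203, worked through as an added example in Go. This code is not part of the patent and does not reproduce any Huawei implementation; it parses the media_encryption value (treating the key-generation-side declaration as optional, since the page's own six-field example omits it), applies a selection policy of the example's own choosing (AES-CM with a 128- or 256-bit key and HMAC-SHA1, longest key preferred; the page fixes no rule), draws the key from the OS CSPRNG, and renders it for the SDP k= field of step 209 using the base64 method of RFC 4566. The 112-bit SRTP master salt and the 0..24 bound on the derivation-rate exponent are taken from RFC 3711 and are assumptions here.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strconv"
	"strings"
)

// Capability is a decoded media_encryption declaration (the sub-fields of Table 1).
type Capability struct {
	EncAlgs, MacAlgs       []string
	EncKeyBits, MacKeyBits []int
	KeyGenSide             string // optional key-generation-side declaration
	DerivRate              int    // key derivation rate; -1 when absent
}

// MediaKey is what the key generation unit returns for one call leg.
type MediaKey struct {
	EncAlg, MacAlg string
	Key, Salt      []byte // Salt is a 112-bit SRTP master salt, added as an assumption
}

func splitList(s string) []string { return strings.FieldsFunc(s, func(r rune) bool { return r == ';' }) }

func intList(s string) ([]int, error) {
	var out []int
	for _, p := range splitList(s) {
		n, err := strconv.Atoi(p)
		if err != nil || n <= 0 || n%8 != 0 {
			return nil, fmt.Errorf("bad key length %q", p)
		}
		out = append(out, n)
	}
	return out, nil
}

// ParseMediaEncryption decodes the '&'-separated value shared by the SDP
// attribute and the Accept-Contact parameter. The page's own example has six
// fields, so the key-generation-side declaration is treated as optional:
// seven fields mean side declaration then derivation rate, six mean rate only.
func ParseMediaEncryption(v string) (Capability, error) {
	f := strings.Split(strings.TrimSpace(v), "&")
	if len(f) < 5 || len(f) > 7 || f[0] != "SRTP" {
		return Capability{}, fmt.Errorf("malformed media_encryption %q", v)
	}
	c := Capability{EncAlgs: splitList(f[1]), MacAlgs: splitList(f[3]), DerivRate: -1}
	var err error
	if c.EncKeyBits, err = intList(f[2]); err != nil {
		return Capability{}, err
	}
	if c.MacKeyBits, err = intList(f[4]); err != nil {
		return Capability{}, err
	}
	if rest := f[5:]; len(rest) > 0 {
		if len(rest) == 2 {
			c.KeyGenSide, rest = rest[0], rest[1:]
		}
		// RFC 3711 limits the derivation-rate exponent to 0..24; assumed to apply here.
		if c.DerivRate, err = strconv.Atoi(rest[0]); err != nil || c.DerivRate < 0 || c.DerivRate > 24 {
			return Capability{}, fmt.Errorf("bad key derivation rate %q", rest[0])
		}
	}
	return c, nil
}

// ParseSupported decodes the Supported-header form, where each list is
// bracketed and the fields are joined with '-'.
func ParseSupported(v string) (Capability, error) {
	parts := strings.Split(strings.TrimPrefix(strings.TrimSpace(v), "media_encryption="), "-[")
	for i := 1; i < len(parts); i++ {
		parts[i] = strings.TrimSuffix(parts[i], "]")
	}
	return ParseMediaEncryption(strings.Join(parts, "&"))
}

func offered(list []string, want string) bool {
	for _, a := range list {
		if a == want {
			return true
		}
	}
	return false
}

// GenerateKey is the step-203 policy of this example: accept only AES-CM with a
// 128- or 256-bit key and HMAC-SHA1, prefer the longest offered key, and draw
// key and salt from the OS CSPRNG. The page itself fixes no selection rule.
func GenerateKey(c Capability) (MediaKey, error) {
	bits := 0
	for _, n := range c.EncKeyBits {
		if (n == 128 || n == 256) && n > bits {
			bits = n
		}
	}
	if bits == 0 || !offered(c.EncAlgs, "AES-CM") || !offered(c.MacAlgs, "HMAC-SHA1") {
		return MediaKey{}, fmt.Errorf("no acceptable parameters in %+v", c)
	}
	buf := make([]byte, bits/8+14)
	if _, err := rand.Read(buf); err != nil {
		return MediaKey{}, err
	}
	return MediaKey{EncAlg: "AES-CM", MacAlg: "HMAC-SHA1", Key: buf[:bits/8], Salt: buf[bits/8:]}, nil
}

// SDPKeyLine renders key||salt for the SDP k= field of the 183 response
// (step 209), using the base64 method defined by RFC 4566.
func (mk MediaKey) SDPKeyLine() string {
	return "k=base64:" + base64.StdEncoding.EncodeToString(append(append([]byte{}, mk.Key...), mk.Salt...))
}

func main() {
	c, _ := ParseMediaEncryption("SRTP&AES-CM&128;256&HMAC-SHA1&160&24")
	mk, err := GenerateKey(c)
	fmt.Printf("%+v\nerr=%v %s/%s %d-bit\n%s\n", c, err, mk.EncAlg, mk.MacAlg, len(mk.Key)*8, mk.SDPKeyLine())
}
```

The 512-bit entry in the Supported example is accepted by the parser but discarded by the policy, which is the check a P-CSCF would want: a terminal can advertise anything, and the key generation unit, not the terminal, decides what the network will actually key.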

Step 204: the calling-side P-CSCF initiates the resource reservation procedure and, within it, sends the generated key x to the calling-side RACS.

Step 205: the calling-side RACS forwards key x to the calling-side MP.

Steps 204 and 205 constitute the resource reservation procedure, which mainly determines quality of service (QoS), gate control and similar parameters and sends them to the calling-side MP in a policy push message. During resource reservation the P-CSCF can extend the Media-Component-Description AVP (or its Media-Sub-Component AVP) of the resource request (AAR) message with a field that carries the key, for example a Media-Encryption-Key field, record the generated key in that field, and thereby send the key to the calling-side RACS. The extended format may be:

Media-Component-Description ::= <AVP Header: 519>
    {Media-Component-Number}
   *[Media-Sub-Component]
    [AF-Application-Identifier]
    [Media-Type]
    [Max-Requested-Bandwidth-UL]
    [Max-Requested-Bandwidth-DL]
    [Flow-Status]
    [RS-Bandwidth]
    [RR-Bandwidth]
    [Media-Encryption-Key]

Here [Media-Encryption-Key] is the extended AVP that carries the key.

In practice the key need not be carried to the calling-side RACS in the AAR message; it may be delivered in another message, such as a resource modification message. How it is delivered and how that message is extended are implementation-specific and are not described further here.
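The Diameter carriage of steps 204 and 205, as an added example in Go that is not part of the patent: it encodes the extended Media-Component-Description of the AAR with RFC 3588 AVP framing and decodes it again on the RACS side. The AVP codes 517 (Media-Component-Description) and 518 (Media-Component-Number) and vendor ID 10415 are the 3GPP TS 29.214 values (the page's listing shows 519, which TS 29.214 assigns to Media-Sub-Component); the code 65001 for Media-Encryption-Key is hypothetical, since the page assigns none. The key AVP is sent with the M bit cleared, and the decoder rejects any unrecognised AVP that has it set, which is the Diameter rule that decides whether an older RACS tolerates the extension.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	flagV                        = 0x80  // vendor-specific
	flagM                        = 0x40  // mandatory: a receiver that does not understand the AVP must reject the message
	vendor3GPP                   = 10415 // TS 29.214
	avpMediaComponentDescription = 517   // TS 29.214 (the page's listing shows 519, the TS 29.214 code of Media-Sub-Component)
	avpMediaComponentNumber      = 518   // TS 29.214
	avpMediaEncryptionKey        = 65001 // hypothetical code for the page's extension AVP
)

// AVP is one Diameter attribute-value pair: Code, Flags, 24-bit Length, optional Vendor-ID, data padded to 32 bits.
type AVP struct {
	Code, VendorID uint32
	Flags          byte
	Data           []byte
}

func (a AVP) Encode() []byte {
	hdr := 8
	if a.Flags&flagV != 0 {
		hdr = 12
	}
	length := hdr + len(a.Data) // the Length field excludes the padding
	b := make([]byte, (length+3)&^3)
	binary.BigEndian.PutUint32(b, a.Code)
	binary.BigEndian.PutUint32(b[4:], uint32(a.Flags)<<24|uint32(length))
	if hdr == 12 {
		binary.BigEndian.PutUint32(b[8:], a.VendorID)
	}
	copy(b[hdr:], a.Data)
	return b
}

// DecodeAVPs walks a sequence of AVPs, rejecting truncated or oversized ones.
func DecodeAVPs(b []byte) ([]AVP, error) {
	var out []AVP
	for len(b) > 0 {
		if len(b) < 8 {
			return nil, errors.New("truncated AVP header")
		}
		a := AVP{Code: binary.BigEndian.Uint32(b), Flags: b[4]}
		length, hdr := int(binary.BigEndian.Uint32(b[4:])&0xffffff), 8
		if a.Flags&flagV != 0 {
			if len(b) < 12 {
				return nil, errors.New("truncated Vendor-ID")
			}
			a.VendorID, hdr = binary.BigEndian.Uint32(b[8:]), 12
		}
		if length < hdr || length > len(b) {
			return nil, fmt.Errorf("bad AVP length %d", length)
		}
		a.Data = b[hdr:length]
		out = append(out, a)
		if next := (length + 3) &^ 3; next >= len(b) {
			b = nil
		} else {
			b = b[next:]
		}
	}
	return out, nil
}

func u32(v uint32) []byte { b := make([]byte, 4); binary.BigEndian.PutUint32(b, v); return b }

// BuildMediaComponent encodes the extended Media-Component-Description of the AAR.
// The key AVP is vendor-specific with the M bit cleared, so a RACS that predates
// the extension ignores it instead of failing the whole request.
func BuildMediaComponent(number uint32, key []byte) []byte {
	inner := AVP{Code: avpMediaComponentNumber, Flags: flagV | flagM, VendorID: vendor3GPP, Data: u32(number)}.Encode()
	inner = append(inner, AVP{Code: avpMediaEncryptionKey, Flags: flagV, VendorID: vendor3GPP, Data: key}.Encode()...)
	return AVP{Code: avpMediaComponentDescription, Flags: flagV | flagM, VendorID: vendor3GPP, Data: inner}.Encode()
}

// ExtractMediaKey is the RACS side: it returns the component number and the key,
// and refuses the component if it carries an unrecognised AVP flagged mandatory.
func ExtractMediaKey(b []byte) (uint32, []byte, error) {
	outer, err := DecodeAVPs(b)
	if err != nil {
		return 0, nil, err
	}
	for _, a := range outer {
		if a.Code != avpMediaComponentDescription || a.VendorID != vendor3GPP {
			continue
		}
		inner, err := DecodeAVPs(a.Data)
		if err != nil {
			return 0, nil, err
		}
		var num uint32
		var key []byte
		for _, in := range inner {
			switch {
			case in.Code == avpMediaComponentNumber && len(in.Data) == 4:
				num = binary.BigEndian.Uint32(in.Data)
			case in.Code == avpMediaEncryptionKey:
				key = in.Data
			case in.Flags&flagM != 0:
				return 0, nil, fmt.Errorf("unsupported mandatory AVP %d", in.Code)
			}
		}
		if key == nil {
			return 0, nil, errors.New("Media-Encryption-Key absent")
		}
		return num, key, nil
	}
	return 0, nil, errors.New("Media-Component-Description absent")
}

func main() {
	g := BuildMediaComponent(1, bytes.Repeat([]byte{0xab}, 16)) // constructed 128-bit key
	num, key, err := ExtractMediaKey(g)
	fmt.Printf("%x\ncomponent %d key %x err %v\n", g, num, key, err)
}
```

The key travels in the AVP payload as plain octets: Diameter offers no per-AVP confidentiality, so the Gq'/Rx link between P-CSCF and RACS must itself be protected (IPsec or TLS) for this hop of the distribution to be sound.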

After receiving the key, the calling-side RACS can send it to the calling-side MP over the H.248 protocol or the Common Open Policy Service (COPS) protocol.

If the calling-side RACS sends a COPS message to the calling-side MP, its format is:

<Decision Message> ::= <Common Header>
                       <Client Handle>
                       *(<Decision>) | <Error>
                       [<Integrity>]

<Decision> ::= <Context>
               <Decision Flags>
               [<Named Decision Data: Provisioning>]

<Named Decision Data: Provisioning> ::= <Install Decision>

<Install Decision> ::= *(<PRID> <EPD>)

Here the following may be specified: in the Common Header, Op Code = 2 (DEC) and Flags = 1 (solicited message); the Client Handle object is mandatory; in the Decision object, Command-Code = 1 (Install) and Flags = 0x02; the Named Decision Data (Provisioning) is the C-Type = 5 variant of the Decision object (the page writes "C-Num = 5", but in RFC 2748 the Decision object is C-Num = 6 and Named Decision Data is its C-Type 5); and the Install Decision object is extended with a Media-Encryption-Key field that carries the key received by the calling-side RACS.

If the key is delivered over H.248, then when the Add command is used to add a termination to the context, the key can be carried in the Stream Descriptor of the Media Descriptor; that is, the value of the Media-Encryption-Key field from the Diameter message is copied into the Media Descriptor's property identifiers SDP_A and encryptkey.

Moreover, once the calling-side P-CSCF has received the call request message (step 202), it continues the subsequent call flow (step 206) and, in parallel, generates and delivers the key (steps 203 to 205). That is, the subsequent call flow and the generation and delivery of the key are two parallel procedures with no strict temporal ordering between them.

Also, in this embodiment the calling-side P-CSCF sends the key to the calling-side MP through the resource reservation procedure; in practice it may instead be sent through an independent key delivery procedure. In other words, any mechanism that delivers the generated key to the calling-side MP will do.

Step 206: the called-side P-CSCF sends the call request message to the called terminal.

Step 207: the called terminal returns to the called-side P-CSCF a call response message carrying its own encryption capability information, and the called-side P-CSCF obtains the called terminal's encryption capability information from that call response message.

The call response message corresponds to the call request message received by the called terminal and may be a 183 (Session Progress) message or a 200 OK message.

Step 208: the called-side P-CSCF sends the call response message to the calling-side P-CSCF.

Step 209: the calling-side P-CSCF returns the key it generated earlier to the calling terminal in the call response message.

In this step, if the call response message is a 183 message, the calling-side P-CSCF may carry the previously generated key x in the k field of the SDP and send it to the calling terminal. Only if the RFC 4568 declaration mechanism was used earlier can the key instead be carried in the inline parameter.

If the call response message is a 200 OK, a SIP header field may be extended in the 200 OK to carry key x, for example a Media-Key header field with the following format:

Media-Key: <Key>

where Key is the generated key. In this way key x is returned to the calling terminal in the 200 OK.

Step 210: the key generation unit in the called-side P-CSCF generates key y according to the called terminal's encryption capability information.

Step 211: the called-side P-CSCF initiates the resource reservation procedure and, within it, sends a message carrying key y to the called-side RACS.

Step 212: the called-side RACS forwards key y to the called-side MP.

Steps 211 and 212 are the called-side P-CSCF delivering the generated key to the called-side MP through the resource reservation procedure; the method is the same as in steps 204 and 205 and is not described again here.

When the called-side P-CSCF receives the call response message, it executes the subsequent call flow (steps 208 and 209) and, in parallel, generates and delivers the key (steps 210 to 212). That is, on the called side too, the subsequent call flow and the generation and delivery of the key are parallel procedures with no strict temporal ordering between them.

Steps 213 and 214: the calling terminal sends a confirmation message to the called-side P-CSCF via the calling-side P-CSCF.

Step 215: the called-side P-CSCF sends the generated key y to the called terminal in the confirmation message.

In this embodiment the called-side P-CSCF sends key y to the called terminal in a confirmation message, i.e. a PRACK or an ACK. If the called terminal previously returned a 183 message, the calling terminal must send a PRACK to the called terminal, and the called-side P-CSCF can carry key y in the k field of the SDP in the PRACK; if the called terminal previously returned a 200 OK, the calling terminal must send an ACK, and the called-side P-CSCF can carry key y in the extended Media-Key header field of the ACK.

Step 216: the calling terminal, the calling-side MP, the called-side MP and the called terminal transmit the media stream using the keys each has obtained.

In practice, when the calling terminal calls the called terminal, the exchanged messages and signalling are carried over the signalling path, whereas once the call is established the media stream is carried over the media path, i.e. through the calling terminal, the calling-side MP, the called-side MP and the called terminal.

The media stream is transmitted as follows:

When the media stream flows from the calling terminal to the called terminal, the calling terminal encrypts it with the obtained key x and transmits the encrypted stream to the calling-side MP; the calling-side MP decrypts it with the obtained key x and transmits the decrypted stream to the called-side MP; the called-side MP encrypts it with the obtained key y and transmits the encrypted stream to the called terminal; and the called terminal decrypts it with the obtained key y.

When the media stream flows from the called terminal to the calling terminal, the called terminal encrypts it with key y and transmits the encrypted stream to the called-side MP; the called-side MP decrypts it with key y and transmits the decrypted stream to the calling-side MP; the calling-side MP encrypts it with key x and transmits the encrypted stream to the calling terminal; and the calling terminal decrypts it with key x.

That is, the media stream is protected by key x on the calling side and by key y on the called side. Between the two MPs it is carried without media-layer encryption, so both MPs and the network segment between them see the plaintext; confidentiality of that segment, and of the keys themselves while they are distributed over the signalling path, rests entirely on the protection of those network links.
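The two-leg transport of step 216, as an added example in Go that is not part of the patent: it implements the SRTP AES-CM keystream of RFC 3711 (IV = (k_s * 2^16) XOR (SSRC * 2^64) XOR (i * 2^16)) and the HMAC-SHA1-80 authentication tag, and relays one packet from the calling terminal through both MPs to the called terminal. The session-key derivation of RFC 3711 is skipped, so the 128-bit cipher key, 160-bit authentication key and 112-bit salt of each leg are used directly; the keys and the RTP packet are constructed for the example. The relay returns the packet as it crosses between the MPs, which makes the plaintext intercept point of the scheme visible.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

// SRTPKeys holds one leg's session keys. RFC 3711 derives them from the master
// key and salt with a KDF; that step is skipped here (assumption).
type SRTPKeys struct{ Enc, Auth, Salt []byte }

// aesCMIV builds the AES-CM IV of RFC 3711 section 4.1.1:
// IV = (k_s * 2^16) XOR (SSRC * 2^64) XOR (i * 2^16), with i = ROC||SEQ.
func aesCMIV(salt []byte, ssrc uint32, index uint64) []byte {
	iv := make([]byte, 16)
	copy(iv, salt[:14]) // k_s * 2^16 occupies bytes 0..13
	var f [16]byte
	binary.BigEndian.PutUint32(f[4:], ssrc)      // SSRC * 2^64 occupies bytes 4..7
	binary.BigEndian.PutUint64(f[8:], index<<16) // 48-bit i * 2^16 occupies bytes 8..13
	for i := range iv {
		iv[i] ^= f[i]
	}
	return iv
}

// tag is HMAC-SHA1 over header||ciphertext||ROC, truncated to 80 bits.
func tag(k SRTPKeys, authed []byte, roc uint32) []byte {
	m := hmac.New(sha1.New, k.Auth)
	m.Write(authed)
	var r [4]byte
	binary.BigEndian.PutUint32(r[:], roc)
	m.Write(r[:])
	return m.Sum(nil)[:10]
}

// Protect encrypts the payload of an RTP packet (12-byte header + payload)
// with AES-CM and appends the authentication tag.
func Protect(k SRTPKeys, rtp []byte, roc uint32) ([]byte, error) {
	if len(rtp) < 12 {
		return nil, errors.New("short RTP header")
	}
	blk, err := aes.NewCipher(k.Enc)
	if err != nil {
		return nil, err
	}
	index := uint64(roc)<<16 | uint64(binary.BigEndian.Uint16(rtp[2:]))
	out := make([]byte, len(rtp), len(rtp)+10)
	copy(out, rtp[:12])
	cipher.NewCTR(blk, aesCMIV(k.Salt, binary.BigEndian.Uint32(rtp[8:]), index)).XORKeyStream(out[12:], rtp[12:])
	return append(out, tag(k, out, roc)...), nil
}

// Unprotect verifies the tag first and only then decrypts; a packet that fails
// authentication is dropped before the cipher is touched.
func Unprotect(k SRTPKeys, srtp []byte, roc uint32) ([]byte, error) {
	if len(srtp) < 22 {
		return nil, errors.New("short SRTP packet")
	}
	n := len(srtp) - 10
	if !hmac.Equal(tag(k, srtp[:n], roc), srtp[n:]) {
		return nil, errors.New("SRTP authentication failed")
	}
	blk, err := aes.NewCipher(k.Enc)
	if err != nil {
		return nil, err
	}
	index := uint64(roc)<<16 | uint64(binary.BigEndian.Uint16(srtp[2:]))
	rtp := make([]byte, n)
	copy(rtp, srtp[:12])
	cipher.NewCTR(blk, aesCMIV(k.Salt, binary.BigEndian.Uint32(srtp[8:]), index)).XORKeyStream(rtp[12:], srtp[12:n])
	return rtp, nil
}

// Relay models step 216 in the calling-to-called direction and returns the
// packet as the MPs exchange it and as the called terminal recovers it.
func Relay(x, y SRTPKeys, rtp []byte) (betweenMPs, atCalled []byte, err error) {
	fromCaller, err := Protect(x, rtp, 0) // calling terminal encrypts with x
	if err != nil {
		return nil, nil, err
	}
	if betweenMPs, err = Unprotect(x, fromCaller, 0); err != nil { // calling-side MP decrypts with x
		return nil, nil, err
	}
	toCalled, err := Protect(y, betweenMPs, 0) // called-side MP re-encrypts with y
	if err != nil {
		return nil, nil, err
	}
	atCalled, err = Unprotect(y, toCalled, 0) // called terminal decrypts with y
	return betweenMPs, atCalled, err
}

// SampleRTP is a constructed packet: V=2, PT=0, seq=1, SSRC=0xdeadbeef, then a payload.
func SampleRTP() []byte {
	h := []byte{0x80, 0x00, 0x00, 0x01, 0, 0, 0, 0xa0, 0xde, 0xad, 0xbe, 0xef}
	return append(h, []byte("PCMU audio frame (constructed)")...)
}

// SampleKeys returns constructed, deterministic keys for one leg; real keys come from step 203.
func SampleKeys(seed byte) SRTPKeys {
	return SRTPKeys{Enc: bytes.Repeat([]byte{seed}, 16), Auth: bytes.Repeat([]byte{seed + 1}, 20), Salt: bytes.Repeat([]byte{seed + 2}, 14)}
}

func main() {
	mid, end, err := Relay(SampleKeys(0x11), SampleKeys(0x22), SampleRTP())
	fmt.Printf("err=%v plaintext between MPs=%t delivered intact=%t\n", err, bytes.Equal(mid, SampleRTP()), bytes.Equal(end, SampleRTP()))
}
```

Because the tag covers the ROC as well as the packet, an MP that has lost rollover state rejects the packet rather than decrypting it with the wrong counter; and because x and y are independent, a packet protected on the calling leg is unverifiable with y, so neither MP can be bypassed.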

In addition, if the called terminal returns a 183 message, the calling terminal must, after sending the PRACK, also send a session update message, i.e. an UPDATE, to the called terminal. In that case the called-side P-CSCF may send key y to the called terminal in the UPDATE message instead of the PRACK.

In summary, the point to be emphasised is that the key generation unit obtains the terminal's encryption capability information during the call flow, generates a key according to that information, and sends the key to the terminal and to the media stream bearer device respectively. Which message in the call flow the capability information is taken from, which message carries the key to the terminal, and how the key is delivered to the media stream bearer device may all be decided by whoever applies this scheme, and are not described further here.

The embodiments are described using a network containing an IP Multimedia Subsystem (IMS) as an example, under the assumption that the signalling path in the IMS network is itself protected. That assumption is essential: the keys travel over that path in SIP, Diameter, COPS or H.248 messages, and any element or link on it that is not protected exposes them. The method can also be applied to other types of network, such as a softswitch-based next generation network, in a similar way, which is not enumerated here.

For the method of securely transmitting a media stream, a corresponding system for securely transmitting a media stream is also proposed. Fig. 3 is a schematic diagram of the basic structure of the system. As shown in Fig. 3, the system comprises a terminal 301, a media stream bearer device 302 and a key generation unit 303.

The terminal 301 sends its own encryption capability information to the key generation unit 303, obtains the key, and transmits the media stream using the key.

The media stream bearer device 302 receives the key generated by the key generation unit 303 and transmits the media stream using the key.

The key generation unit 303 receives the encryption capability information supplied by the terminal 301, generates a key, and sends the generated key to the terminal 301 and to the media stream bearer device 302 respectively.

Here the terminal 301 may be the calling terminal or the called terminal; the media stream bearer device 302 may be the calling-side or the called-side media stream bearer device; the key generation unit 303 may be the calling-side or the called-side key generation unit, and may be a functional unit of the P-CSCF or an independent server.

To better illustrate the structure and functions of the system, a system embodiment is described in detail below.

System embodiment

In this embodiment the key generation unit is a functional unit of the P-CSCF, the media stream bearer device is the MP, and the MP obtains the key via the RACS.

Fig. 4 is a schematic diagram of the system structure. As shown in Fig. 4, the embodiment comprises a calling terminal 401, a calling-side P-CSCF 402, a calling-side RACS 403, a calling-side MP 404, a called terminal 405, a called-side P-CSCF 406, a called-side RACS 407 and a called-side MP 408.

The calling terminal 401 and the called terminal 405 send their own encryption capability information to the calling-side P-CSCF 402 and the called-side P-CSCF 406 respectively, obtain the keys, and transmit the media stream using the keys.

The calling-side P-CSCF 402 and the called-side P-CSCF 406 each generate a key and send it to the calling-side RACS 403 and the called-side RACS 407 respectively.

The calling-side RACS 403 and the called-side RACS 407 forward the keys generated by the calling-side P-CSCF 402 and the called-side P-CSCF 406 to the calling-side MP 404 and the called-side MP 408 respectively.

The calling-side MP 404 and the called-side MP 408 receive the keys from the calling-side RACS 403 and the called-side RACS 407 respectively, and transmit the media stream using the keys.

When the calling terminal 401 initiates a call, it sends a call request message carrying its own encryption capability information to the calling-side P-CSCF 402. The calling-side P-CSCF 402 forwards the call request message to the called terminal 405 via the called-side P-CSCF 406 and, at the same time, generates a key according to the encryption capability information of the calling terminal 401 and sends it to the calling-side MP 404 via the calling-side RACS 403. On receiving the call request message, the called terminal 405 returns a call response message carrying its own encryption capability information to the called-side P-CSCF 406. The called-side P-CSCF 406 returns the call response message to the calling-side P-CSCF 402, which carries the previously generated key in the call response message back to the calling terminal 401; at the same time, the called-side P-CSCF 406 generates a key according to the encryption capability information of the called terminal 405 and sends it to the called-side MP 408 via the called-side RACS 407. Thereafter the calling terminal 401, the calling-side MP 404, the called-side MP 408 and the called terminal 405 transmit the media stream using the keys.

With this scheme the terminal and the media stream bearer device obtain a key generated by the key generation unit, without complex procedures such as certificate management or clock synchronisation, so secure transmission of the media stream is easy to realise. The media stream exchanged between the calling-side and called-side media stream bearer devices is not encrypted, which satisfies the practical requirement of lawful interception by an authorised body that does not hold the key. Furthermore, because the calling-side and called-side keys are generated independently, no negotiation is needed, and key generation and delivery need not hold up the execution of the call flow.

The above are only preferred embodiments and are not intended to limit the scope of protection. Any modification, equivalent substitution or improvement made within the spirit and principles of the invention shall fall within its scope of protection.

Claims (12)

1. the method for a safely transmitting media stream is characterized in that, sets in advance the key generation unit, and this method may further comprise the steps:
A, key generation unit obtain the cryptographic capabilities information of terminal in call flow, and generate the key that is used for Media Stream according to described cryptographic capabilities information;
B, again the key that generates is sent to terminal respectively and is used for media stream bearing equipment;
The cipher key delivery Media Stream that C, terminal and media stream bearing equipment utilization are obtained.
2. method according to claim 1, it is characterized in that, described key generation unit is the functional unit of Calling Side call conversation control function entity CSCF, and described terminal is a calling terminal, and then the described key generation unit of the steps A method of obtaining cryptographic capabilities information is specially:
Calling terminal makes a call, and the call request message that carries the self-encryption ability information is sent to Calling Side CSCF, and Calling Side CSCF obtains the cryptographic capabilities information of calling terminal from call request message.
3. method according to claim 2 is characterized in that, the cryptographic capabilities information-bearing of described calling terminal is in the Session Description Protocol SDP of call request message; The session initiation protocol SIP caller attributes that perhaps is carried on call request message receives to be consulted in the Accept-contact header field; Perhaps be carried in the call request message in the SIP extension negotiation territory, described SIP extension negotiation territory is for supporting the supported territory; Perhaps be carried in the call request message in the defined field of exposure draft RFC 4568 standards.
4. method according to claim 2 is characterized in that, the described method that key is sent to calling terminal of step B is:
When Calling Side CSCF receives call message from terminal called, the key that generates in advance is carried on described call message sends to calling terminal.
5. method according to claim 2 is characterized in that, described media stream bearing equipment is Calling Side Media proxy MP, and the described method that key is sent to Calling Side MP of step B is:
The message that Calling Side CSCF will carry key sends to Calling Side resource and access control subsystem RACS, and Calling Side RACS sends to key Calling Side MP again.
6. method according to claim 2 is characterized in that, described step C is specially:
When Media Stream when calling terminal is transferred to terminal called, the key that the calling terminal utilization is obtained is encrypted Media Stream, give Calling Side MP with the encrypted media flow transmission, Calling Side MP utilizes the key that obtains that Media Stream is decrypted again, and the media flow transmission after will deciphering is then gone out; And/or
When Media Stream when terminal called is transferred to calling terminal, Calling Side MP utilizes the key that obtains to encrypt from the Media Stream of terminal called, gives calling terminal with the encrypted media flow transmission, calling terminal utilizes the key that obtains that Media Stream is decrypted again.
7. method according to claim 1 is characterized in that, described key generation unit is the functional unit among the callee side CSCF, and described terminal is a terminal called, and then the described method of obtaining cryptographic capabilities information of steps A is specially:
Terminal called receives call request message from calling terminal by callee side CSCF, the call message that carries terminal called self-encryption ability information is returned to callee side CSCF, and callee side CSCF obtains the cryptographic capabilities information of terminal called from call message.
8. method according to claim 7 is characterized in that, the described method that key is sent to terminal called of step B is:
When callee side CSCF receives from calling terminal when calling out relevant message, the key that generates in advance is carried on the described message relevant with calling sends to terminal called.
9. method according to claim 7 is characterized in that, described media stream bearing equipment is callee side MP, and the described method that key is sent to callee side MP of step B is:
The message that callee side CSCF will carry key sends to callee side RACS, and callee side RACS sends to key callee side MP again.
10. method according to claim 7 is characterized in that, described step C is specially:
When Media Stream when calling terminal is transferred to terminal called, callee side MP utilizes the key that obtains to encrypt from the Media Stream of caller terminal, gives terminal called with the encrypted media flow transmission, terminal called utilizes the key that obtains that Media Stream is decrypted again; And/or
When Media Stream when terminal called is transferred to calling terminal, the key that the terminal called utilization is obtained is encrypted Media Stream, give callee side MP with the encrypted media flow transmission, callee side MP utilizes the key that obtains that Media Stream is decrypted again, and the media flow transmission after will deciphering is then gone out.
11. A system for securely transmitting a media stream, comprising a terminal and media stream bearing equipment, characterized in that the system further comprises a key generation unit;
the terminal is configured to send its own encryption capability information to the key generation unit, obtain the key, and process (encrypt or decrypt) the media stream using the key;
the media stream bearing equipment is configured to receive the key generated by the key generation unit and process (encrypt or decrypt) the media stream using the key;
the key generation unit is configured to receive the encryption capability information supplied by the terminal, generate the key, and send the generated key to the terminal and to the media stream bearing equipment respectively.
12. The system according to claim 11, wherein the key generation unit is a functional unit in the P-CSCF, the media stream bearing equipment is the MP, and the system further comprises:
a RACS, configured to receive the key generated by the key generation unit in the P-CSCF and forward the key to the MP.
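Worked example (added here as an illustration; it is not part of the patent and not Huawei code): a Python simulation of the callee-side flow of claims 7 to 12, run end to end over constructed sample payloads. The called terminal answers the call request with its encryption capability information (step A), the key generation unit in the callee-side P-CSCF generates a key and delivers it to the terminal in a call-related message (claim 8) and to the callee-side MP through the RACS (claim 9), and the media stream is then protected between the MP and the terminal in both directions (claim 10). The patent names no cipher, key length, message format or packet layout, so the HMAC-SHA256 counter-mode stream cipher with an encrypt-then-MAC tag, the 16-byte key, the direction||sequence nonce, the suite identifier and every class and function name below are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# The patent names no cipher, key length or message format. This HMAC-SHA256
# counter-mode keystream with an encrypt-then-MAC tag is an assumed stand-in
# that needs only the standard library; the suite name is an assumption too.
SUITE = "HMAC-SHA256-CTR"
TAG_LEN = 16
CALLER_TO_CALLEE, CALLEE_TO_CALLER = 0, 1

def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _keystream(enc_key, nonce, length):
    blocks = (length + 31) // 32
    return b"".join(_prf(enc_key, nonce + i.to_bytes(4, "big")) for i in range(blocks))[:length]

class MediaProtector:
    """Packet protection held by both the called terminal and the callee-side MP.
    Layout: direction(1) | seq(4) | ciphertext | tag(16); the nonce direction||seq
    keeps the two directions from sharing keystream and lets a receiver drop replays."""

    def __init__(self, key):
        self.enc_key, self.mac_key = _prf(key, b"media-enc"), _prf(key, b"media-mac")
        self.next_seq = {CALLER_TO_CALLEE: 0, CALLEE_TO_CALLER: 0}
        self.last_seen = {CALLER_TO_CALLEE: -1, CALLEE_TO_CALLER: -1}

    def protect(self, direction, payload):
        seq = self.next_seq[direction]
        self.next_seq[direction] = seq + 1
        header = bytes([direction]) + seq.to_bytes(4, "big")
        ct = bytes(a ^ b for a, b in zip(payload, _keystream(self.enc_key, header, len(payload))))
        return header + ct + _prf(self.mac_key, header + ct)[:TAG_LEN]

    def unprotect(self, direction, packet):
        header, ct, tag = packet[:5], packet[5:-TAG_LEN], packet[-TAG_LEN:]
        if header[0] != direction or not hmac.compare_digest(tag, _prf(self.mac_key, header + ct)[:TAG_LEN]):
            raise ValueError("media packet failed integrity check")
        seq = int.from_bytes(header[1:], "big")
        if seq <= self.last_seen[direction]:
            raise ValueError("replayed or reordered media packet")
        self.last_seen[direction] = seq
        return bytes(a ^ b for a, b in zip(ct, _keystream(self.enc_key, header, len(ct))))

class CalledTerminal:
    def __init__(self, capabilities):
        self.capabilities, self.media = capabilities, None

    def answer_call_request(self):
        # Step A: the returned call message carries the terminal's own capability info.
        return {"type": "call-response", "capabilities": self.capabilities}

    def receive_call_related(self, msg):
        # Step B (claim 8): the key rides in a call-related message from the CSCF.
        self.media = MediaProtector(msg["key"])

class CalleeSideMP:
    media = None  # installed when the RACS forwards the key

def racs_forward_key(mp, key):
    # Claim 9: CSCF -> RACS -> MP; the RACS is a pure relay for the key here.
    mp.media = MediaProtector(key)

class CalleeSideCSCF:
    """Key generation unit of claims 11-12, a functional unit of the P-CSCF."""
    def __init__(self, mp):
        self.mp = mp

    def handle_call_response(self, response):
        if SUITE not in response["capabilities"]:
            raise ValueError("called terminal offers no suite this network can use")
        key = secrets.token_bytes(16)
        racs_forward_key(self.mp, key)
        return {"type": "call-related", "suite": SUITE, "key": key}

def run_call(caller_media=b"caller RTP payload", callee_media=b"callee RTP payload"):
    """Steps A-C of claims 7-10 over constructed sample payloads."""
    mp = CalleeSideMP()
    callee = CalledTerminal(capabilities=(SUITE,))
    callee.receive_call_related(CalleeSideCSCF(mp).handle_call_response(callee.answer_call_request()))

    to_callee = mp.media.protect(CALLER_TO_CALLEE, caller_media)    # MP encrypts caller media
    at_callee = callee.media.unprotect(CALLER_TO_CALLEE, to_callee)  # terminal decrypts it
    to_mp = callee.media.protect(CALLEE_TO_CALLER, callee_media)     # terminal encrypts its media
    forwarded = mp.media.unprotect(CALLEE_TO_CALLER, to_mp)          # MP decrypts, then forwards plaintext

    def rejected(attempt):
        try:
            attempt()
            return False
        except ValueError:
            return True

    tampered = to_callee[:5] + bytes([to_callee[5] ^ 0x01]) + to_callee[6:]
    return {"at_callee": at_callee, "forwarded_by_mp": forwarded,
            "keys_match": mp.media.enc_key == callee.media.enc_key,
            "tamper_rejected": rejected(lambda: callee.media.unprotect(CALLER_TO_CALLEE, tampered)),
            "replay_rejected": rejected(lambda: mp.media.unprotect(CALLEE_TO_CALLER, to_mp))}
```

Two points the simulation makes visible that the claim text leaves implicit. First, claim 10 has the callee-side MP decrypt the callee-to-caller stream and forward it, and claims 8 and 9 route the key through the P-CSCF and the RACS, so the protection these claims describe is hop-by-hop between the MP and the called terminal: the MP, the P-CSCF and the RACS all hold the key, and the MP handles plaintext. Confidentiality and integrity of the signalling path that carries the key are therefore preconditions the scheme relies on rather than something it provides. Second, the claims say nothing about per-packet integrity or replay protection; the tag and sequence check in the example are the additions a deployment would need so that a modified or replayed media packet is dropped rather than decrypted.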
CN 200710000851 2007-01-12 2007-01-12 A method and system for securely transmitting media streams Pending CN101222612A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN 200710000851 CN101222612A (en) 2007-01-12 2007-01-12 A method and system for securely transmitting media streams
PCT/CN2007/071412 WO2008083607A1 (en) 2007-01-12 2007-12-29 Method and system of safely transferring media stream

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 200710000851 CN101222612A (en) 2007-01-12 2007-01-12 A method and system for securely transmitting media streams

Publications (1)

Publication Number Publication Date
CN101222612A true CN101222612A (en) 2008-07-16

Family

ID=39608363

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200710000851 Pending CN101222612A (en) 2007-01-12 2007-01-12 A method and system for securely transmitting media streams

Country Status (2)

Country Link
CN (1) CN101222612A (en)
WO (1) WO2008083607A1 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011020332A1 (en) * 2009-08-20 2011-02-24 中兴通讯股份有限公司 Method and system for encrypting media data of ip multimedia subsystem session
WO2014166366A1 (en) * 2013-04-09 2014-10-16 中兴通讯股份有限公司 Method and device for performing capability negotiation in a long term evolution cluster network
CN104796401A (en) * 2015-03-12 2015-07-22 天翼电信终端有限公司 A method and a system for realizing encryption speech communication over an intermediate platform
CN111884802A (en) * 2020-08-25 2020-11-03 中移(杭州)信息技术有限公司 Media stream encryption transmission method, system, terminal and electronic equipment
CN116614240A (en) * 2022-02-08 2023-08-18 珠海格力电器股份有限公司 Data transmission method

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108123951B (en) * 2017-12-25 2020-10-09 成都三零瑞通移动通信有限公司 Cluster communication off-line direct-communication voice group call transmission encryption method and device

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1115924C (en) * 1999-09-09 2003-07-23 深圳市中兴通讯股份有限公司 Encryption method for mobile telephone
JP2003101570A (en) * 2001-09-21 2003-04-04 Sony Corp Communication processing system and method, and its server device and computer program
CN100512103C (en) * 2004-04-07 2009-07-08 华为技术有限公司 Secret key distributing method of end-to-end encrypted telecommunication
JP2007005878A (en) * 2005-06-21 2007-01-11 Kddi Corp Shared key generation method, shared key generation method, encrypted data copy method, shared key generation program, encrypted data transmission program, and encrypted data reception program
CN100527875C (en) * 2005-06-30 2009-08-12 华为技术有限公司 Method for achieving media flow security and communication system

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011020332A1 (en) * 2009-08-20 2011-02-24 中兴通讯股份有限公司 Method and system for encrypting media data of ip multimedia subsystem session
WO2014166366A1 (en) * 2013-04-09 2014-10-16 中兴通讯股份有限公司 Method and device for performing capability negotiation in a long term evolution cluster network
CN104796401A (en) * 2015-03-12 2015-07-22 天翼电信终端有限公司 A method and a system for realizing encryption speech communication over an intermediate platform
CN104796401B (en) * 2015-03-12 2017-11-03 天翼电信终端有限公司 A kind of method and system that enciphoring voice telecommunication is realized by halfpace
CN111884802A (en) * 2020-08-25 2020-11-03 中移(杭州)信息技术有限公司 Media stream encryption transmission method, system, terminal and electronic equipment
CN111884802B (en) * 2020-08-25 2023-04-11 中移(杭州)信息技术有限公司 Media stream encryption transmission method, system, terminal and electronic equipment
CN116614240A (en) * 2022-02-08 2023-08-18 珠海格力电器股份有限公司 Data transmission method

Also Published As

Publication number Publication date
WO2008083607A1 (en) 2008-07-17

Similar Documents

Publication Publication Date Title
CN101232368B (en) A method and multimedia subsystem for distributing media stream keys
US9537837B2 (en) Method for ensuring media stream security in IP multimedia sub-system
CN106936788B (en) A key distribution method suitable for VOIP voice encryption
CN101379802B (en) Method and device for the encoded transmission of media data between the media server and the subscriber terminal
WO2009021441A1 (en) Transmitting and receiving method, apparatus and system for security policy of multicast session
CN106899969A (en) Specific secrecy terminal system implementation method based on iOS system
CN101635823A (en) Method and system of terminal for encrypting videoconference data
CN101175074A (en) A method and system for realizing end-to-end media stream key agreement
CN101222320B (en) Method, system and device for media stream safety context negotiation
CN101227272A (en) A method and system for obtaining media stream protection key
CN101800734A (en) Session information interaction method, device and system
WO2008040213A1 (en) Message encryption and signature method, system and device in communication system
WO2005112338A1 (en) Key distribution method
CN101222612A (en) A method and system for securely transmitting media streams
CN100571133C (en) Realization method of secure transmission of media stream
CN115589292B (en) Method and system for realizing end-to-end VoIP multi-encrypted encrypted call
CN107395552A (en) A kind of data transmission method and device
CN102025485B (en) Key negotiation method, key management server and terminal
WO2009094813A1 (en) Security parameters negotiation method and apparatus for realizing the security of the media flow
EP2266251B1 (en) Efficient multiparty key exchange
CN101267298A (en) A key agreement method, device and system based on media stream service
WO2009094814A1 (en) A security parameter generating method for implementing media stream security and the apparatus thereof
CN106850521A (en) A kind of key exchange method of end-to-end voip coded communication
WO2008083620A1 (en) A method, a system and an apparatus for media flow security context negotiation
WO2015032734A1 (en) Srtp protocol extension

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20080716