CN103974242B - A data processing method for voice calls - Google Patents
- Publication number
- CN103974242B (CN201410208608.3A)
- Authority
- CN
- China
- Prior art keywords
- call
- authorization code
- user
- key
- communication
- Legal status
- Active
Landscapes
- Telephonic Communication Services (AREA)
- Telephone Function (AREA)
Abstract
The present invention provides a data processing method for voice calls, including: a first security chip of a first security device generates first negotiation information and sends the first negotiation information to a first call terminal; the first security chip receives second negotiation information sent by the first call terminal; the first security chip performs a calculation on the first negotiation information and the second negotiation information to obtain a first call key; the first security device outputs a first authorization code and prompts the user to read the first authorization code aloud; the first security chip obtains the result of the user of the first call terminal reading the first authorization code aloud, yielding first sound information; the first security chip encrypts the first sound information using the first call key to obtain first encrypted data, and sends the first encrypted data; after a first confirmation instruction is obtained, the first security chip starts encrypting and decrypting the voice call of the user of the first call terminal using the first call key.
Description
Technical Field
The invention relates to the technical field of electronics, in particular to a data processing method for voice communication.
Background
In the prior art, a voice call between users can be monitored, so current voice calls carry a security risk. The prior-art response to this risk is to encrypt the voice with a call key stored in a TF card in the mobile phone, thereby protecting the voice call. In practice, however, if malicious software is installed on a call terminal, a hacker can use it to steal the call key from the TF card and then crack the encrypted voice information, which exposes the call terminal's voice data to leakage. How to perform voice encryption securely is therefore an urgent technical problem. In addition, because a voice call in the prior art may be intercepted, reducing the possibility that a voice call is intercepted is also an urgent technical problem.
Disclosure of Invention
The present invention provides a data processing method for voice communication, and mainly aims to solve one of the above technical problems.
The invention provides a data processing method for voice calls, comprising the following steps: a first security chip of a first security device generates first negotiation information and sends the first negotiation information to a first call terminal through a first communication interface of the first security device, where the first security device is connected to the first call terminal and is independent of the first call terminal; the first security chip receives, through the first communication interface, second negotiation information sent by the first call terminal, where the second negotiation information is generated by a second security device of a second call terminal; the first security chip performs a calculation on the first negotiation information and the second negotiation information to obtain a first call key, which is used to encrypt and decrypt the voice call of the user of the first call terminal; the first security device outputs a first authorization code and prompts the user to read the first authorization code aloud, where the first authorization code is generated by the first security chip from the first call key; the first security chip obtains the result of the user of the first call terminal reading the first authorization code aloud, yielding first sound information; the first security chip encrypts the first sound information using the first call key to obtain first encrypted data, and sends the first encrypted data through the first communication interface; after a first confirmation instruction is obtained, the first security chip starts encrypting and decrypting the voice call of the user of the first call terminal using the first call key.
In addition, the step in which the first security chip, after obtaining the first confirmation instruction, starts encrypting and decrypting the voice call of the user of the first call terminal using the first call key includes either of the following:
A. After receiving a second confirmation instruction sent by the second call terminal, the first security chip obtains the first confirmation instruction from the second confirmation instruction and starts encrypting and decrypting the voice call of the user of the first call terminal using the first call key. The second confirmation instruction is generated by the second security device and is an instruction confirming the played first decrypted data against a second authorization code generated by the second security device; the first decrypted data is obtained by the second security device decrypting the first encrypted data.
B. After receiving second encrypted data through the first communication interface, the first security chip decrypts the second encrypted data using the first call key to obtain second decrypted data; the first security device plays the second decrypted data and prompts the user to confirm whether the authorization code in the second decrypted data is consistent with the first authorization code and whether the sound characteristics of the voice reading the authorization code in the second decrypted data are consistent with those of the user of the second call terminal; the first security chip obtains the first confirmation instruction and starts encrypting and decrypting the voice call of the user of the first call terminal using the first call key. The second encrypted data comprises the result, obtained by the second security device, of the user of the second call terminal reading the authorization code aloud. The first confirmation instruction is an instruction confirming that the authorization code in the second decrypted data is consistent with the first authorization code and that the sound characteristics of the voice reading the authorization code in the second decrypted data are consistent with those of the user of the second call terminal.
The invention provides a data processing method for voice calls, comprising the following steps: a first security chip of a first security device generates first negotiation information and sends the first negotiation information to a first call terminal through a first communication interface of the first security device, where the first security device is connected to the first call terminal and is independent of the first call terminal; the first security chip receives, through the first communication interface, second negotiation information sent by the first call terminal, where the second negotiation information is generated by a second security device of a second call terminal; the first security chip performs a calculation on the first negotiation information and the second negotiation information to obtain a first call key, which is used to encrypt and decrypt the voice call of the user of the first call terminal; after the first call key is obtained, the first security chip starts encrypting and decrypting the voice call of the user of the first call terminal using the first call key. After the first security chip starts encrypting and decrypting the voice call of the user of the first call terminal using the first call key, the method further comprises: the first security device receives an authentication trigger instruction for the user of the second call terminal; after receiving the authentication trigger instruction for the user of the second call terminal, the first security device outputs a first authorization code and prompts the user to read the first authorization code aloud, where the first authorization code is generated by the first security chip from the first call key; the first security chip obtains the result of the user of the first call terminal reading the first authorization code aloud, yielding first sound information; the first security chip encrypts the first sound information using the first call key to obtain first encrypted data, and sends the first encrypted data through the first communication interface; and after a first confirmation instruction is obtained, the first security chip continues encrypting and decrypting the voice call of the user of the first call terminal using the first call key.
In addition, the step in which the first security chip, after obtaining the first confirmation instruction, continues encrypting and decrypting the voice call of the user of the first call terminal using the first call key includes either of the following:
A. After receiving a second confirmation instruction sent by the second call terminal, the first security chip obtains the first confirmation instruction from the second confirmation instruction and continues encrypting and decrypting the voice call of the user of the first call terminal using the first call key. The second confirmation instruction is generated by the second security device and is an instruction confirming the played first decrypted data against a second authorization code generated by the second security device; the first decrypted data is obtained by the second security device decrypting the first encrypted data.
B. After receiving second encrypted data through the first communication interface, the first security chip decrypts the second encrypted data using the first call key to obtain second decrypted data; the first security device plays the second decrypted data and prompts the user to confirm whether the authorization code in the second decrypted data is consistent with the first authorization code and whether the sound characteristics of the voice reading the authorization code in the second decrypted data are consistent with those of the user of the second call terminal; the first security chip obtains the first confirmation instruction and continues encrypting and decrypting the voice call of the user of the first call terminal using the first call key. The second encrypted data comprises the result, obtained by the second security device, of the user of the second call terminal reading the authorization code aloud. The first confirmation instruction is an instruction confirming that the authorization code in the second decrypted data is consistent with the first authorization code and that the sound characteristics of the voice reading the authorization code in the second decrypted data are consistent with those of the user of the second call terminal.
Further, the first security device outputting the first authorization code includes: A. the first security device converts the first authorization code into sound information to obtain the sound information of the first authorization code, and plays the sound information of the first authorization code; or B. the first security device displays the first authorization code.
In addition, the method further comprises: if the first security chip detects that the voice call of the user of the first call terminal has ended, the first security chip deletes the first call key.
In addition, the step in which the first security chip obtains the result of the user of the first call terminal reading the first authorization code aloud, yielding the first sound information, includes: A. the first security chip obtains the reading result collected by a voice collecting unit of the first security device, yielding the first sound information; or B. the first security chip receives, through the first communication interface, the reading result collected by the first call terminal, yielding the first sound information.
In addition, the length of the first authorization code is smaller than that of the first call key.
In addition, the first authorization code is used to uniquely identify the first call key.
The invention provides a data processing method for voice calls, comprising the following steps: a second security chip of a second security device receives, through a second communication interface of the second security device, first negotiation information sent by a second call terminal, where the first negotiation information is generated by a first security device of a first call terminal that is in a voice call with the second call terminal, and the second security device is connected to the second call terminal and is independent of the second call terminal; the second security chip generates second negotiation information and sends the second negotiation information to the second call terminal through the second communication interface; the second security chip performs a calculation on the first negotiation information and the second negotiation information to obtain a second call key, which is used to encrypt and decrypt the voice call of the user of the second call terminal; the second security device outputs a second authorization code, where the second authorization code is generated by the second security chip from the second call key; after receiving first encrypted data through the second communication interface, the second security chip decrypts the first encrypted data using the second call key to obtain first decrypted data; the second security device plays the first decrypted data, where the first encrypted data comprises the result, obtained by the first security device, of the authorization code being read aloud; after outputting the second authorization code and playing the first decrypted data, the second security device prompts the user to confirm the played first decrypted data against the second authorization code; and after the second security chip obtains a second confirmation instruction, the second security chip starts encrypting and decrypting the voice call of the user of the second call terminal using the second call key.
The invention provides a data processing method for voice calls, comprising the following steps: a second security chip of a second security device receives, through a second communication interface of the second security device, first negotiation information sent by a second call terminal, where the first negotiation information is generated by a first security device of a first call terminal that is in a voice call with the second call terminal, and the second security device is connected to the second call terminal and is independent of the second call terminal; the second security chip generates second negotiation information and sends the second negotiation information to the second call terminal through the second communication interface; the second security chip performs a calculation on the first negotiation information and the second negotiation information to obtain a second call key, which is used to encrypt and decrypt the voice call of the user of the second call terminal; after the second call key is obtained, the second security chip starts encrypting and decrypting the voice call of the user of the second call terminal using the second call key. After the second security chip starts encrypting and decrypting the voice call of the user of the second call terminal using the second call key, the method further comprises: the second security device receives an authentication trigger instruction for the user of the first call terminal; after receiving the authentication trigger instruction for the user of the first call terminal, the second security device outputs a second authorization code, where the second authorization code is generated by the second security chip from the second call key; after receiving first encrypted data through the second communication interface, the second security chip decrypts the first encrypted data using the second call key to obtain first decrypted data; the second security device plays the first decrypted data, where the first encrypted data comprises the result, obtained by the first security device, of the authorization code being read aloud; after outputting the second authorization code and playing the first decrypted data, the second security device prompts the user to confirm the played first decrypted data against the second authorization code; and after the second security chip obtains a second confirmation instruction, the second security chip continues encrypting and decrypting the voice call of the user of the second call terminal using the second call key.
In addition, the step in which the second security device prompts the user to confirm the played first decrypted data against the second authorization code includes: the second security device prompts the user to confirm whether the authorization code in the first decrypted data is consistent with the second authorization code and whether the sound characteristics of the voice reading the authorization code in the first decrypted data are consistent with those of the user of the first call terminal. The second confirmation instruction obtained by the second security chip is an instruction confirming that the authorization code in the first decrypted data is consistent with the second authorization code and that the sound characteristics of the voice reading the authorization code in the first decrypted data are consistent with those of the user of the first call terminal.
In addition, the second security device outputting the second authorization code includes: A. the second security device converts the second authorization code into sound information to obtain the sound information of the second authorization code, and plays the sound information of the second authorization code; or B. the second security device displays the second authorization code.
In addition, the method further comprises: after outputting the second authorization code, the second security device prompts the user to read the second authorization code aloud; the second security chip obtains the result of the user of the second call terminal reading the second authorization code aloud, yielding second sound information; and the second security chip encrypts the second sound information using the second call key to obtain second encrypted data, and sends the second encrypted data through the second communication interface.
In addition, the method further comprises: if the second security chip detects that the voice call of the user of the second call terminal has ended, the second security chip deletes the second call key.
In addition, the step in which the second security chip obtains the result of the user of the second call terminal reading the second authorization code aloud, yielding the second sound information, includes: A. the second security chip obtains the reading result collected by a voice collecting unit of the second security device, yielding the second sound information; or B. the second security chip receives, through the second communication interface, the reading result collected by the second call terminal, yielding the second sound information.
In addition, the length of the second authorization code is less than the length of the second call key.
In addition, the second authorization code is used to uniquely identify the second call key.
Compared with the prior-art approach of generating the call key on a TF card, the method provided by the embodiments of the invention generates the call key on a security device that is independent of the call terminal, which reduces the possibility of the voice encryption process being attacked by malicious software on the call terminal. The call key is generated by the security chip in the security device, and the high security of the security chip reduces the possibility that the call key is stolen and ensures the security of voice encryption. In addition, during voice encryption the call key is used for encryption inside the security chip, so the call key is invoked in a secure environment and its secure use is ensured.
In addition, during the encrypted voice call, the second security device plays the first decrypted data from the first call terminal and prompts the user to confirm the played first decrypted data against the second authorization code, which confirms the identity information of the first call terminal. The user can thus determine whether the call is being monitored, which improves the success rate of recognizing monitoring by a third party in the voice call and reduces the possibility that the voice call is monitored. When the user determines that a third party is monitoring the voice call, the user can promptly take anti-monitoring security measures to prevent information leakage, which improves the security of data transmission in the voice call.
Furthermore, the first decrypted data from the first call terminal is played on the second security device, which reduces attacks by malicious software on the second call terminal and ensures the security of the voice call.
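The negotiation and authorization-code comparison summarized above can be simulated as follows; this is an added example, not code from the patent. The text does not name the negotiation or derivation algorithms, so X25519 (RFC 7748, written out in pure Python), HMAC-SHA256, the six-digit code length and all class and function names are assumptions. The example covers key negotiation, code derivation and key deletion only, not voice capture or voice encryption.

```python
"""Added illustration: negotiation, authorization code, key deletion."""
import hashlib
import hmac
import secrets

# Assumption: X25519 (RFC 7748) stands in for the unspecified negotiation.
P = 2**255 - 19
A24 = 121665
BASE_POINT = (9).to_bytes(32, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder in pure Python (not constant-time)."""
    kb = bytearray(k)
    kb[0] &= 248
    kb[31] = (kb[31] & 127) | 64
    scalar = int.from_bytes(kb, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (scalar >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


class SecurityChip:
    """Hypothetical model of the security chip inside one security device."""

    def __init__(self) -> None:
        self._secret = secrets.token_bytes(32)  # stays inside the chip
        self.negotiation_info = x25519(self._secret, BASE_POINT)
        self._call_key = None

    def compute_call_key(self, peer_info: bytes) -> None:
        """Combine own and received negotiation information into a call key."""
        shared = x25519(self._secret, peer_info)
        if shared == bytes(32):
            raise ValueError("degenerate negotiation information rejected")
        # Sorting gives both ends the same transcript regardless of role.
        transcript = b"".join(sorted((self.negotiation_info, peer_info)))
        self._call_key = hmac.new(shared, b"call-key" + transcript,
                                  hashlib.sha256).digest()

    def authorization_code(self, digits: int = 6) -> str:
        """Short decimal code derived from, and shorter than, the call key."""
        if self._call_key is None:
            raise RuntimeError("no call key: not negotiated or call ended")
        mac = hmac.new(self._call_key, b"authorization-code",
                       hashlib.sha256).digest()
        return str(int.from_bytes(mac[:8], "big") % 10**digits).zfill(digits)

    def end_call(self) -> None:
        """Delete the call key when the voice call ends."""
        self._call_key = None


def codes_match(own_code: str, heard_code: str) -> bool:
    """The comparison the user makes against the code heard in the audio."""
    return hmac.compare_digest(own_code, heard_code)


def run_call(relay=lambda info: info):
    """Negotiate through `relay`, which models the terminals and network.

    Returns (codes_agree, first_code, second_code).
    """
    first, second = SecurityChip(), SecurityChip()
    second.compute_call_key(relay(first.negotiation_info))
    first.compute_call_key(relay(second.negotiation_info))
    c1, c2 = first.authorization_code(), second.authorization_code()
    first.end_call()
    second.end_call()
    return codes_match(c1, c2), c1, c2


def substituting_relay():
    """Constructed path on which a third party swaps in its own information."""
    third = SecurityChip()
    return lambda _info: third.negotiation_info


if __name__ == "__main__":
    print("untampered path:", run_call())
    print("substituted negotiation information:", run_call(substituting_relay()))
```

With six digits, two unrelated call keys show the same code with probability of about one in a million, which is the cost of making the code short enough to read aloud.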
Drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed for describing the embodiments are briefly introduced below. The drawings in the following description show only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart illustrating a voice data processing method according to an embodiment of the present invention;
Fig. 2 is a flowchart of a method for implementing data processing in a voice call by a first security device according to the present invention;
Fig. 3 is a flowchart of another method for implementing data processing in a voice call by a first security device according to the present invention;
Fig. 4 is a flowchart of a method for processing data in a voice call by a second security device according to the present invention;
Fig. 5 is a flowchart of another method for processing data in a voice call by a second security device according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention are clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without making any creative effort, shall fall within the protection scope of the present invention.
Embodiments of the present invention will be described in further detail below with reference to the accompanying drawings.
Fig. 1 is a flowchart illustrating a data processing method for voice call according to an embodiment of the present invention. The embodiment of the method shown in fig. 1 comprises:
Step 01: the first security device and the second security device each generate and send negotiation information:
Step 011: a first security chip of a first security device generates first negotiation information and sends the first negotiation information to a first call terminal through a first communication interface of the first security device, where the first negotiation information includes parameter information for generating a first call key, the first call key is used to encrypt and decrypt the voice call of the user of the first call terminal, and the first security device is connected to the first call terminal and is independent of the first call terminal;
The first security device may be a wearable device such as smart glasses, a smart watch or an earphone device, or may be integrated in such a wearable device. The first security device may also be a smart key device capable of communicating with the call terminal, such as a USB Key smart key device with a USB interface, a smart key device supporting an audio interface, or a smart key device with a Bluetooth communication function, or may be integrated in a smart key device capable of communicating with the call terminal. That is, the first security device is a device separate from the first call terminal and is not integrated in the first call terminal.
The first communication interface may be a wireless connection interface or a wired connection interface. If the first communication interface is a wireless connection interface, a wireless communication module, which may be a Wi-Fi module, a Wi-Fi Direct module, an NFC module, a Bluetooth module or an infrared module, is provided in the first security device; for example, the first security device is a Bluetooth headset. If the first communication interface is a wired connection interface, the first security device may have a data transmission line whose interface may be an audio interface or a USB interface; for example, the first security device is a wired headset with in-line controls. The first security device may also support both wireless and wired connection, that is, it has a wireless communication module inside and an external data transmission line.
If the first security device has a built-in wireless communication module, it can connect to the first call terminal wirelessly; if the first communication interface is a wired connection interface, the first security device can connect to the first call terminal by wire.
The first call terminal is a terminal with voice call capability, and may be a traditional communication device, such as a fixed-line phone or a mobile phone, or a terminal with an Internet telephony function, such as a PC, a notebook computer or a tablet computer.
Compared with the prior art, in which the first call terminal performs key negotiation, the first negotiation information is generated by the first security chip in the first security device, and the negotiation is completed by the first security device, which is independent of the first call terminal. This reduces the possibility that the key negotiation is attacked by malicious software on the first call terminal, and generating the first negotiation information in the first security chip of the first security device is safer and more reliable.
After generating the first negotiation information, the first security chip sends the first negotiation information to the first call terminal through the first communication interface, and the first call terminal sends the first negotiation information to the second call terminal through the communication network.
Step 012, a second security chip of the second security device generates second negotiation information, and sends the second negotiation information to the second communication terminal through a second communication interface of the second security device, where the second negotiation information includes parameter information used to generate a second communication key, the second communication key is used to encrypt and decrypt a voice call of a user of the second communication terminal, and the second security device is connected to the second communication terminal and is independent of the second communication terminal;
and after generating second negotiation information, the second security chip sends the second negotiation information to the second communication terminal through the second communication interface, and the second communication terminal sends the second negotiation information to the first communication terminal through the communication network.
The second security device may be a wearable device such as smart glasses, a smart watch or an earphone device, or may be integrated in such a wearable device. The second security device may also be an intelligent key device capable of communicating with the call terminal, such as a USB Key with a USB interface, an intelligent key device supporting an audio interface, an intelligent key device with a Bluetooth communication function, or an intelligent key device integrated with the call terminal. That is, the second security device is a separate device from the second call terminal and is not integrated in the second call terminal.
The second communication interface may be a wireless connection interface or a wired connection interface. If the second communication interface is a wireless connection interface, the second security device contains a wireless communication module, which can be a Wi-Fi module, a Wi-Fi Direct module, an NFC module, a Bluetooth module or an infrared module; for example, the second security device is a Bluetooth headset. If the second communication interface is a wired connection interface, the second security device may have a data transmission line whose interface may be an audio interface or a USB interface; for example, the second security device is a line control earphone. The second security device may also support both wireless and wired connection, that is, it contains a wireless communication module and is also externally connected with a data transmission line.
If the second security device contains a wireless communication module, the second security device can be connected with the second communication terminal through a wireless connection; if the second communication interface is a wired connection interface, the second security device may be connected to the second communication terminal through a wired connection.
The second communication terminal is a terminal with voice communication capability, and may be a traditional communication device, such as a fixed phone and a mobile phone, or a terminal with a network telephone function, such as a PC, a notebook computer, a tablet computer, and the like.
Compared with the prior art, the second negotiation information is generated by the second security chip in the second security device, and the second security device, which is independent of the second communication terminal, is used to complete the negotiation. This reduces the possibility that the key negotiation operation is attacked by malicious software in the second communication terminal, so the second negotiation information generated by the second security chip in the second security device is safer and more reliable.
Step 011 and step 012 need not be executed in any particular order; they can be executed simultaneously or one after the other.
Step 02: the first security chip and the second security chip both receive negotiation information and generate a call key:
Step 021, the first security chip receives, through the first communication interface, the second negotiation information sent by the first call terminal, and performs a calculation on the first negotiation information and the second negotiation information to obtain a first call key.
The first call terminal sends the second negotiation information to the first security chip through the first communication interface after receiving the second negotiation information sent by the second call terminal.
Step 022, the second security chip receives, through the second communication interface, the first negotiation information sent by the second communication terminal, and performs a calculation on the first negotiation information and the second negotiation information to obtain a second communication key.
The second communication terminal sends the first negotiation information to the second security chip through the second communication interface after receiving the first negotiation information sent by the first communication terminal.
The operation of sending the first negotiation information in step 011 and the operation of receiving the second negotiation information in step 021 need not be executed in any particular order; they can be executed simultaneously or one after the other. Similarly, the operation of sending the second negotiation information in step 012 and the operation of receiving the first negotiation information in step 022 need not be executed in any particular order, and may be executed simultaneously or one after the other.
The specific content of the parameter information in the first negotiation information and the second negotiation information may be set by referring to a key negotiation algorithm in the prior art, for example, the key negotiation algorithm ZRTP.
The first call key and the second call key may be calculated by referring to the calculation manner of a key agreement algorithm in the prior art, for example, ZRTP. The first call key can be stored in the first security chip to ensure the storage security of the first call key; similarly, the second communication key may be stored in the second security chip to ensure the storage security of the second communication key.
Provided that no third person is monitoring between the first communication terminal and the second communication terminal, the first communication key and the second communication key are the same. Conversely, when a third person is monitoring between the first call terminal and the second call terminal, the first call key used by the user of the first call terminal is different from the second call key used by the user of the second call terminal. The first and second call keys are different because the first call key is obtained by negotiation between the first call terminal and the call terminal of the third person, and the second call key is obtained by negotiation between the second call terminal and the call terminal of the third person, rather than by direct negotiation between the first call terminal and the second call terminal.
Step 021 and step 022 need not be executed in any particular order; they can be executed simultaneously or one after the other.
Step 03: the first security device and the second security device both output authorization codes and send the encrypted reading results:
Step 031, the first security device outputs a first authorization code, which is generated by the first security chip according to the first call key, and prompts the user to read the first authorization code aloud; the first security chip obtains the result of the user of the first communication terminal reading the first authorization code aloud, giving first sound information; the first security chip encrypts the first sound information by using the first call key to obtain first encrypted data, and sends the first encrypted data through the first communication interface.
After the first security chip sends the first encrypted data through the first communication interface, the first communication terminal receives the first encrypted data through the first communication interface and sends the first encrypted data to the second communication terminal through the communication network.
Step 032, the second security device outputs a second authorization code, where the second authorization code is generated by the second security chip according to the second communication key; prompting to read the second authorization code; the second security chip obtains a reading result of a user of the second communication terminal on the second authorization code to obtain second sound information; and the second security chip encrypts the second sound information by using the second communication key to obtain second encrypted data, and sends the second encrypted data through the second communication interface.
After the second security chip sends the second encrypted data through the second communication interface, the second communication terminal receives the second encrypted data through the second communication interface and sends the second encrypted data to the first communication terminal through the communication network.
The implementation of step 031 is explained here as an example.
After the first security chip in the first security device obtains the first call key, the first call key may be used to ensure the security of the voice call between the first security device and the second security device, which is equivalent to establishing a voice encryption channel between the first security device and the second security device on top of the voice call in the prior art.
The voice encryption channel provided by the invention is a channel established between the first security device and the second security device; that is, seen from the first security device, the voice encryption channel passes in turn through the first security device, the first communication device, the second communication device and the second security device. Because the voice encryption channel is established between the security devices, the first communication terminal and the second communication terminal serve to transmit data throughout the whole process from the establishment of the call to its termination, which reduces the possibility of malicious software attack on the communication terminals and improves the security of data transmission.
The first security device outputs the first authorization code in one of the following ways: A. the first security device converts the first authorization code into sound information to obtain the sound information of the first authorization code, and plays the sound information of the first authorization code; or B. the first security device displays the first authorization code.
Specifically, the first authorization code may be played by a playing unit of the first security device, for example, a speaker or a loudspeaker, or displayed by a display unit of the first security device, as follows:
In a first mode, the first security chip sends the digital signal of the first authorization code to the voice conversion unit of the first security device, the voice conversion unit converts the digital signal of the first authorization code into sound information to obtain sound information of the first authorization code, and sends the sound information of the first authorization code to the playing unit of the first security device, and the playing unit plays the sound information of the first authorization code.
In the first mode, the information of the first authorization code is converted to obtain the sound information of the first authorization code, and the purpose of outputting the first authorization code is achieved by playing the sound information of the first authorization code.
In a second mode, the first security chip sends the digital signal of the first authorization code to the display unit of the first security device, and the display unit displays the first authorization code.
In the second mode, the purpose of outputting the first authorization code is achieved by displaying the first authorization code.
The prompt to read the first authorization code aloud may be output together with the first authorization code, for example, "please read the authorization code XXX", where XXX represents the content of the first authorization code. The output may be played or displayed.
Of course, the prompt to read the first authorization code aloud may also be output separately from the first authorization code. For example, "please read aloud the authorization code" is output first and "authorization code XXX" is output afterwards, or "authorization code XXX" is output first and "please read aloud the authorization code" is output afterwards. Each of the two pieces of information may be played or displayed, and the two may use the same output mode or different ones.
The first authorization code and the information for prompting to read the information of the first authorization code may also be output through the first communication terminal, for example, output in a display manner, or output in a play manner.
Compared with the mode of outputting the first authorization code and the information used for prompting to read the information of the first authorization code on the first call terminal, the mode of outputting the first authorization code and the information used for prompting to read the information of the first authorization code through the first safety device can reduce the possibility of malicious software attack on the first call terminal and improve the safety of data transmission.
When the user is prompted to read aloud, the content read is the first authorization code and not the first call key, which reduces the possibility that a lawbreaker steals the first call key while the user is reading. In addition, the first authorization code is generated according to the first call key and can uniquely identify the first call key, so the two communicating parties can determine whether the call keys they are using are consistent by comparing whether the contents of their authorization codes are consistent. Because the first call key has a large number of bits, it is processed into the first authorization code so that the first authorization code is shorter than the first call key, which reduces the content the user has to read and makes the operation easier.
The first security chip can obtain the result of the user of the first communication terminal reading the first authorization code aloud, giving the first sound information, in either of the following two ways:
In mode A, the first security chip receives, through the first communication interface, the reading result of the first authorization code collected by the first call terminal from the user of the first call terminal, and so obtains the first sound information.
In mode A, the existing microphone of the first communication terminal is used to collect the reading result. This is convenient to implement, the reading result can be obtained without modifying the hardware of the first security device, and the hardware cost of the first security device is reduced.
In mode B, the first security chip acquires the reading result of the first authorization code collected by the voice acquisition unit of the first security device from the user of the first communication terminal, and so obtains the first sound information.
In mode B, the voice acquisition unit may be a microphone. Collecting the reading result of the first authorization code with the voice acquisition unit on the first security device can reduce the possibility of malicious software attack on the first communication terminal and guarantees the security of data collection. For example, when the first security device is a Bluetooth headset, the reading result may be directly collected by using the microphone of the Bluetooth headset.
Collecting the sound of the user reading the first authorization code to obtain the first sound information actually collects two parts of information: one part is the content of the first authorization code output by the first security device, and the other part is the sound characteristic of the user reading the first authorization code.
The sound characteristic in the first sound information is the sound characteristic of the user of the first call terminal directly reading the first authorization code aloud, and it identifies the content of the first authorization code in the first sound information as originating from the user of the first call terminal; the sound characteristic is not obtained by voice simulation software imitating the voice of the user of the first call terminal.
Because the sound characteristics simulated by voice simulation software differ from the sound characteristics obtained when the user reads directly, when the two are played the listener can tell from the personalized information they carry, such as tone and the like, whether the sound is the voice of the real user of the first communication terminal, and can thereby identify whether the sound information carrying the authorization code comes from the first communication terminal.
The first security device processes the first sound information into the first encrypted data as follows:
The voice acquisition unit of the first security device sends the first sound information to the voice conversion unit of the first security device, the voice conversion unit processes the first sound information into a digital signal to obtain data to be verified, the data to be verified is sent to the first security chip, the first security chip encrypts the data to be verified by using the first call key to obtain the first encrypted data, and the first encrypted data is sent through the first communication interface.
The voice conversion unit is used for converting the analog signal into a digital signal, so that the first sound information can be transmitted in the voice encryption channel. The voice acquisition unit and the voice conversion unit can be integrated in the first security device, and can also be different physical units.
Of course, if the communication network between the first and second call terminals supports direct transmission of the analog signal, the operation of converting the analog signal into the digital signal need not be performed in the process of processing the first sound information into the first encrypted data.
In addition, the implementation manner of each step performed by the second security device in step 032 is similar to that of each step performed by the first security device in step 031, and is not described herein again.
Provided that the first call terminal and the second call terminal are not monitored by a third person, the first authorization code and the second authorization code are the same. Conversely, when a third person is monitoring between the first call terminal and the second call terminal, the first call key used by the user of the first call terminal is different from the second call key used by the user of the second call terminal, so the first authorization code generated according to the first call key is different from the second authorization code generated according to the second call key. The user can judge whether a third person is monitoring by comparing the content of the first authorization code with the content of the second authorization code.
Step 031 and step 032 need not be executed in any particular order; they may be executed simultaneously or one after the other.
Step 04, the first security device and the second security device prompt for confirmation of the reading result of the authorization code:
Step 041, after receiving the second encrypted data through the first communication interface, the first security chip decrypts the second encrypted data by using the first call key to obtain second decrypted data; the first security device plays the second decrypted data and prompts for confirmation of the played second decrypted data.
The first security device prompting for confirmation of the played second decrypted data includes:
The first security device prompts for confirmation of whether the authorization code in the second decrypted data is consistent with the first authorization code, and of whether the sound characteristic of the reading of the authorization code in the second decrypted data is consistent with the sound characteristic of the user of the second communication terminal.
The first communication terminal sends the second encrypted data to the first security chip through the first communication interface after receiving the second encrypted data sent by the second communication terminal.
The first security chip may acquire the second encrypted data in either of two ways: the second encrypted data is received before the user of the first communication terminal and the user of the second communication terminal carry out voice communication; or the second encrypted data is received while the user of the first call terminal and the user of the second call terminal are carrying out the voice call.
Because there are two ways for the first security chip to acquire the second encrypted data, there are the following three ways for the first security device to prompt for confirmation of whether the authorization code in the second decrypted data is consistent with the first authorization code and whether the sound characteristic of the reading of the authorization code in the second decrypted data is consistent with the sound characteristic of the user of the second communication terminal:
First, after the second encrypted data is received before the user of the first communication terminal and the user of the second communication terminal perform voice communication, the first security device prompts, before the user of the first communication terminal and the user of the second communication terminal perform voice communication, for confirmation of whether the authorization code in the second decrypted data is consistent with the first authorization code and whether the sound characteristic of the reading of the authorization code in the second decrypted data is consistent with the sound characteristic of the user of the second communication terminal;
Second, after the second encrypted data is received before the user of the first communication terminal and the user of the second communication terminal perform voice communication, the first security device prompts, while the user of the first communication terminal and the user of the second communication terminal are performing voice communication, for confirmation of whether the authorization code in the second decrypted data is consistent with the first authorization code and whether the sound characteristic of the reading of the authorization code in the second decrypted data is consistent with the sound characteristic of the user of the second communication terminal;
Third, after the second encrypted data is received while the user of the first communication terminal and the user of the second communication terminal are performing voice communication, the first security device prompts, while that voice communication is in progress, for confirmation of whether the authorization code in the second decrypted data is consistent with the first authorization code and whether the sound characteristic of the reading of the authorization code in the second decrypted data is consistent with the sound characteristic of the user of the second communication terminal.
Step 042, after receiving the first encrypted data through the second communication interface, the second security chip decrypts the first encrypted data by using the second communication key to obtain first decrypted data; the second security device plays the first decrypted data; after the second security chip outputs the second authorization code and the first decrypted data has been played, the second security device prompts for confirmation of the played first decrypted data.
The second security device prompting for confirmation of the played first decrypted data includes:
The second security device prompts for confirmation of whether the authorization code in the first decrypted data is consistent with the second authorization code, and of whether the sound characteristic of the reading of the authorization code in the first decrypted data is consistent with the sound characteristic of the user of the first communication terminal.
The second communication terminal sends the first encrypted data to the second security chip through the second communication interface after receiving the first encrypted data sent by the first communication terminal.
The second encrypted data can be received before the user of the first communication terminal and the user of the second communication terminal carry out voice communication; or the receiving is carried out in the process of carrying out voice call between the user of the first call terminal and the user of the second call terminal.
Because there are two ways for the second security chip to acquire the first encrypted data, there are three ways for the second security device to prompt for confirmation of whether the authorization code in the first decrypted data is consistent with the second authorization code and whether the sound characteristic of the reading of the authorization code in the first decrypted data is consistent with the sound characteristic of the user of the first communication terminal:
First, after the first encrypted data is received before the user of the first communication terminal and the user of the second communication terminal perform voice communication, the second security device prompts, before the user of the first communication terminal and the user of the second communication terminal perform voice communication, for confirmation of whether the authorization code in the first decrypted data is consistent with the second authorization code and whether the sound characteristic of the reading of the authorization code in the first decrypted data is consistent with the sound characteristic of the user of the first communication terminal;
Second, after the first encrypted data is received before the user of the first communication terminal and the user of the second communication terminal perform voice communication, the second security device prompts, while the user of the first communication terminal and the user of the second communication terminal are performing voice communication, for confirmation of whether the authorization code in the first decrypted data is consistent with the second authorization code and whether the sound characteristic of the reading of the authorization code in the first decrypted data is consistent with the sound characteristic of the user of the first communication terminal;
Third, after the first encrypted data is received while the user of the first call terminal and the user of the second call terminal are carrying out the voice call, the second security device prompts, while that voice call is in progress, for confirmation of whether the authorization code in the first decrypted data is consistent with the second authorization code and whether the sound characteristic of the reading of the authorization code in the first decrypted data is consistent with the sound characteristic of the user of the first call terminal.
The implementation of step 041 is described here as an example.
The first security chip can decrypt the second encrypted data by using the first call key and obtain the second decrypted data because, when no third person is monitoring between the first call terminal and the second call terminal, the first call key and the second call key are the same, so a result encrypted with the second call key can be successfully decrypted with the first call key.
However, although the first call key may be used to successfully decrypt a result encrypted with the second call key, this does not establish whether a third person is monitoring between the first call terminal and the second call terminal. When a third person is monitoring, the first call key negotiated between the first call terminal and the third person's call terminal is different from the second call key negotiated between the second call terminal and the third person's call terminal. The third person can decrypt the data sent by the first communication terminal by using the first communication key, then encrypt the data by using the second communication key and send it to the second communication terminal. The second communication terminal can still successfully decrypt the received encrypted data by using the second communication key, even though the third person is monitoring between the first communication terminal and the second communication terminal. Whether a third person is monitoring therefore cannot be judged from whether the received encrypted data is successfully decrypted.
To overcome this technical defect, the concept of an authorization code is introduced: the authorization code is read aloud, the reading result is obtained, and the reading result is sent in order to determine whether a third person is monitoring. Specific implementation details are described in step 05 below.
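The following Python example reproduces the two cases just described: a direct negotiation, and a third person who negotiates a separate key with each side, so that decryption still succeeds while the authorization codes no longer agree. It is an added example, not code from the patent. The Diffie-Hellman parameters, the truncated-HMAC derivation of a six-digit authorization code and the hash-based cipher are assumptions standing in for a ZRTP-style negotiation and the chips' real algorithms, and the reading is modeled as text, so sound characteristics are not represented.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters, assumed for illustration only (not a vetted group).
P = 2**255 - 19
G = 2


class SecurityChip:
    """Models a security chip: the private value and call key never leave it."""

    def __init__(self):
        self._priv = secrets.randbelow(P - 3) + 2
        self._key = None

    def negotiation_info(self):
        # Parameter information handed to the call terminal for relaying.
        return pow(G, self._priv, P)

    def derive_call_key(self, peer_info):
        shared = pow(peer_info, self._priv, P)
        self._key = hashlib.sha256(shared.to_bytes(32, "big")).digest()

    def authorization_code(self):
        # Short code bound to the call key (assumed derivation: truncated HMAC).
        mac = hmac.new(self._key, b"authorization-code", hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"

    def _keystream(self, nonce, length):
        out, counter = b"", 0
        while len(out) < length:
            block = self._key + nonce + counter.to_bytes(4, "big")
            out += hashlib.sha256(block).digest()
            counter += 1
        return out[:length]

    def encrypt(self, data):
        # Stand-in cipher (assumption): hash-based keystream plus an HMAC tag.
        nonce = secrets.token_bytes(16)
        ct = bytes(x ^ y for x, y in zip(data, self._keystream(nonce, len(data))))
        tag = hmac.new(self._key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def decrypt(self, blob):
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # wrong key or modified data
        return bytes(x ^ y for x, y in zip(ct, self._keystream(nonce, len(ct))))


def run_call(intercepted):
    """Run the exchange in one direction; report what the second user observes."""
    first, second = SecurityChip(), SecurityChip()
    if intercepted:
        # The third person negotiates separately with each side.
        toward_first, toward_second = SecurityChip(), SecurityChip()
        first.derive_call_key(toward_first.negotiation_info())
        toward_first.derive_call_key(first.negotiation_info())
        second.derive_call_key(toward_second.negotiation_info())
        toward_second.derive_call_key(second.negotiation_info())
    else:
        first.derive_call_key(second.negotiation_info())
        second.derive_call_key(first.negotiation_info())

    # The first user reads the first authorization code aloud (modeled as text).
    reading = ("authorization code " + first.authorization_code()).encode()
    blob = first.encrypt(reading)
    if intercepted:
        # Decrypted with the key shared with the first side, re-encrypted for the second.
        blob = toward_second.encrypt(toward_first.decrypt(blob))

    heard = second.decrypt(blob)
    return {
        "decrypted_ok": heard is not None,
        "heard_code": heard.decode().split()[-1] if heard is not None else None,
        "own_code": second.authorization_code(),
    }


if __name__ == "__main__":
    for label, flag in (("direct", False), ("intercepted", True)):
        result = run_call(flag)
        print(label, result, "codes match:", result["heard_code"] == result["own_code"])
```

In both runs `decrypted_ok` is true; only the comparison of the code heard with the code output locally separates the two cases.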
The first security device processes the second encrypted data into second decrypted data and plays the second decrypted data in the following manner:
If the second encrypted data is a digital signal, the first security chip decrypts the second encrypted data by using the first call key to obtain second decrypted data; the first security chip sends the second decrypted data to the voice conversion unit of the first security device, the voice conversion unit converts the second decrypted data into sound information to obtain a conversion result of the second decrypted data, the conversion result is sent to the playing unit of the first security device, and the playing unit plays the conversion result of the second decrypted data;
If the second encrypted data is an analog signal, the first security chip decrypts the second encrypted data by using the first call key to obtain second decrypted data, and sends the second decrypted data to the playing unit of the first security device, and the playing unit plays the second decrypted data.
The operation of playing the second decrypted data in step 041 and the operation of outputting the first authorization code in step 031 need not be executed in any particular order; they may be executed simultaneously or one after the other.
The second decrypted data may also be played by a playing unit of the first communication terminal, such as a speaker and a loudspeaker.
Compared with playing the second decrypted data on the first call terminal, playing the second decrypted data through the first security device can reduce the possibility of malicious software attack on the call terminal and improve the security of data transmission.
The first security device displays or plays the prompt message to prompt whether the authorization code in the second decrypted data is consistent with the first authorization code or not, and whether the sound characteristic of the reading authorization code in the second decrypted data is consistent with the sound characteristic of the user of the second communication terminal or not. For example, the display of the first security device displays the prompt message, and the playing unit of the first security device plays the prompt message. Of course, the first call terminal may also display the prompt message or play the prompt message.
Compared with the mode of displaying or playing the prompt message on the first call terminal, the mode of displaying or playing the prompt message through the first safety equipment can reduce the possibility of malicious software attack on the call terminal and improve the safety of data transmission.
In this embodiment, the second decrypted data is output to the user in a playing manner because the second decrypted data includes two parts of information, one part is specific content representing the authorization code generated by the second security device of the second communication terminal, and the other part is sound characteristic representing the user of the second communication terminal, the two parts of information can be directly obtained by the user of the first communication terminal by playing the second decrypted data, and further, the user of the first communication terminal can confirm the authenticity of the content carried in the second decrypted data by judging whether the authorization code in the second decrypted data is consistent with the first authorization code on one hand, and can confirm the legitimacy of the source of the second decrypted data by judging whether the sound characteristic of the reading authorization code in the second decrypted data is consistent with the sound characteristic of the user of the second communication terminal on the other hand, that is, it is possible to judge whether or not the third person exists.
If the manner of playing the second decrypted data is replaced with the manner of displaying the second decrypted data, after the user of the first communication terminal receives the second decrypted data, the authenticity of the content carried in the second decrypted data can be confirmed only by judging whether the authorization code in the second decrypted data is consistent with the first authorization code, but the source validity of the second decrypted data cannot be confirmed, that is, whether a third person exists cannot be judged.
On the premise that third person monitoring does not exist in the first call terminal and the second call terminal, the first authorization code and the second authorization code are the same, the first authorization code can uniquely identify the first call key, and the second authorization code can uniquely identify the second call key.
In addition, the implementation of each step performed by the second security device in step 042 is similar to that of each step performed by the first security device in step 041, and is not described here again.
There is no fixed order between step 041 and step 042; they may be executed simultaneously or one after the other.
Step 05: the first security chip and the second security chip both prompt the confirmation of the authorization code content and the sound characteristic in the received encrypted data:
Step 051: the first security chip encrypts and decrypts the voice call of the user of the first call terminal in one of the following two modes:
A: after prompting to confirm whether the authorization code in the second decrypted data is consistent with the first authorization code and whether the sound characteristic of the voice reading the authorization code in the second decrypted data is consistent with the sound characteristic of the user of the second communication terminal, if the first security chip receives a first confirmation instruction, the first security chip starts to perform encryption and decryption operations on the voice call of the user of the first communication terminal by using the first call key, wherein the first confirmation instruction is an instruction confirming that the authorization code in the second decrypted data is consistent with the first authorization code and that the sound characteristic of the voice reading the authorization code in the second decrypted data is consistent with the sound characteristic of the user of the second communication terminal;
the encryption and decryption operation of the voice call of the user of the first call terminal by using the first call key can be started when the voice call of the user of the first call terminal and the user of the second call terminal is started, and can also be started in the process of the voice call of the user of the first call terminal and the user of the second call terminal.
B: after the encryption and decryption operation of the voice call of the user of the first call terminal by using the first call key is started, if the first security chip receives a first confirmation instruction, the first security chip continues the encryption and decryption operation of the voice call of the user of the first call terminal by using the first call key, wherein the first confirmation instruction is an instruction for confirming that an authorization code in the second decrypted data is consistent with the first authorization code and sound characteristics of a reading authorization code in the second decrypted data are consistent with sound characteristics of the user of the second call terminal;
Fig. 1 shows only the implementation of mode A in step 051. The implementation of mode B is similar, except for when the first confirmation instruction is received: in mode A the first security chip receives it before the encryption and decryption operation on the voice call is started, and in mode B it receives it after that operation is started. The first confirmation instruction can be obtained in the following ways:
First, the first security device receives a first confirmation instruction input by the user of the first call terminal, where the first confirmation instruction is an instruction input by the user of the first call terminal after confirming that the authorization code in the second decrypted data is consistent with the first authorization code, and that the sound characteristic of the voice reading the authorization code in the second decrypted data is consistent with the sound characteristic of the user of the second call terminal.
The user of the first call terminal can input the instruction on the first call terminal or on the first security device. Inputting the instruction on the first security device reduces exposure to attack by malicious software on the first call terminal and ensures the security of the voice call.
Secondly, after receiving a second confirmation instruction sent by a second communication terminal, obtaining a first confirmation instruction according to the second confirmation instruction;
the second confirmation instruction is an instruction input by the user of the second call terminal after confirming that the received authorization code is consistent with the locally generated authorization code and the sound characteristic of the reading authorization code is consistent with the sound characteristic of the user of the first call terminal.
When the user of the first communication terminal trusts the user of the second communication terminal, if the user of the second communication terminal confirms that the authorization code received from the first communication terminal is consistent with the authorization code generated by the second security device and that the sound characteristic of the voice reading the authorization code is consistent with the sound characteristic of the user of the first communication terminal, the user of the first communication terminal can know that the authorization code in the second decrypted data is consistent with the first authorization code and that the sound characteristic of the voice reading the authorization code in the second decrypted data is consistent with the sound characteristic of the user of the second communication terminal, that is, the first confirmation instruction is obtained.
Step 052: the second security chip encrypts and decrypts the voice call of the user of the second communication terminal in one of the following two modes:
A: after prompting to confirm whether the authorization code in the first decrypted data is consistent with the second authorization code and whether the sound characteristic of the voice reading the authorization code in the first decrypted data is consistent with the sound characteristic of the user of the first communication terminal, if the second security chip receives a second confirmation instruction, the second security chip starts to encrypt and decrypt the voice call of the user of the second communication terminal by using the second call key. The encryption and decryption operation on the voice call of the user of the second communication terminal by using the second call key can be started when the user of the first communication terminal and the user of the second communication terminal start the voice call, and can also be started during the voice call between the user of the first communication terminal and the user of the second communication terminal.
B: after the encryption and decryption operation of the voice call of the user of the second communication terminal by using the second communication key is started, if the second security chip receives a second confirmation instruction, the second security chip continues the encryption and decryption operation of the voice call of the user of the second communication terminal by using the second communication key, wherein the second confirmation instruction is an instruction for confirming that the authorization code in the first decrypted data is consistent with the second authorization code and the sound characteristic of the reading authorization code in the first decrypted data is consistent with the sound characteristic of the user of the first communication terminal.
Fig. 1 shows only the implementation of mode A in step 052. The implementation of mode B is similar, except for when the second confirmation instruction is received: in mode A the second security chip receives it before the encryption and decryption operation on the voice call is started, and in mode B it receives it after that operation is started.
The second confirmation instruction may be obtained in the following ways:
First, the second security device receives a second confirmation instruction input by the user of the second communication terminal, where the second confirmation instruction is an instruction input by the user of the second communication terminal after confirming that the authorization code in the first decrypted data is consistent with the second authorization code, and that the sound characteristic of the voice reading the authorization code in the first decrypted data is consistent with the sound characteristic of the user of the first communication terminal.
The user of the second communication terminal can input the instruction on the second communication terminal or on the second security device. Inputting the instruction on the second security device reduces exposure to attack by malicious software on the second communication terminal and ensures the security of the voice call.
Secondly, after receiving a first confirmation instruction sent by the first call terminal, obtaining a second confirmation instruction according to the first confirmation instruction;
the first confirmation instruction is an instruction input by the user of the first communication terminal after confirming that the received authorization code is consistent with the locally generated authorization code and the sound characteristic of the reading authorization code is consistent with the sound characteristic of the user of the second communication terminal.
When the user of the second communication terminal trusts the user of the first communication terminal, if the user of the first communication terminal confirms that the authorization code received from the second communication terminal is consistent with the authorization code generated by the first security device and the sound characteristic of the reading authorization code is consistent with the sound characteristic of the user of the second communication terminal, the user of the second communication terminal can know that the authorization code in the first decrypted data is consistent with the second authorization code and the sound characteristic of the reading authorization code in the first decrypted data is consistent with the sound characteristic of the user of the first communication terminal, that is, the second confirmation instruction is obtained.
Here, the implementation of step 051 is taken as an example to explain:
Unlike the prior art, in which the first call terminal encrypts using the first call key, the entity that performs the encryption operation in the present invention is the first security chip. Because the first security chip encrypts the voice call, the possibility of attack by malicious software on the first call terminal is reduced and the security of data transmission is improved.
The first security chip encrypts the collected voice information by using the first call key that it generated itself, which improves the security of the call. Specifically:
(1) The entity that executes the voice encryption is the first security chip, and the first security chip is arranged in the first security device, which is independent of the first call terminal, so the possibility of being attacked by malicious software on the first call terminal during voice encryption is reduced; in addition, compared with the processor of the earphone in the prior art, the entity that encrypts the voice in the first security device is the first security chip, and the encryption and decryption of the voice are completed inside the first security chip, so that only the encryption result and the decryption result are output and the opportunity for the data to be cracked is avoided.
(2) The first call key used for voice encryption is generated by the first security chip and stored inside the first security chip, which reduces the possibility that the first call key is stolen and ensures the security of the voice encryption; in addition, during voice encryption the first call key is used inside the first security chip, so it is invoked in a secure environment and its secure use is ensured.
(3) The object to be encrypted is collected by a voice collection unit of the first security device. Voice collection is carried out by the first security device, and because the first security device is independent of the first call terminal, the possibility of being attacked by malicious software on the first call terminal during voice collection is reduced.
Therefore, when voice encryption is performed, the whole encryption operation is completed by the first security device without interaction with external devices, which ensures the security of the encryption operation.
Of course, the voice encrypted by the first security device may also be collected by the voice collecting unit of the first communication terminal, and the collected voice is obtained through the first communication interface. The voice collecting unit of the first communication terminal can be a microphone.
In addition, the implementation manner of each step performed by the second security device in step 052 is similar to that of each step performed by the first security device in step 051, and is not described herein again.
There is no fixed order between step 051 and step 052; they may be executed simultaneously or one after the other.
Since there is no fixed order between step 051 and step 052, the following different application scenarios may occur in practice:
c1: when the first safety device confirms that the authorization code in the second decrypted data is consistent with the first authorization code and the sound characteristic of the reading authorization code in the second decrypted data is consistent with the sound characteristic of the user of the second communication terminal, a first confirmation instruction is obtained, and the voice call of the user of the first communication terminal is started to be encrypted and decrypted according to the first confirmation instruction; when the second security device confirms that the authorization code in the first decrypted data is consistent with the second authorization code and the sound characteristic of the reading authorization code in the first decrypted data is consistent with the sound characteristic of the user of the first communication terminal, a second confirmation instruction is obtained, and the voice communication of the user of the second communication terminal is started to be encrypted and decrypted according to the second confirmation instruction;
c2: when the second security device confirms that the authorization code in the first decrypted data is consistent with the second authorization code and the sound characteristic of the reading authorization code in the first decrypted data is consistent with the sound characteristic of the user of the first communication terminal, a second confirmation instruction is obtained, the encryption and decryption operation of the voice communication of the user of the second communication terminal is started according to the second confirmation instruction, and the second confirmation instruction is sent to the first security device; after receiving the second confirmation instruction, the first safety equipment obtains a first confirmation instruction according to the second confirmation instruction, and starts encryption and decryption operations on the voice call of the user of the first call terminal according to the first confirmation instruction;
c3: after the first security device obtains the first call key, starting encryption and decryption operations on the voice call of the user of the first call terminal; after the voice call of the user of the first call terminal is started to be encrypted and decrypted, when the authorization code in the second decrypted data is prompted and confirmed to be consistent with the first authorization code, and the sound characteristic of the reading authorization code in the second decrypted data is consistent with the sound characteristic of the user of the second call terminal, a first confirmation instruction is obtained, and the voice call of the user of the first call terminal is continuously encrypted and decrypted according to the first confirmation instruction; when the second security device confirms that the authorization code in the first decrypted data is consistent with the second authorization code and the sound characteristic of the reading authorization code in the first decrypted data is consistent with the sound characteristic of the user of the first communication terminal, a second confirmation instruction is obtained, and the voice communication of the user of the second communication terminal is started to be encrypted and decrypted according to the second confirmation instruction;
c4: when the second security device confirms that the authorization code in the first decrypted data is consistent with the second authorization code and the sound characteristic of the reading authorization code in the first decrypted data is consistent with the sound characteristic of the user of the first communication terminal, a second confirmation instruction is obtained, the encryption and decryption operation of the voice communication of the user of the second communication terminal is started according to the second confirmation instruction, and the second confirmation instruction is sent to the first security device; after the first security device obtains the first call key, starting encryption and decryption operations on the voice call of the user of the first call terminal; after the encryption and decryption operation of the voice call of the user of the first call terminal is started, the first safety equipment obtains a first confirmation instruction according to a second confirmation instruction after receiving the second confirmation instruction, and continues to perform the encryption and decryption operation on the voice call of the user of the first call terminal according to the first confirmation instruction;
c5: when the first safety device confirms that the authorization code in the second decrypted data is consistent with the first authorization code and the sound characteristic of the reading authorization code in the second decrypted data is consistent with the sound characteristic of the user of the second communication terminal, a first confirmation instruction is obtained, and the voice call of the user of the first communication terminal is started to be encrypted and decrypted according to the first confirmation instruction; after the second security device obtains the second communication key, starting encryption and decryption operations on the voice communication of the user of the second communication terminal; after the encryption and decryption operation of the voice call of the user of the second call terminal is started, when the authorization code in the first decryption data is confirmed to be consistent with the second authorization code, and the sound characteristic of the reading authorization code in the first decryption data is confirmed to be consistent with the sound characteristic of the user of the first call terminal, a second confirmation instruction is obtained, and the encryption and decryption operation of the voice call of the user of the second call terminal is continued according to the second confirmation instruction;
c6: after the second safety device starts the encryption and decryption operation on the voice call of the user of the second communication terminal, when the authorization code in the first decrypted data is confirmed to be consistent with the second authorization code and the sound characteristic of the reading authorization code in the first decrypted data is confirmed to be consistent with the sound characteristic of the user of the first communication terminal, a second confirmation instruction is obtained, the encryption and decryption operation on the voice call of the user of the second communication terminal is continued according to the second confirmation instruction, and the second confirmation instruction is sent to the first safety device; after receiving the second confirmation instruction, the first safety equipment obtains a first confirmation instruction according to the second confirmation instruction, and starts encryption and decryption operations on the voice call of the user of the first call terminal according to the first confirmation instruction;
c7: after the first security device obtains the first call key, starting encryption and decryption operations on the voice call of the user of the first call terminal; after the voice call of the user of the first call terminal is started to be encrypted and decrypted, when the authorization code in the second decrypted data is prompted and confirmed to be consistent with the first authorization code, and the sound characteristic of the reading authorization code in the second decrypted data is consistent with the sound characteristic of the user of the second call terminal, a first confirmation instruction is obtained, and the voice call of the user of the first call terminal is continuously encrypted and decrypted according to the first confirmation instruction; after the second security device starts the encryption and decryption operation on the voice call of the user of the second communication terminal, when the authorization code in the first decrypted data is confirmed to be consistent with the second authorization code and the sound characteristic of the reading authorization code in the first decrypted data is confirmed to be consistent with the sound characteristic of the user of the first communication terminal, a second confirmation instruction is obtained, and the encryption and decryption operation on the voice call of the user of the second communication terminal is continued according to the second confirmation instruction;
c8: after the second safety device starts the encryption and decryption operation on the voice call of the user of the second communication terminal, when the authorization code in the first decrypted data is confirmed to be consistent with the second authorization code and the sound characteristic of the reading authorization code in the first decrypted data is confirmed to be consistent with the sound characteristic of the user of the first communication terminal, a second confirmation instruction is obtained, the encryption and decryption operation on the voice call of the user of the second communication terminal is continued according to the second confirmation instruction, and the second confirmation instruction is sent to the first safety device; after the first security device obtains the first call key, starting encryption and decryption operations on the voice call of the user of the first call terminal; after the encryption and decryption operation of the voice call of the user of the first call terminal is started, the first safety device obtains a first confirmation instruction according to a second confirmation instruction after receiving the second confirmation instruction, and continues the encryption and decryption operation of the voice call of the user of the first call terminal according to the first confirmation instruction.
The technical feature described in step 05 is that the encryption and decryption operations on the voice call are executed after it is confirmed that both the content of the authorization code and the sound characteristic of the voice reading the authorization code are consistent. This embodiment also provides a processing scheme for the case in which at least one of the two is inconsistent, described below taking the first security device as an example:
When the user of the first communication terminal determines that the authorization code in the second decrypted data is inconsistent with the first authorization code, and/or that the sound characteristic of the voice reading the authorization code in the second decrypted data is inconsistent with the sound characteristic of the user of the second communication terminal, the user of the first communication terminal may end the voice call at the first communication terminal or at the first security device.
Similarly, the implementation of the second security device is similar to that of the first security device, and is not described here again.
The method further comprises the following steps:
if the first security chip detects that the voice call of the user of the first call terminal is ended, the first security chip deletes the first call key; and/or,
if the second security chip detects that the voice call of the user of the second call terminal is ended, the second security chip deletes the second call key.
In this method, after the call is finished, the first security chip destroys the first call key used by the voice call, which reduces the possibility that the first call key is misused after being stolen, ensures the operational security of the first security chip, and makes effective use of the storage space of the first security chip. Similarly, after the call is finished, the second security chip destroys the second call key used in the voice call, which reduces the possibility that the second call key is misused after being stolen, ensures the operational security of the second security chip, and makes effective use of the storage space of the second security chip.
The following description takes a specific application scenario as an example:
User A and user B carry out a normal call. When no third party is monitoring the call, user A and user B negotiate a call key directly to obtain a call key X, and the voice call between user A and user B is encrypted and decrypted directly with the call key X.
During the call between user A and user B, if a third user C is monitoring, user A and user B each negotiate a call key with user C. After the negotiation is finished, the call key negotiated between user C and user A is M, and the call key negotiated between user C and user B is N. When user A sends call voice to user B, user C intercepts the call voice A sent from user A to user B, decrypts it with the call key M to obtain a plaintext A, encrypts the plaintext A with the call key N, and sends it to user B. In the same way, when user B sends call voice to user A, user C intercepts the call voice B sent from user B to user A, decrypts it with the call key N to obtain a plaintext B, encrypts the plaintext B with the call key M, and sends it to user A. Since user A can decrypt the ciphertext sent by user C by using the call key M, user A can obtain the voice of user B. Because user A and user B can both obtain the voice of the opposite end of the call, they can carry on the voice call, but the peer that each of them is actually communicating with is user C; that is, the voice of the call between user A and user B is already being monitored by user C.
Correspondingly, when the method provided by this embodiment is used for the voice call and user C is monitoring, the security device of user A obtains an authorization code m from the call key M negotiated with user C at the opposite end, and user A reads the authorization code m aloud to obtain a sound file m, which contains the voice of user A and the content of the authorization code m. After user C decrypts the sound file m, the sound file m is encrypted with the call key N and sent to user B. When user B hears the sound file m, user B hears the voice of user A and determines that the source of the sound file m is user A. However, the security device of user B has also obtained an authorization code n from the call key N negotiated with user C at the opposite end. User B compares the authorization code m heard in the sound file m with the locally generated authorization code n, finds that the authorization code m is different from the authorization code n, and thereby knows that a third person is monitoring the call.
Of course, user C may crack the sound file m and replace it with a sound file that contains the authorization code n (the authorization code generated from the call key N). However, since this sound file is not read aloud by user A, it does not contain the sound characteristics of user A; call it sound file m', that is, sound file m' contains the content of the authorization code n and sound characteristics that are not from user A. After hearing sound file m', user B finds that the authorization code in sound file m' is consistent with the output of user B's security device, but that the sound characteristic in sound file m' is not the sound characteristic of user A, so user B can determine that third person monitoring exists in the call.
Therefore, the sound file comprises the sound characteristic of the reading authorization code and the content of the authorization code, so that the user can judge whether a third person monitors in the call process according to the two information, and the call safety is ensured.
The following further describes how the call key and the authorization code are obtained based on ZRTP key negotiation. The specific process is as follows:
First, generation of the call key:
f1: the first security device sends a Hello message to the second security device, where the Hello message includes the ZRTP version number used by the first security device, the key negotiation type, the key algorithm and the session identifier ID1 of the user of the first call terminal; the key negotiation types of the ZRTP protocol include a pre-shared mode, a multimedia streaming mode and a Diffie-Hellman (DH) mode;
f2: the second security device sends a response message to the Hello message to the first security device;
f3: the second security device sends a Hello message to the first security device, where the Hello message includes the ZRTP version number used by the second security device, the key negotiation type, the key algorithm and the session identifier ID2 of the user of the second call terminal; the key negotiation types of the ZRTP protocol include a pre-shared mode, a multimedia streaming mode and a Diffie-Hellman (DH) mode;
f4: the first security device sends a response message to the Hello message to the second security device;
f5: after receiving the response message to the Hello message, the second security device sends the key negotiation type and key algorithm supported by both parties to the first security device; here the selected key negotiation type is taken to be the DH mode as an example;
f6: the first security device sends locally generated first function information to the second security device, where the first function information is a power function, which may be g^x, where x = svr mod p, svr denotes the secret value of the responder, mod is the modulo operation, and p is an integer;
f7: the second security device sends locally generated second function information to the first security device, where the second function information is also a power function, which may be g^y, where y = svi mod p, svi denotes the secret value of the initiator, mod is the modulo operation, and p is an integer;
where g^x is the first negotiation information mentioned above, and g^y is the second negotiation information mentioned above.
In this embodiment, the first security chip can obtain the first call key g^xy from g^x and g^y, and the second security chip can obtain the second call key g^xy from g^x and g^y.
f8: the first security device sends a first check message to the second security device, where the first check message is obtained by performing a check calculation on information that includes: whether the first call key is disclosed locally, whether the first call key is destroyed locally after the call, and the like. The key used for the check calculation is obtained from the first call key; specifically, the first call key g^xy, the session identifier ID1, the session identifier ID2 and a character string are processed to obtain a key S0, where the character string is a public string used to describe the function; the key S0 is then processed with a key derivation algorithm of the ZRTP protocol to obtain the key for the check calculation; the key derivation algorithm may be an HMAC algorithm;
f9: after the second security device verifies the first check message, it sends a second check message to the first security device, where the second check message is obtained by performing a check calculation on information that includes: whether the second call key is disclosed locally, whether the second call key is destroyed locally after the call, and the like. The key used for the check calculation is obtained from the second call key; specifically, the second call key g^xy, the session identifier ID1, the session identifier ID2 and a character string are processed to obtain a key S0, where the character string is a public string used to describe the function; the key S0 is then processed with a key derivation algorithm of the ZRTP protocol to obtain the key for the check calculation; the key derivation algorithm may be an HMAC algorithm;
f10: after the first security device finishes verifying the second check message, it sends a confirmation message to the second security device, and the key negotiation is complete.
Second, generation of the authorization code:
Here, generation of the first authorization code by the first security device is taken as an example:
after the key S0 is obtained, S0 is processed with a key derivation algorithm to obtain a character string M;
the first 32 bits of the character string M are taken to obtain a character string m;
the character string m is encoded into visible characters, and the visible characters are used as the first authorization code.
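The derivation in steps f6 to f10 and the authorization code generation above, run for both the direct call and the monitored call of users A, B and C described earlier, as an added Python example that is not code from the patent. The group parameters, the use of SHA-256 and HMAC-SHA256, the label strings, the base32 encoding and all function names are assumptions; the patent only specifies g^xy, ID1, ID2, a public string, a key derivation algorithm and the first 32 bits.

```python
import base64
import hashlib
import hmac

# Demo-only DH parameters (assumption): 2**255 - 19 is prime, which keeps the
# example short; a real device would use a DH group defined for ZRTP.
P = 2**255 - 19
G = 2
# Constructed stand-in for the "public string used to describe the function".
FUNCTION_LABEL = b"demo call key"


def negotiation_info(secret: int) -> int:
    """g^secret mod p: the negotiation information a security device sends."""
    return pow(G, secret, P)


def call_key(own_secret: int, peer_info: int) -> bytes:
    """g^xy mod p, from our own secret and the peer's negotiation information."""
    if not 1 < peer_info < P - 1:
        # 1 and p-1 would force a predictable key, so they are rejected.
        raise ValueError("degenerate negotiation information")
    return pow(peer_info, own_secret, P).to_bytes(32, "big")


def derive_s0(key: bytes, id1: bytes, id2: bytes) -> bytes:
    """S0 from g^xy, ID1, ID2 and the public string (SHA-256 is an assumption)."""
    h = hashlib.sha256()
    for part in (key, id1, id2, FUNCTION_LABEL):
        # Length-prefix each field so field boundaries cannot be shifted.
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()


def authorization_code(s0: bytes) -> str:
    """M = KDF(S0); m = first 32 bits of M; m encoded as visible characters."""
    big_m = hmac.new(s0, b"authorization code", hashlib.sha256).digest()
    small_m = big_m[:4]  # first 32 bits of the derived string M
    return base64.b32encode(small_m).decode("ascii").rstrip("=")


def device_code(own_secret: int, peer_info: int, id1: bytes, id2: bytes) -> str:
    """Authorization code a security device outputs after key negotiation."""
    return authorization_code(derive_s0(call_key(own_secret, peer_info), id1, id2))


def direct_call(secret_a, secret_b, id1=b"ID1", id2=b"ID2"):
    """Both devices negotiate with each other; returns (code at A, code at B)."""
    info_a, info_b = negotiation_info(secret_a), negotiation_info(secret_b)
    return (device_code(secret_a, info_b, id1, id2),
            device_code(secret_b, info_a, id1, id2))


def relayed_call(secret_a, secret_b, secret_c_a, secret_c_b,
                 id1=b"ID1", id2=b"ID2"):
    """User C answers both negotiations: A holds key M, B holds key N.

    Returns (authorization code m at A, authorization code n at B).
    """
    code_m = device_code(secret_a, negotiation_info(secret_c_a), id1, id2)
    code_n = device_code(secret_b, negotiation_info(secret_c_b), id1, id2)
    return code_m, code_n


def third_party_suspected(heard_code: str, local_code: str) -> bool:
    """User B's check: the code heard in the sound file against the local one."""
    return not hmac.compare_digest(heard_code, local_code)


if __name__ == "__main__":
    # Constructed secret values, fixed so the run is repeatable.
    a, b, c1, c2 = 0x1F3A9C55D2E7, 0x7B2D4E6188F1, 0x5C0FFEE12345, 0x2AD1B0C3D4E5
    at_a, at_b = direct_call(a, b)
    print("direct :", at_a, at_b, "suspected:", third_party_suspected(at_a, at_b))
    m, n = relayed_call(a, b, c1, c2)
    print("relayed:", m, n, "suspected:", third_party_suspected(m, n))
```

Matching codes cover only the first of the two checks; the second, that the voice reading the code is that of the other party, is made by the listener and is not modelled here.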
Compared with the prior-art approach in which the call key is generated on a TF card, the method provided by this embodiment of the invention generates the call key on a security device independent of the call terminal, which reduces the possibility of attack by malicious software on the call terminal during voice encryption. The call key is generated by the security chip in the security device, and because of the high security of the security chip, the possibility that the call key is stolen is reduced and the security of voice encryption is ensured. In addition, when voice is encrypted, the call key is used for encryption inside the security chip, so that the call key is invoked in a secure environment and its secure use is ensured.
In addition, during the encrypted voice call, the second security device plays the first decrypted data from the first call terminal and prompts for confirmation of the played first decrypted data against the second authorization code, thereby confirming the identity information of the first call terminal. The user can thus determine whether the call is being monitored, which raises the success rate of recognizing third-person monitoring in a voice call and reduces the possibility that the voice call is monitored; when the user determines that a third person is monitoring the call, the user can promptly take anti-monitoring security measures to prevent information leakage, which improves the security of data transmission in the voice call.
Furthermore, the first decrypted data from the first call terminal is played on the second security device, which reduces exposure to attack by malicious software on the second call terminal and ensures the security of the voice call.
The above is a description of a complete interaction flow between the first security device and the second security device, and the following describes operation flows respectively executed by the first security device and the second security device:
fig. 2 is a flowchart of a method for implementing data processing in a voice call by a first security device according to the present invention. The method shown in fig. 2 comprises:
step 21, a first security chip of the first security device generates first negotiation information, and sends the first negotiation information to the first call terminal through a first communication interface of the first security device, wherein the first negotiation information includes parameter information for generating a first call key, the first call key is used for encrypting and decrypting a voice call of a user of the first call terminal, and the first security device is connected with the first call terminal and is independent of the first call terminal;
step 22, the first security chip receives second negotiation information sent by the first call terminal through the first communication interface, wherein the second negotiation information includes parameter information for generating a first call key and is generated by a second security device of the second call terminal; the first security chip calculates the first negotiation information and the second negotiation information to obtain a first call key;
step 23, the first security device outputs a first authorization code and prompts for it to be read aloud, wherein the first authorization code is generated by the first security chip according to the first call key; the first security device obtains the result of the user of the first call terminal reading the first authorization code aloud, so as to obtain first sound information;
step 24, the first security chip encrypts the first sound information by using the first call key to obtain first encrypted data, and sends the first encrypted data through the first communication interface;
step 25, after the first confirmation instruction is obtained, the first security chip starts the encryption and decryption operation of the voice call of the user of the first call terminal by using the first call key.
Fig. 3 is a flowchart of another method for implementing data processing in a voice call by a first security device according to the present invention. The method shown in fig. 3 comprises:
step 31, a first security chip of the first security device generates first negotiation information, and sends the first negotiation information to the first call terminal through a first communication interface of the first security device, wherein the first negotiation information includes parameter information for generating a first call key, the first call key is used for encrypting and decrypting a voice call of a user of the first call terminal, and the first security device is connected with the first call terminal and is independent of the first call terminal;
step 32, the first security chip receives second negotiation information sent by the first call terminal through the first communication interface, wherein the second negotiation information includes parameter information for generating a first call key and is generated by a second security device of the second call terminal; the first security chip calculates the first negotiation information and the second negotiation information to obtain a first call key;
step 33, the first security chip starts the voice call of the user of the first call terminal to be encrypted and decrypted by using the first call key;
after the first security chip starts the operation of encrypting and decrypting the voice call of the user of the first call terminal by using the first call key, the method further comprises the following steps:
step 34, the first security device receives an authentication trigger instruction for the user of the second communication terminal, outputs a first authorization code after receiving the authentication trigger instruction for the user of the second communication terminal, and prompts reading of the first authorization code, wherein the first authorization code is generated by the first security chip according to the first communication key; obtaining a reading result of a user of the first communication terminal on the first authorization code to obtain first sound information;
after the first security chip starts the encryption and decryption operation of the voice call of the user of the first call terminal by using the first call key, the first security device receives an authentication trigger instruction of the user of the second call terminal to trigger the authentication of the user of the second call terminal, wherein the authentication trigger instruction of the user of the second call terminal can have the following two acquisition modes, including:
the first security device receives an authentication trigger instruction for the user of the second call terminal that is issued by a key on the first security device; or,
the first communication terminal receives an authentication triggering instruction sent by a key on the first communication terminal to a user of the second communication terminal, and sends the authentication triggering instruction to the first safety device through the first communication receiving and sending, and the first safety device receives the authentication triggering instruction to the user of the second communication terminal.
The user of the first call terminal can generate the authentication trigger instruction for the user of the second call terminal by pressing a key on the first security device, or by pressing a key on the first call terminal.
Generating the authentication trigger instruction for the user of the second call terminal by pressing a key on the first security device reduces the possibility that the instruction is attacked by malicious software on the first call terminal, and ensures the security of the voice call; generating it by pressing a key on the first call terminal requires no software or hardware change to the first security device and is simple to implement.
Step 35, the first security chip encrypts the first sound information by using the first session key to obtain first encrypted data, and sends the first encrypted data through the first communication interface;
step 36, after the first confirmation instruction is obtained, the first security chip continues to perform encryption and decryption operations on the voice call of the user of the first call terminal by using the first call key.
The method embodiment shown in Fig. 2 differs from the method embodiment shown in Fig. 3 in the time at which the first confirmation instruction is received: in the embodiment of Fig. 2 the first security chip receives the first confirmation instruction before the encryption and decryption operations for the voice call are started, whereas in the embodiment of Fig. 3 the first security chip receives the first confirmation instruction after those operations are started.
Compared with the prior-art approach in which the call key is generated on a TF card, the method provided by this embodiment of the invention generates the first call key on a security device independent of the first call terminal, which reduces the possibility of attack by malicious software on the first call terminal during voice encryption. The first call key is generated by the first security chip in the first security device, and because of the high security of the first security chip, the possibility that the first call key is stolen is reduced and the security of voice encryption is ensured. In addition, when voice is encrypted, the first call key is used for encryption inside the first security chip, so that the first call key is invoked in a secure environment and its secure use is ensured.
In addition, by sending out the first encrypted data, the first security device enables the second call terminal to verify the first encrypted data and thereby confirm the identity information of the first call terminal, so that the user of the second call terminal can determine whether the call is monitored by a third person. This raises the success rate of recognizing third-person monitoring in a voice call and reduces the possibility that the voice call is monitored; when the user determines that the call is monitored by a third person, the user can promptly take anti-monitoring security measures to prevent information leakage, which improves the security of data transmission in the voice call.
Fig. 4 is a flowchart of a method for processing data in a voice call by a second security device according to the present invention. The method shown in fig. 4 comprises:
step 41, a second security chip of the second security device receives first negotiation information sent by the second communication terminal through a second communication interface of the second security device, wherein the first negotiation information includes parameter information for generating a second communication key, and is generated by the first security device of the first communication terminal performing voice communication with the second communication terminal, the second communication key is used for performing encryption and decryption operations on the voice communication of a user of the second communication terminal, and the second security device is connected with the second communication terminal and is independent of the second communication terminal;
step 42, the second security chip generates second negotiation information, and sends the second negotiation information to the second communication terminal through the second communication interface, wherein the second negotiation information includes parameter information for generating a second communication key;
step 43, the second security chip calculates the first negotiation information and the second negotiation information to obtain a second communication key;
step 44, the second security device outputs a second authorization code, wherein the second authorization code is generated by the second security chip according to the second communication key;
step 45, after receiving the first encrypted data through the second communication interface, the second security chip decrypts the first encrypted data by using the second call key to obtain first decrypted data; the second security device plays the first decrypted data; the first encrypted data includes the result, obtained by the first security device, of reading the authorization code aloud;
step 46, after the second security device outputs the second authorization code and plays the first decrypted data, it prompts for confirmation of the played first decrypted data;
step 47, after the second security chip obtains the second confirmation instruction, it starts to encrypt and decrypt the voice call of the user of the second call terminal by using the second call key.
Fig. 5 is a flowchart of another method for processing data in a voice call by a second security device according to the present invention. The method shown in fig. 5 includes:
step 51, a second security chip of a second security device receives first negotiation information sent by a second communication terminal through a second communication interface of a first security device, wherein the first negotiation information includes parameter information for generating a second communication key, and is generated by the first security device of the first communication terminal performing voice communication with the second communication terminal, the second communication key is used for performing encryption and decryption operations on the voice communication of a user of the second communication terminal, and the second security device is connected with the second communication terminal and is independent of the second communication terminal;
step 52, the second security chip generates second negotiation information, and sends the second negotiation information to the second communication terminal through the second communication interface, wherein the second negotiation information includes parameter information for generating a second communication key;
step 53, the second security chip calculates the first negotiation information and the second negotiation information to obtain a second communication key;
step 54, the second security chip starts the encryption and decryption operation of the voice call of the user of the second call terminal by using the second call key;
after the second security chip starts the operation of encrypting and decrypting the voice call of the user of the second communication terminal by using the second communication key, the method further comprises the following steps:
step 55, the second security device receives an authentication trigger instruction for the user of the first communication terminal, and outputs a second authorization code after receiving the authentication trigger instruction for the user of the first communication terminal, wherein the second authorization code is generated by the second security chip according to the second communication key;
after the second security chip starts the encryption and decryption operation of the voice call of the user of the second call terminal by using the second call key, the second security device receives the authentication trigger instruction of the user of the first call terminal to trigger the authentication of the user of the first call terminal, wherein the authentication trigger instruction of the user of the first call terminal can be obtained in two ways, including:
the second security device receives an authentication trigger instruction for the user of the first call terminal that is issued by a key on the second security device; or,
the second communication terminal receives an authentication triggering instruction sent by a key on the second communication terminal to a user of the first communication terminal, and sends the authentication triggering instruction to the second safety equipment through the second communication receiving and sending, and the second safety equipment receives the authentication triggering instruction to the user of the first communication terminal.
The user of the second call terminal can generate the authentication trigger instruction for the user of the first call terminal by pressing a key on the second security device, or by pressing a key on the second call terminal.
Generating the authentication trigger instruction for the user of the first call terminal by pressing a key on the second security device reduces the possibility that the instruction is attacked by malicious software on the second call terminal, and ensures the security of the voice call; generating it by pressing a key on the second call terminal requires no software or hardware change to the second security device and is simple to implement.
Step 56, after receiving the first encrypted data through the second communication interface, the second security chip decrypts the first encrypted data by using the second call key to obtain first decrypted data; the second security device plays the first decrypted data; the first encrypted data includes the result, obtained by the first security device, of reading the authorization code aloud;
step 57, after outputting the second authorization code and playing the first decrypted data, the second security device prompts for confirmation of the played first decrypted data;
step 58, after the second security chip obtains the second confirmation instruction, it continues to perform encryption and decryption operations on the voice call of the user of the second call terminal by using the second call key.
The method embodiment shown in Fig. 4 differs from the method embodiment shown in Fig. 5 in the time at which the second confirmation instruction is received: in the embodiment of Fig. 4 the second security chip receives the second confirmation instruction before the encryption and decryption operation for the voice call is started, whereas in the embodiment of Fig. 5 the second security chip receives the second confirmation instruction after that operation is started.
Compared with the prior-art approach in which the call key is generated on a TF card, the method provided by this embodiment of the invention generates the call key on a security device independent of the call terminal, which reduces the possibility of attack by malicious software on the call terminal during voice encryption. The call key is generated by the security chip in the security device, and because of the high security of the security chip, the possibility that the call key is stolen is reduced and the security of voice encryption is ensured. In addition, when voice is encrypted, the call key is used for encryption inside the security chip, so that the call key is invoked in a secure environment and its secure use is ensured.
In addition, during the encrypted voice call, the second security device plays the first decrypted data from the first call terminal and prompts for confirmation of the played first decrypted data against the second authorization code, thereby confirming the identity information of the first call terminal. The user can thus determine whether the call is being monitored, which raises the success rate of recognizing third-person monitoring in a voice call and reduces the possibility that the voice call is monitored; when the user determines that a third person is monitoring the call, the user can promptly take anti-monitoring security measures to prevent information leakage, which improves the security of data transmission in the voice call.
Furthermore, the first decrypted data from the first call terminal is played on the second security device, which reduces exposure to attack by malicious software on the second call terminal and ensures the security of the voice call.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process, and alternate implementations are included within the scope of the preferred embodiment of the present invention in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the present invention.
It should be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.
It will be understood by those skilled in the art that all or part of the steps carried by the method for implementing the above embodiments may be implemented by hardware related to instructions of a program, which may be stored in a computer readable storage medium, and when the program is executed, the program includes one or a combination of the steps of the method embodiments.
In addition, functional units in the embodiments of the present invention may be integrated into one processing module, or each unit may exist alone physically, or two or more units are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. The integrated module, if implemented in the form of a software functional module and sold or used as a stand-alone product, may also be stored in a computer readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic or optical disk, etc.
In the description herein, references to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention, and that variations, modifications, substitutions and alterations can be made in the above embodiments by those of ordinary skill in the art without departing from the principle and spirit of the present invention. The scope of the invention is defined by the appended claims and equivalents thereof.
Claims (22)
1. A data processing method for a voice call, characterized in that the method comprises the following steps:
a first security chip of first security equipment generates first negotiation information and sends the first negotiation information to a first call terminal through a first communication interface of the first security equipment, wherein the first security equipment is connected with the first call terminal and is independent of the first call terminal; the first security chip receives second negotiation information sent by the first call terminal through the first communication interface, wherein the second negotiation information is generated by second security equipment of a second call terminal;
the first security chip calculates the first negotiation information and the second negotiation information to obtain a first call key, and the first call key is used for encrypting and decrypting voice calls of users of the first call terminal;
the first security device outputs a first authorization code and prompts reading of the first authorization code, wherein the first authorization code is generated by the first security chip according to the first call key;
the first security chip obtains a reading result of the user of the first communication terminal on the first authorization code to obtain first sound information;
the first security chip encrypts the first sound information by using the first call key to obtain first encrypted data, and sends the first encrypted data through the first communication interface;
and after the first confirmation instruction is obtained, the first security chip starts the encryption and decryption operation of the voice call of the user of the first call terminal by using the first call key.
2. The method according to claim 1, wherein after obtaining the first confirmation instruction, the first security chip starts an encryption/decryption operation for the voice call of the user of the first call terminal by using the first call key, and the method includes:
after receiving a second confirmation instruction sent by the second call terminal, the first security chip obtains the first confirmation instruction according to the second confirmation instruction, and starts the encryption and decryption operation of the voice call of the user of the first call terminal by using the first call key; the second confirmation instruction is an instruction for confirming the played first decrypted data according to a second authorization code generated by the second security device, and is generated by the second security device; wherein the first decrypted data is obtained by decrypting the first encrypted data by the second security device.
3. The method according to claim 1, wherein after obtaining the first confirmation instruction, the first security chip starts an encryption/decryption operation for the voice call of the user of the first call terminal by using the first call key, and the method includes:
after receiving second encrypted data through the first communication interface, the first security chip decrypts the second encrypted data by using the first call key to obtain second decrypted data; the first security device plays the second decrypted data and prompts to confirm the played second decrypted data according to the first authorization code; the first security chip obtains a first confirmation instruction and starts the encryption and decryption operation of the voice call of the user of the first call terminal by using the first call key; the second encrypted data includes a reading result of the authorization code by the user of the second call terminal, which is obtained by the second security device.
4. A data processing method for a voice call, characterized in that the method comprises the following steps:
a first security chip of a first security device generates first negotiation information and sends the first negotiation information to a first call terminal through a first communication interface of the first security device, wherein the first security device is connected with the first call terminal and is independent of the first call terminal; the first security chip receives second negotiation information sent by the first call terminal through the first communication interface, wherein the second negotiation information is generated by a second security device of a second call terminal;
the first security chip calculates the first negotiation information and the second negotiation information to obtain a first call key, and the first call key is used for encrypting and decrypting voice calls of users of the first call terminal;
after the first call key is obtained, the first security chip starts the encryption and decryption operation of the voice call of the user of the first call terminal by using the first call key;
after the first security chip starts the operation of encrypting and decrypting the voice call of the user of the first call terminal by using the first call key, the method further comprises the following steps:
the first security device receives an authentication trigger instruction for a user of the second call terminal;
after receiving the authentication trigger instruction for the user of the second call terminal, the first security device outputs a first authorization code and prompts reading of the first authorization code, wherein the first authorization code is generated by the first security chip according to the first call key;
the first security chip obtains a reading result of the user of the first call terminal on the first authorization code to obtain first sound information;
the first security chip encrypts the first sound information by using the first call key to obtain first encrypted data, and sends the first encrypted data through the first communication interface;
and after the first confirmation instruction is obtained, the first security chip utilizes the first call key to continue encryption and decryption operations on the voice call of the user of the first call terminal.
5. The method according to claim 4, wherein after obtaining the first confirmation instruction, the first security chip continues to perform encryption and decryption operations on the voice call of the user of the first call terminal by using the first call key, and the method includes:
after receiving a second confirmation instruction sent by the second call terminal, the first security chip obtains the first confirmation instruction according to the second confirmation instruction, and continues to perform encryption and decryption operations on the voice call of the user of the first call terminal by using the first call key; the second confirmation instruction is an instruction for confirming the played first decrypted data according to a second authorization code generated by the second security device, and is generated by the second security device; the first decrypted data is obtained by decrypting the first encrypted data by the second security device.
6. The method according to claim 4, wherein after obtaining the first confirmation instruction, the first security chip continues to perform encryption and decryption operations on the voice call of the user of the first call terminal by using the first call key, and the method includes:
after receiving second encrypted data through the first communication interface, the first security chip decrypts the second encrypted data by using the first call key to obtain second decrypted data; the first security device plays the second decrypted data and prompts to confirm the played second decrypted data according to the first authorization code; the first security chip obtains a first confirmation instruction, and continues to perform encryption and decryption operations on voice calls of users of the first call terminal by using the first call key; the second encrypted data includes a reading result of the authorization code by the user of the second call terminal, which is obtained by the second security device.
7. The method according to claim 3 or 6, wherein
the first security device prompting confirmation of the played second decrypted data according to the first authorization code includes:
the first security device prompts confirmation of whether the authorization code in the second decrypted data is consistent with the first authorization code, and confirmation of whether the sound characteristic of the voice reading the authorization code in the second decrypted data is consistent with the sound characteristic of the user of the second call terminal;
the first confirmation instruction is an instruction confirming that the authorization code in the second decrypted data is consistent with the first authorization code and that the sound characteristic of the voice reading the authorization code in the second decrypted data is consistent with the sound characteristic of the user of the second call terminal.
8. The method of any of claims 1 to 6, wherein the first security device outputting a first authorization code comprises:
A. the first security device converts a first authorization code into sound information, obtains the sound information of the first authorization code, and plays the sound information of the first authorization code; or,
B. the first security device displays a first authorization code.
9. The method according to any one of claims 1 to 6, further comprising:
and if the first security chip detects that the voice call of the user of the first call terminal is ended, the first security chip deletes the first call key.
10. The method according to any one of claims 1 to 6, wherein the obtaining, by the first security chip, of the reading result of the first authorization code by the user of the first call terminal, to obtain the first sound information, includes:
A. the first security chip obtains a reading result of the user of the first call terminal on the first authorization code, which is acquired by a voice acquisition unit of the first security device, so as to obtain first sound information; or,
B. the first security chip receives, through the first communication interface, a reading result of the user of the first call terminal on the first authorization code, which is acquired by the first call terminal, so as to obtain first sound information.
11. The method according to any one of claims 1 to 6, wherein the length of the first authorization code is smaller than the length of the first call key.
12. The method according to any one of claims 1 to 6, wherein the first authorization code is used to uniquely identify the first call key.
13. A data processing method for a voice call, characterized in that the method comprises the following steps:
a second security chip of a second security device receives first negotiation information sent by a second communication terminal through a second communication interface of the second security device, wherein the first negotiation information is generated by a first security device of a first communication terminal which performs voice communication with the second communication terminal, and the second security device is connected with the second communication terminal and is independent of the second communication terminal; the second security chip generates second negotiation information and sends the second negotiation information to the second communication terminal through the second communication interface;
the second security chip calculates the first negotiation information and the second negotiation information to obtain a second communication key, and the second communication key is used for encrypting and decrypting voice communication of a user of the second communication terminal;
the second security device outputs a second authorization code, wherein the second authorization code is generated by the second security chip according to the second communication key; after receiving the first encrypted data through the second communication interface, the second security chip decrypts the first encrypted data by using the second communication key to obtain first decrypted data; the second security device plays the first decrypted data; the first encrypted data comprises a reading result of the authorization code obtained by the first security device;
after outputting the second authorization code and playing the first decrypted data, the second security device prompts to confirm the played first decrypted data according to the second authorization code;
and after the second security chip obtains a second confirmation instruction, starting the encryption and decryption operation of the voice call of the user of the second communication terminal by using the second communication key.
14. A data processing method for a voice call, characterized in that the method comprises the following steps:
a second security chip of a second security device receives first negotiation information sent by a second communication terminal through a second communication interface of the second security device, wherein the first negotiation information is generated by a first security device of the first communication terminal which performs voice communication with the second communication terminal, and the second security device is connected with the second communication terminal and is independent of the second communication terminal; the second security chip generates second negotiation information and sends the second negotiation information to the second communication terminal through the second communication interface;
the second security chip calculates the first negotiation information and the second negotiation information to obtain a second communication key, and the second communication key is used for encrypting and decrypting voice communication of a user of the second communication terminal;
after the second communication key is obtained, the second security chip starts the encryption and decryption operation of the voice communication of the user of the second communication terminal by using the second communication key;
after the second security chip starts the operation of encrypting and decrypting the voice call of the user of the second communication terminal by using the second communication key, the method further comprises the following steps:
the second security device receives an authentication trigger instruction for the user of the first communication terminal;
the second security device outputs a second authorization code after receiving the authentication trigger instruction for the user of the first communication terminal, wherein the second authorization code is generated by the second security chip according to the second communication key; after receiving the first encrypted data through the second communication interface, the second security chip decrypts the first encrypted data by using the second communication key to obtain first decrypted data; the second security device plays the first decrypted data; the first encrypted data comprises a reading result of the authorization code obtained by the first security device;
after outputting the second authorization code and playing the first decrypted data, the second security device prompts to confirm the played first decrypted data according to the second authorization code;
and after the second security chip obtains a second confirmation instruction, the second security chip utilizes the second communication key to continue to perform encryption and decryption operations on the voice communication of the user of the second communication terminal.
15. The method according to claim 13 or 14, wherein
the second security device prompting confirmation of the played first decrypted data according to the second authorization code includes:
the second security device prompts confirmation of whether the authorization code in the first decrypted data is consistent with the second authorization code, and confirmation of whether the sound characteristic of the voice reading the authorization code in the first decrypted data is consistent with the sound characteristic of the user of the first communication terminal;
the second confirmation instruction obtained by the second security chip is an instruction confirming that the authorization code in the first decrypted data is consistent with the second authorization code and that the sound characteristic of the voice reading the authorization code in the first decrypted data is consistent with the sound characteristic of the user of the first communication terminal.
16. The method of claim 13 or 14, wherein the second security device outputting a second authorization code comprises:
A. the second security device converts a second authorization code into sound information, obtains the sound information of the second authorization code, and plays the sound information of the second authorization code; or,
B. the second security device displays a second authorization code.
17. The method according to claim 13 or 14, characterized in that the method further comprises:
after the second security device outputs the second authorization code, prompting to read the second authorization code;
the second security chip obtains a reading result of the user of the second communication terminal on the second authorization code to obtain second sound information;
and the second security chip encrypts the second sound information by using the second communication key to obtain second encrypted data, and sends the second encrypted data through the second communication interface.
18. The method according to claim 13 or 14, characterized in that the method further comprises:
and if the second security chip detects that the voice call of the user of the second communication terminal is ended, the second security chip deletes the second communication key.
19. The method of claim 17, wherein the second security chip obtaining the reading result of the second authorization code from the user of the second communication terminal, and obtaining second sound information, comprises:
A. the second security chip obtains a reading result of the user of the second communication terminal on the second authorization code, which is acquired by a voice acquisition unit of the second security device, so as to obtain second sound information; or,
B. the second security chip receives, through the second communication interface, the reading result of the user of the second communication terminal on the second authorization code, which is acquired by the second communication terminal, so as to obtain second sound information.
20. The method of claim 18, wherein the second security chip obtaining the reading result of the second authorization code from the user of the second communication terminal, and obtaining second sound information, comprises:
A. the second security chip obtains a reading result of the user of the second communication terminal on the second authorization code, which is acquired by a voice acquisition unit of the second security device, so as to obtain second sound information; or,
B. the second security chip receives, through the second communication interface, the reading result of the user of the second communication terminal on the second authorization code, which is acquired by the second communication terminal, so as to obtain second sound information.
21. The method according to claim 13 or 14, wherein the length of the second authorization code is less than the length of the second communication key.
22. The method according to claim 13 or 14, wherein the second authorization code is used to uniquely identify the second communication key.
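The flow these claims describe (negotiation information exchanged through the call terminals, a call key computed on each security chip, a short authorization code derived from that key, read out, encrypted and confirmed by the peer) is sketched below as an added example that is not code from the patent. The claims name no algorithms, so the toy Diffie-Hellman group, the SHA-256/HMAC derivations, the six-digit code format, the stand-in cipher and every class and function name are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: toy Diffie-Hellman parameters stand in for the negotiation
# algorithm, which the claims leave open. Not a vetted group.
P, G = 2**255 - 19, 2


def _prf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


class SecurityChip:
    """Hypothetical model of the security chip in one security device."""
    def __init__(self, private=None):
        self._private = private or secrets.randbelow(P - 3) + 2
        self.call_key = None

    def negotiation_info(self) -> int:
        return pow(G, self._private, P)

    def compute_call_key(self, peer_info: int) -> None:
        if not 1 < peer_info < P - 1:  # reject degenerate values
            raise ValueError("invalid negotiation information")
        shared = pow(peer_info, self._private, P)
        self.call_key = hashlib.sha256(shared.to_bytes(32, "big")).digest()

    def authorization_code(self) -> str:
        # Six digits derived from the 32-byte call key (shorter than the key).
        digest = _prf(self.call_key, b"authorization-code")
        return f"{int.from_bytes(digest, 'big') % 10**6:06d}"

    def encrypt(self, sound: bytes) -> bytes:
        # Assumed stand-in cipher: HMAC keystream, then encrypt-then-MAC.
        if len(sound) > 32:
            raise ValueError("demo cipher handles at most 32 bytes")
        nonce = secrets.token_bytes(16)
        stream = _prf(_prf(self.call_key, b"enc"), nonce)
        body = nonce + bytes(a ^ b for a, b in zip(sound, stream))
        return body + _prf(_prf(self.call_key, b"mac"), body)

    def decrypt(self, blob: bytes) -> bytes:
        body, tag = blob[:-32], blob[-32:]
        if not hmac.compare_digest(tag, _prf(_prf(self.call_key, b"mac"), body)):
            raise ValueError("encrypted data failed authentication")
        stream = _prf(_prf(self.call_key, b"enc"), body[:16])
        return bytes(a ^ b for a, b in zip(body[16:], stream))

    def confirm(self, blob: bytes) -> bool:
        """Decrypt the peer's read-out and compare it with the local code."""
        try:
            heard = self.decrypt(blob)
        except ValueError:
            return False
        return hmac.compare_digest(heard, self.authorization_code().encode())

    def end_call(self) -> None:
        self.call_key = None  # drop the call key when the call ends


def read_out(chip: SecurityChip) -> bytes:
    """Constructed stand-in for the user reading the code aloud."""
    return chip.encrypt(chip.authorization_code().encode())


def direct_call(first: SecurityChip, second: SecurityChip) -> bool:
    """Negotiation information reaches each chip unchanged."""
    first.compute_call_key(second.negotiation_info())
    second.compute_call_key(first.negotiation_info())
    return second.confirm(read_out(first))


def substituted_call(first, second, toward_first, toward_second) -> bool:
    """Both pieces of negotiation information were replaced in transit."""
    first.compute_call_key(toward_first.negotiation_info())
    toward_first.compute_call_key(first.negotiation_info())
    second.compute_call_key(toward_second.negotiation_info())
    toward_second.compute_call_key(second.negotiation_info())
    # Re-encrypted hop by hop, the read-out decrypts cleanly at the second
    # device but still carries the code of a different call key.
    relayed = toward_second.encrypt(toward_first.decrypt(read_out(first)))
    return second.confirm(relayed)
```

A mismatched code and a failed decryption both end in a refused confirmation; the voice-characteristic comparison of claims 7 and 15 is left to the listener and is not modelled.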
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410208608.3A CN103974242B (en) | 2014-05-16 | 2014-05-16 | A kind of data processing method of voice call |
HK15100284.8A HK1200000A1 (en) | 2014-05-16 | 2015-01-12 | Data processing method for voice communication |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410208608.3A CN103974242B (en) | 2014-05-16 | 2014-05-16 | A kind of data processing method of voice call |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103974242A (en) | 2014-08-06 |
CN103974242B (en) | 2017-11-10 |
Family
ID=51243183
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410208608.3A Active CN103974242B (en) | 2014-05-16 | 2014-05-16 | A kind of data processing method of voice call |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN103974242B (en) |
HK (1) | HK1200000A1 (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106130727A (en) * | 2016-08-31 | 2016-11-16 | 深圳市金立通信设备有限公司 | A kind of call cryptographic key negotiation method and system |
CN107809759A (en) * | 2016-09-09 | 2018-03-16 | 中兴通讯股份有限公司 | A kind of data transmission method and device |
CN106789000A (en) * | 2016-12-13 | 2017-05-31 | 北京握奇智能科技有限公司 | A kind of secret phone system and method based on TEE technologies and wearable device |
Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1183685A (en) * | 1996-06-28 | 1998-06-03 | 株式会社东芝 | Encryption decoding method. record reproduction device and record medium |
CN101228770A (en) * | 2005-07-27 | 2008-07-23 | 国际商业机器公司 | System and method for securely sending documents to authorized recipients |
CN101236581A (en) * | 2007-02-01 | 2008-08-06 | 北京华大信安科技有限公司 | Information safety apparatus and its processing method |
CN101420303A (en) * | 2008-12-12 | 2009-04-29 | 广州杰赛科技股份有限公司 | Communication method for audio data and apparatus thereof |
CN102098159A (en) * | 2010-07-28 | 2011-06-15 | 胡旭光 | Secret key device and method for mobile phone |
CN202231733U (en) * | 2011-09-06 | 2012-05-23 | 信雅达系统工程股份有限公司 | Earphone shield with earphone function |
CN102497465A (en) * | 2011-10-26 | 2012-06-13 | 潘铁军 | High-secrecy mobile information safety system and safety method for distributed secret keys |
CN102592091A (en) * | 2011-12-28 | 2012-07-18 | 潘铁军 | Digital rights management system and security method based on distributed key |
CN102609641A (en) * | 2011-12-28 | 2012-07-25 | 潘铁军 | DRM (digital rights management) system based on distributed keys |
CN102647275A (en) * | 2011-02-22 | 2012-08-22 | 深圳市文鼎创数据科技有限公司 | KEY for mobile terminal |
CN103457729A (en) * | 2012-05-31 | 2013-12-18 | 阿里巴巴集团控股有限公司 | Safety equipment, service terminal and encryption method |
Also Published As
Publication number | Publication date |
---|---|
CN103974242A (en) | 2014-08-06 |
HK1200000A1 (en) | 2015-07-24 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN103973696B (en) | A kind of data processing method of voice call | |
CN109462476B (en) | Key agreement method, device, terminal and computer readable storage medium | |
US10038676B2 (en) | Call encryption systems and methods | |
US20100227549A1 (en) | Apparatus and Method for Pairing Bluetooth Devices by Acoustic Pin Transfer | |
Studer et al. | Don't bump, shake on it: The exploitation of a popular accelerometer-based smart phone exchange and its secure replacement | |
KR101556654B1 (en) | Method for processing video telecommunication and apparatus for the same | |
CN104065648B (en) | A kind of data processing method of voice call | |
CN107277745A (en) | Blue tooth voice contrast means and method | |
CN103974243B (en) | A kind of data handling system of voice call | |
CN103974242B (en) | A kind of data processing method of voice call | |
CN103986711B (en) | A kind of data processing method of voice call | |
TW201539429A (en) | A smart phone paired with a Bluetooth headset for voice data encryption and decryption | |
CN106856606A (en) | Communication means, communication system and mobile terminal | |
CN104284328A (en) | Method and device for encrypting mobile phone communication content | |
CN103986712B (en) | A kind of data processing method of voice call | |
WO2021109668A1 (en) | Security authentication method, apparatus, and electronic device | |
CN104080080B (en) | A kind of data handling system of voice call | |
CN104038932B (en) | A kind of safety equipment | |
CN104065649B (en) | A kind of data processing method of voice call | |
CN104065650B (en) | A kind of data handling system of voice call | |
KR20140139321A (en) | Information security attachment apparatus for voice communications and information security method for voice communications thereby | |
CN104066081B (en) | A kind of data handling system of voice call | |
CN112242977A (en) | Data transmission method and data transmission system | |
CN104066080B (en) | A kind of data processing method of voice call | |
CN104952467A (en) | Mobile terminal and audio file playing method thereof |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
REG | Reference to a national code | Ref country code: HK; Ref legal event code: DE; Ref document number: 1200000; Country of ref document: HK |
GR01 | Patent grant | ||
REG | Reference to a national code | Ref country code: HK; Ref legal event code: GR; Ref document number: 1200000; Country of ref document: HK |