
CN114827093A - Communication method, device, system and storage medium - Google Patents


Info

Publication number: CN114827093A
Authority: CN (China)
Prior art keywords: encryption, decryption, target, session, forwarding
Legal status: Granted, Active
Application number: CN202110064807.1A
Other languages: Chinese (zh)
Other versions: CN114827093B (en)
Inventors: 李鹏, 陈广华, 钟敬辉
Current Assignee: Alibaba Group Holding Ltd
Original Assignee: Alibaba Group Holding Ltd
Application filed by: Alibaba Group Holding Ltd
Priority to: CN202110064807.1A
Granted publication: CN114827093B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00: Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/1066: Session management
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • General Business, Economics & Management (AREA)
  • Multimedia (AREA)
  • Computer And Data Communications (AREA)

Abstract

Embodiments of the present application provide a communication method, device, system, and storage medium. In these embodiments, an encryption/decryption unit takes over the encryption/decryption service, so that the service is separated from the forwarding device; this ensures that the encryption/decryption service in an encrypted communication is not affected by a restart of the forwarding device. The forwarding device handles the forwarding service and, during forwarding, records the session state information of running sessions in a storage unit. After the forwarding device restarts, it can therefore use the session state information in the storage unit as the basis for session recovery, so that sessions and the encryption/decryption service are restored automatically after the restart. Accordingly, a restart of the forwarding device no longer interrupts sessions, and users are essentially unaware of the restart, which effectively improves the user experience.

Description

A communication method, device, system and storage medium

Technical Field

The present application relates to the field of communication technologies, and in particular to a communication method, device, system, and storage medium.

Background

In real-time audio and video communication (RTC), the SFU (Selective Forwarding Unit) is responsible for encrypting/decrypting and forwarding audio and video media streams, and is the central node of the audio and video communication system.

An SFU needs to be restarted in many situations, such as a crash, an upgrade, or capacity expansion. An SFU restart causes encryption/decryption in the RTC to fail and sessions to be interrupted, and users must re-establish their sessions, which is inconvenient. The loss caused by a restart is even greater when the SFU carries a large number of users.

Summary of the Invention

Various aspects of the present application provide a communication method, device, system, and storage medium for implementing a hot restart of an encrypted communication service.

An embodiment of the present application provides a communication system, including a forwarding device, an encryption/decryption unit, and a storage unit, where the forwarding device is communicatively connected to the encryption/decryption unit and the storage unit;

the forwarding device is configured to record session state information of a target session in the storage unit while encrypting and forwarding the target session, as the basis for restoring the target session after the forwarding device restarts, and to initiate an encryption/decryption service request to the encryption/decryption unit for the target session;

the encryption/decryption unit is configured to perform encryption/decryption processing on the target session according to the encryption/decryption service request, so as to support the forwarding device in encrypting and forwarding the target session;

the storage unit is configured to store the session state information of the target session.

An embodiment of the present application further provides a communication method, applicable to a forwarding device in a communication system, including:

while encrypting and forwarding a target session, recording session state information of the target session in a storage unit in the communication system, as the basis for restoring the target session after the forwarding device restarts;

initiating an encryption/decryption service request to the encryption/decryption unit for the target session, so that the encryption/decryption unit performs encryption/decryption processing on the target session according to the encryption/decryption service request, to support the forwarding device in encrypting and forwarding the target session.

An embodiment of the present application further provides a communication method, applicable to an encryption/decryption device in a communication system, including:

receiving a communication handshake message for a target media stream, initiated by the communication end of a target session and forwarded by the forwarding device in the communication system;

performing communication negotiation with the communication end corresponding to the target session according to the communication handshake message, to obtain a communication key;

encrypting/decrypting the target media stream based on the communication key;

returning the encrypted/decrypted media stream to the forwarding device, so that the forwarding device can encrypt and forward the target session.

An embodiment of the present application further provides a forwarding device, including a memory, a processor, and a communication component;

the memory is configured to store one or more computer instructions;

the processor is coupled to the memory and the communication component, and is configured to execute the one or more computer instructions in order to:

while encrypting and forwarding a target session, record session state information of the target session, through the communication component, in a storage unit in the communication system, as the basis for restoring the target session after the forwarding device restarts;

initiate an encryption/decryption service request to the encryption/decryption unit for the target session, so that the encryption/decryption unit performs encryption/decryption processing on the target session according to the encryption/decryption service request, to support the forwarding device in encrypting and forwarding the target session.

An embodiment of the present application further provides an encryption/decryption device, including a memory, a processor, and a communication component;

the memory is configured to store one or more computer instructions;

the processor is coupled to the memory and the communication component, and is configured to execute the one or more computer instructions in order to:

receive a communication handshake message for a target media stream, initiated by the communication end of a target session and forwarded by the forwarding device in the communication system;

perform communication negotiation with the communication end corresponding to the target session according to the communication handshake message, to obtain a communication key;

encrypt/decrypt the target media stream based on the communication key;

return the encrypted/decrypted media stream to the forwarding device, so that the forwarding device can encrypt and forward the target session.

An embodiment of the present application further provides a computer-readable storage medium storing computer instructions which, when executed by one or more processors, cause the one or more processors to perform the foregoing communication method.

In the embodiments of the present application, an encryption/decryption unit takes over the encryption/decryption service, so that the service is separated from the forwarding device; this ensures that the encryption/decryption service in an encrypted communication is not affected by a restart of the forwarding device. The forwarding device handles the forwarding service and, during forwarding, records the session state information of running sessions in the storage unit. After the forwarding device restarts, it can therefore use the session state information in the storage unit as the basis for session recovery, so that sessions and the encryption/decryption service are restored automatically after the restart. Accordingly, a restart of the forwarding device no longer interrupts sessions, and users are essentially unaware of the restart, which effectively improves the user experience.

Brief Description of the Drawings

The drawings described here provide a further understanding of the present application and constitute a part of it. The schematic embodiments of the present application and their descriptions are used to explain the present application and do not unduly limit it. In the drawings:

FIG. 1 is a schematic structural diagram of a communication system provided by an exemplary embodiment of the present application;

FIG. 2 is a logical schematic diagram of a scheme for automatic recovery after a forwarding device restarts, provided by an exemplary embodiment of the present application;

FIG. 3 is a schematic structural diagram of another communication system provided by an exemplary embodiment of the present application;

FIG. 4 is a logical schematic diagram of an encryption/decryption scheme provided by an exemplary embodiment of the present application;

FIG. 5 is a schematic flowchart of a communication method provided by another exemplary embodiment of the present application;

FIG. 6 is a schematic flowchart of another communication method provided by another exemplary embodiment of the present application;

FIG. 7 is a schematic structural diagram of a forwarding device provided by yet another exemplary embodiment of the present application;

FIG. 8 is a schematic structural diagram of an encryption/decryption device provided by yet another exemplary embodiment of the present application.

Detailed Description

To make the objectives, technical solutions, and advantages of the present application clearer, the technical solutions of the present application are described clearly and completely below with reference to specific embodiments and the corresponding drawings. The described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments in the present application without creative effort fall within the protection scope of the present application.

At present, a restart of the forwarding device interrupts sessions, which is inconvenient for users. To address this, in some embodiments of the present application an encryption/decryption unit takes over the encryption/decryption service, so that the service is separated from the forwarding device; this ensures that the encryption/decryption service in an encrypted communication is not affected by a restart of the forwarding device. The forwarding device handles the forwarding service and, during forwarding, records the session state information of running sessions in the storage unit. After the forwarding device restarts, it can therefore use the session state information in the storage unit as the basis for session recovery, so that sessions and the encryption/decryption service are restored automatically after the restart. Accordingly, a restart of the forwarding device no longer interrupts sessions, and users are essentially unaware of the restart, which effectively improves the user experience.

The technical solutions provided by the embodiments of the present application are described in detail below with reference to the drawings.

FIG. 1 is a schematic structural diagram of a communication system provided by an exemplary embodiment of the present application. As shown in FIG. 1, the system includes a forwarding device 10, an encryption/decryption unit 20, and a storage unit 30, and the forwarding device 10 is communicatively connected to the encryption/decryption unit 20 and the storage unit 30.

In terms of physical implementation, the forwarding device 10 may be a server device such as a conventional server, a cloud server, a cloud host, or a virtual center. A server device mainly consists of a processor, a hard disk, memory, a system bus, and so on, similar to a general-purpose computer architecture. For example, in an RTC scenario the forwarding device 10 may be an SFU (Selective Forwarding Unit). The storage unit 30 may be a distributed storage system, for example redis (Remote Dictionary Server). This embodiment is not limited to these choices and does not restrict the physical implementation of the forwarding device 10 or the storage unit 30.

The communication system provided in this embodiment can be used in various encrypted communication scenarios, for example RTC (real-time communication, i.e. real-time audio and video communication) scenarios and live broadcast scenarios. RTC scenarios may include, but are not limited to, online conferences, online education, and video calls; live broadcast scenarios may include, but are not limited to, video surveillance and live video. This embodiment does not limit the application scenario.

In an encrypted communication scenario, the session is encrypted to protect the privacy of the communicating parties. Sessions are used to distinguish different communication ends, and a single session corresponds to one communication end. When a communication end initiates a forwarding request to the forwarding device 10 for the first time, the forwarding device 10 can issue it a session ID. Each time the communication end subsequently initiates a forwarding request, the forwarding device 10 checks whether a session ID corresponding to that communication end already exists. If it does, the forwarding requests are considered to belong to the same session. If it does not (for example, if the communication end has not initiated a forwarding request for a long time, the forwarding device 10 deletes the session ID issued to that communication end), a new session ID is created for the communication end. In this embodiment, the forwarding device 10 can provide forwarding services for different sessions (that is, different communication ends). In the RTC scenarios above, a session is usually bidirectional: the communication end can initiate a push request or a pull request to the forwarding device 10. In the live broadcast scenarios above, a session is usually one-way, and the communication end usually only initiates pull requests to the forwarding device 10. This embodiment does not limit this, and a session can be configured as one-way or two-way according to actual needs.

Based on this, in this embodiment the forwarding device 10 can create a target session and is responsible for encrypting and forwarding it. While the communication system is running normally, the forwarding device 10 can, in the course of encrypting and forwarding the target session, record the session state information of the target session in the storage unit 30, as the basis for restoring the target session after the forwarding device 10 restarts. Preferably, the forwarding device 10 uses the nearest storage unit 30 (for example, one in the same region or the same machine room) to record the session state information, so as to speed up session recovery. Correspondingly, the storage unit 30 can be used to store the session state information of the target session.

In this embodiment, the forwarding device 10 can store session state information in key-value form. To this end, the forwarding device 10 can configure a session key for the target session and record the session state information under that session key. The session state information describes the attributes and configuration of the session, and may include, but is not limited to, a signaling state record, a connection state record, an encryption/decryption state record, a media description information record, or a subscription information record. These exemplary kinds of session state information are described below:

Signaling state record: records the result of the signaling interaction;

Connection state record: records the last selected transmission path. For example, the ICE (Interactive Connectivity Establishment) state can be recorded, mainly the last selected candidate pair;

Encryption/decryption state record: records the interaction information with the encryption/decryption unit 20, including but not limited to the identifier of the encryption/decryption task corresponding to the session and the task address identifier used in the encryption/decryption unit 20;

Media description information record: mainly records the negotiation result of the media description information, for example the negotiation result of SDP (Session Description Protocol);

Subscription information record: records the subscription relationships between communication ends.

Note that the kinds of session state information above are only examples. In this embodiment, the forwarding device 10 can also record in the storage unit 30 other types of information that can support session recovery, and this embodiment is not limited to those listed. Likewise, the contents recorded in the exemplary kinds of session state information above are only examples, and this embodiment is not limited to them.

From the perspective of the target session, the forwarding device 10 can create a session key and session state information for the target session when the target session is created, and delete the corresponding session key and session state information from the storage unit 30 when the target session ends. Similarly, from an overall perspective, the forwarding device 10 can create a session key and session state information in the storage unit 30 for each new session when it appears, and delete the session key and session state information of each ended session from the storage unit 30. In practice, session states may change in real time. In this embodiment, once the forwarding device 10 determines that a new session state has been applied successfully, it can update the corresponding new session state information in the storage unit 30. The session state information stored in the storage unit 30 therefore changes dynamically, so that the storage unit 30 holds the latest and most accurate session state information.

Accordingly, in this embodiment the storage unit 30 can accurately and comprehensively record the session state information of the sessions running on the forwarding device 10, providing an accurate and comprehensive basis for session recovery after the forwarding device 10 restarts.

In addition, in this embodiment the forwarding device 10 can also record the time of its most recent startup in the storage unit 30. This time information can serve as the basis for judging, during a subsequent restart, whether a restart loop is occurring.

In this embodiment, the forwarding device 10 can also initiate an encryption/decryption service request to the encryption/decryption unit 20 for the target session. The encryption/decryption unit 20 can perform encryption/decryption processing on the target session according to the encryption/decryption service request, so as to support the forwarding device 10 in encrypting and forwarding the target session. The encryption/decryption processing performed by the encryption/decryption unit 20 is described in detail later. Because the forwarding device 10 no longer performs the encryption/decryption operations itself, a restart of the forwarding device 10 does not affect the encryption/decryption service, and the encryption/decryption service can resume automatically after the forwarding device 10 restarts.

Note that in this embodiment the numbers of forwarding devices 10, encryption/decryption units 20, and storage units 30 in the communication system are not limited to those shown in FIG. 1. Depending on communication requirements, the forwarding devices 10, encryption/decryption units 20, and storage units 30 can be deployed across multiple regions, multiple machine rooms, and so on; this embodiment does not limit this.

In this embodiment, the encryption/decryption unit 20 takes over the encryption/decryption service, so that the service is separated from the forwarding device 10; this ensures that the encryption/decryption service in an encrypted communication is not affected by a restart of the forwarding device 10. The forwarding device 10 handles the forwarding service and, during forwarding, records the session state information of running sessions in the storage unit 30. After the forwarding device 10 restarts, it can therefore use the session state information in the storage unit 30 as the basis for session recovery, so that sessions and the encryption/decryption service are restored automatically after the restart. Accordingly, a restart of the forwarding device 10 no longer interrupts sessions, and users are essentially unaware of the restart, which effectively improves the user experience.

在上述或下述实施例中,转发设备10在发生崩溃、升级或扩容等情况下,可进行重启。图2为本申请一示例性实施例提供的一种转发设备重启后自动恢复方案的逻辑示意图。参考图2,对转发设备10来说,可在重启后,从存储单元30中读取至少一个会话各自对应的会话状态信息;根据至少一个会话各自对应的会话状态信息,恢复至少一个会话。In the above or the following embodiments, the forwarding device 10 may be restarted in the event of a crash, upgrade, or capacity expansion. FIG. 2 is a schematic diagram of a schematic diagram of an automatic recovery solution after restarting a forwarding device according to an exemplary embodiment of the present application. Referring to FIG. 2 , for the forwarding device 10, after restarting, the session state information corresponding to at least one session can be read from the storage unit 30; the at least one session can be restored according to the session state information corresponding to the at least one session.

Generally, a single session may contain at least one media stream during its life cycle, and media streams can be divided into push streams, pull streams, and so on. A push stream may refer to a media stream that a communication end provides to the forwarding device 10, and a pull stream may refer to a push stream, provided by another communication end, that the communication end has subscribed to. For example, if communication end A subscribes to communication end B and communication end C in the target session, communication end A can provide the media stream it captures to the forwarding device 10 as a push stream, and the forwarding device 10 can treat the media streams provided by communication end B and communication end C as the pull streams subscribed to by communication end A and provide them to communication end A. Based on this, in this embodiment the forwarding device 10 may first restore the sessions that contain push streams and then restore the sessions that contain pull streams, so that a session containing a pull stream can find the push stream it needs. Referring to FIG. 2, the forwarding device 10 may first parse the session state information that contains push streams and restore those sessions, and then parse the session state information that contains pull streams and restore those sessions. For each session containing a pull stream, the forwarding device 10 may also determine whether a session containing the corresponding push stream exists on the local machine. If so, it can restore the subscription relationship between the push stream and the pull stream; if not, it can establish a cascade with another forwarding device 10 and pull the corresponding push stream from that forwarding device 10.

In this embodiment, the forwarding device 10 can, according to the session state information corresponding to each of the at least one session read from the storage unit 30, restore the instance corresponding to the at least one session and set the corresponding attributes and configuration parameters. Matching the session state information described above, the recovery operations that the forwarding device 10 performs on a single session include, but are not limited to: signaling state recovery, connection state recovery, encryption/decryption state recovery, media description state recovery, subscription state recovery, and cascade recovery.

The session recovery process is described below, taking encryption/decryption state recovery and cascade recovery as examples.

During encryption/decryption state recovery, the forwarding device 10 can determine, from the encryption/decryption state record, the identifier of the encryption/decryption task corresponding to each of the at least one session and the task address identifier used in the encryption/decryption unit 20, and then restore the encryption/decryption task corresponding to each session according to these identifiers. If the encryption/decryption unit 20 contains multiple encryption/decryption devices 22, the task address identifier used in the encryption/decryption unit 20 may be the task address identifier of the encryption/decryption device 22 in use. Several encryption/decryption tasks run on an encryption/decryption device 22, each occupying a different task address; the task address identifier may be a port identifier or the like. In this way, the forwarding device 10 can parse the encryption/decryption task identifier corresponding to each of the at least one session out of the encryption/decryption state record and thereby find the port identifier of the encryption/decryption device 22 that executes the task. Based on this, the forwarding device 10 can re-establish the port mapping between itself and the encryption/decryption device 22 for each encryption/decryption task, thereby restoring each encryption/decryption task, that is, restoring the encryption/decryption service.

During cascade recovery, the forwarding device 10 can treat a restored session containing a pull stream as a newly created session and perform the cascade operation according to the standard cascade procedure, thereby restoring the cascade between forwarding devices 10. Cascade recovery effectively addresses the capacity and coverage requirements of the forwarding device 10 and lets the forwarding device 10 pull, from other forwarding devices 10, the session containing the corresponding push stream for a restored session containing a pull stream.

In addition, as mentioned above, the forwarding device 10 can record the time of its most recent startup in the storage unit 30. Based on this, referring to FIG. 2, after connecting to the storage unit 30 the forwarding device 10 can read the time of the most recent startup and determine whether the interval between the most recent restart and the current time exceeds a preset threshold, for example the 30 s in FIG. 2. If it does, the subsequent automatic recovery operations can be performed; if it does not, the forwarding device 10 can be determined to be in a restart loop. If the forwarding device 10 is determined to be in a restart loop, it can clear the session state information stored in the storage unit 30 and perform no session recovery, so that the normal forwarding service of the forwarding device 10 is not affected. Alternatively, recovery can be suspended in this case and, after the cause of the restart loop has been investigated, the forwarding device 10 can reconnect to the storage unit 30 and perform session recovery without clearing the session state information in the storage unit 30; this embodiment does not limit this.

After the recovery process above has been carried out, the forwarding device 10 can enter its normal forwarding state. Throughout the recovery process, the sessions that were running before the restart are fully restored and their attributes and configuration parameters remain essentially unchanged, so the user does not perceive the recovery process and sessions no longer break and have to be re-initiated. In this way, this embodiment implements automatic recovery after the forwarding device 10 restarts. This not only enables restart recovery after the forwarding device 10 crashes but also provides the precondition for functions such as hot upgrade, hot migration and real-time scaling of the forwarding device 10, ensuring rock-solid forwarding performance of the forwarding device 10.
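The recovery flow described above, sketched as an added example (not code from the patent): the restart-loop check against the 30 s threshold, push sessions restored before pull sessions, the encryption/decryption port mapping re-established per task, and each pull session either re-subscribed locally or marked for cascade. The record schema, field names and step labels are assumptions made for illustration, and the sample records are constructed.

```python
"""Plan session recovery after a forwarding-device restart (illustrative)."""

RESTART_LOOP_THRESHOLD_S = 30  # the example threshold shown in FIG. 2

# Constructed sample of session state records as they might be read from the
# storage unit. The schema and every field name here are assumptions.
SAMPLE_RECORDS = [
    {"session": "s-B", "kind": "pull", "subscribes_to": "A",
     "crypto": {"task": "t-2", "device": "dev-1", "port": 40002}},
    {"session": "s-A", "kind": "push", "publisher": "A",
     "crypto": {"task": "t-1", "device": "dev-1", "port": 40001}},
    {"session": "s-C", "kind": "pull", "subscribes_to": "D",
     "crypto": {"task": "t-3", "device": "dev-2", "port": 40001}},
]


def check_task_addresses(records):
    """Each encryption/decryption task occupies its own task address, so two
    records claiming the same (device, port) mean the stored state is stale
    or corrupt and must not be replayed into a port mapping."""
    seen = {}
    for rec in records:
        addr = (rec["crypto"]["device"], rec["crypto"]["port"])
        if addr in seen:
            raise ValueError(
                f"{rec['session']} and {seen[addr]} both claim {addr}")
        seen[addr] = rec["session"]


def plan_recovery(records, last_start, now,
                  threshold=RESTART_LOOP_THRESHOLD_S):
    """Return (action, steps); action is "restart-loop" or "recover".

    Timestamps are in seconds. On "restart-loop" the caller decides whether
    to clear the stored state or to pause recovery; the text allows both.
    """
    # Recovery runs only when the interval since the last start EXCEEDS
    # the threshold; otherwise the device is treated as restart-looping.
    if now - last_start <= threshold:
        return "restart-loop", []

    check_task_addresses(records)
    steps, local_push = [], {}
    # Stable sort: every push session is restored before any pull session,
    # so a pull session can find the push stream it subscribes to.
    for rec in sorted(records, key=lambda r: r["kind"] != "push"):
        sid, crypto = rec["session"], rec["crypto"]
        steps.append(("restore-session", sid))
        # Re-establish the port mapping to the encryption/decryption device.
        steps.append(("map-crypto-task", sid,
                      crypto["task"], crypto["device"], crypto["port"]))
        if rec["kind"] == "push":
            local_push[rec["publisher"]] = sid
        elif rec["subscribes_to"] in local_push:
            # The push stream is on this machine: restore the subscription.
            steps.append(("resubscribe", sid,
                          local_push[rec["subscribes_to"]]))
        else:
            # No local push stream: cascade to another forwarding device.
            steps.append(("cascade", sid, rec["subscribes_to"]))
    return "recover", steps


if __name__ == "__main__":
    action, steps = plan_recovery(SAMPLE_RECORDS, last_start=1000, now=1100)
    print(action)
    for step in steps:
        print("  ", step)
```
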

In the above or following embodiments, the encryption/decryption unit 20 can provide encryption/decryption services for the target session. Note that the encryption/decryption unit 20 can provide these services both while the forwarding device 10 is running normally and when the forwarding device 10 restarts; this embodiment therefore does not need to distinguish in which of these cases the encryption/decryption unit 20 provides the service.

In this embodiment, the encryption/decryption unit 20 can provide encryption/decryption services per media stream. Correspondingly, the forwarding device 10 can initiate an encryption/decryption service request to the encryption/decryption unit 20 in response to a forwarding request, initiated by a communication end of the target session, for a target media stream in the target session; the encryption/decryption unit 20 can encrypt/decrypt the target media stream to support the forwarding device 10 in forwarding the target media stream.

FIG. 3 is a schematic structural diagram of another communication system provided by an exemplary embodiment of the present application. Referring to FIG. 3, the encryption/decryption unit 20 may contain a control device 21 and at least one encryption/decryption device 22. In terms of physical implementation, both the control device 21 and the encryption/decryption device 22 may be server devices such as conventional servers, cloud servers, cloud hosts or virtual centers; terminal devices such as computers may of course also be used, and this embodiment does not limit this.

Based on this, the forwarding device 10 can send the forwarding request for the target media stream to the control device 21 in the encryption/decryption unit 20. The control device 21 can, in response to the encryption/decryption service request for the target media stream, determine from the at least one encryption/decryption device 22 a target encryption/decryption device 22 to provide the encryption/decryption service, and provide the description information of the target encryption/decryption device 22 to the forwarding device 10. The target encryption/decryption device 22 can be used to encrypt/decrypt the target media stream.

In this embodiment, the control device 21 can schedule the at least one encryption/decryption device 22. The control device 21 can use the storage unit 30 to manage the device state information of the at least one encryption/decryption device 22; correspondingly, each encryption/decryption device 22 can record its own device state information in the storage unit 30. Based on this, when the control device 21 receives the forwarding request for the target media stream, it can read the device state information of the at least one encryption/decryption device 22 from the storage unit 30 and, according to that information, select from the at least one encryption/decryption device 22 one that satisfies a preset condition as the target encryption/decryption device 22.

The device state information may include, but is not limited to, load information or deployment location information. The preset condition may be that the device is idle and/or is closest to the forwarding device 10, and so on. For example, when scheduling encryption/decryption devices 22, the control device 21 can try to ensure that an encryption/decryption device 22 in the same machine room serves the forwarding device 10. This effectively increases the speed of the encryption/decryption service and reduces packet loss in the exchange between the forwarding device 10 and the encryption/decryption device 22.

In this embodiment, the forwarding request may contain media description information, which describes the attributes of the media stream and the session. For example, the media description information may describe the encoding format used by the media stream, the transport protocol used for session forwarding, and so on, so that the communication end and the forwarding device 10 each learn the other's interaction capabilities; this embodiment is not limited to this. For example, in an RTC scenario the media description information can use SDP. In this embodiment, the forwarding device 10 can obtain the identity authentication information of the target encryption/decryption device 22, add the identity authentication information to the media description information to obtain response information, and return the response information to the communication end corresponding to the target session so that the communication end can authenticate the target encryption/decryption device 22. Consistent with the earlier description, the forwarding device 10 can record the media description information with the added identity authentication information in the storage unit 30 as one kind of session state information. The identity authentication information may be a digest of an identity certificate, for example a digest of a certificate issued by a CA. This authentication process can be integrated into the signaling exchange between the forwarding device 10 and the communication end corresponding to the target session, with the media description information being one of the items exchanged in signaling. After authentication succeeds, the communication end corresponding to the target session can be triggered to carry out the subsequent handshake negotiation, media stream transmission and other operations.
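An added example (not from the patent) of the certificate-digest check described above: the forwarding device writes the digest of the target encryption/decryption device's certificate into the answer SDP, and the communication end later compares it with the certificate actually presented in the handshake. Carrying the digest in the standard SDP `a=fingerprint` attribute (RFC 8122) is an assumption, since the text only says the digest is added to the SDP; the function names, the SDP and the certificate bytes are constructed for illustration.

```python
"""Certificate digest in the answer SDP, and the check on the client side."""
import hashlib
import hmac

HASHES = {"sha-256": hashlib.sha256, "sha-384": hashlib.sha384,
          "sha-512": hashlib.sha512}

# Constructed stand-ins for DER-encoded certificates (not real certificates).
# The fingerprint is a hash over the DER bytes, so any byte string serves.
DEVICE_CERT_DER = b"constructed-DER-of-target-encryption-device-certificate"
OTHER_CERT_DER = b"constructed-DER-of-some-other-certificate"

# Constructed minimal SDP as a forwarding device might prepare it.
SAMPLE_SDP = "\r\n".join([
    "v=0",
    "o=- 0 0 IN IP4 127.0.0.1",
    "s=-",
    "t=0 0",
    "m=audio 9 UDP/TLS/RTP/SAVPF 111",
    "a=setup:passive",
]) + "\r\n"


def cert_fingerprint(cert_der, alg="sha-256"):
    """Colon-separated upper-case hex digest of the DER certificate."""
    digest = HASHES[alg](cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def add_fingerprint(sdp, device_cert_der, alg="sha-256"):
    """Forwarding-device side: put the encryption device's certificate digest
    into the SDP at session level, replacing any fingerprint already there."""
    lines = [ln for ln in sdp.splitlines()
             if not ln.startswith("a=fingerprint:")]
    attr = f"a=fingerprint:{alg} {cert_fingerprint(device_cert_der, alg)}"
    first_media = next(
        (i for i, ln in enumerate(lines) if ln.startswith("m=")), len(lines))
    lines.insert(first_media, attr)
    return "\r\n".join(lines) + "\r\n"


def verify_peer_cert(answer_sdp, presented_cert_der):
    """Communication-end side: accept the handshake peer only if the
    certificate it presents matches a fingerprint from the signaled SDP.

    Simplification: any matching fingerprint with a supported hash is
    accepted. A missing or unparsable fingerprint is a failure, never a pass.
    """
    for line in answer_sdp.splitlines():
        if not line.startswith("a=fingerprint:"):
            continue
        parts = line[len("a=fingerprint:"):].split()
        if len(parts) != 2 or parts[0].lower() not in HASHES:
            continue
        expected = parts[1].upper()
        actual = cert_fingerprint(presented_cert_der, parts[0].lower())
        if hmac.compare_digest(actual, expected):
            return True
    return False


if __name__ == "__main__":
    answer = add_fingerprint(SAMPLE_SDP, DEVICE_CERT_DER)
    print(answer)
    print("device cert accepted:", verify_peer_cert(answer, DEVICE_CERT_DER))
    print("other cert accepted: ", verify_peer_cert(answer, OTHER_CERT_DER))
```

Because the forwarding device also stores this SDP as session state, a certificate change on the encryption/decryption device across a restart would make the stored digest stale and the check above fail.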

Once the target encryption/decryption device 22 has been determined, the communication end corresponding to the target session can also shake hands with the forwarding device 10 and initiate a communication handshake message, and the forwarding device 10 can forward the communication handshake message initiated by that communication end to the target encryption/decryption device 22. The target encryption/decryption device 22 can receive the communication handshake message, initiated by the communication end of the target session, that the forwarding device 10 forwards; negotiate with the communication end corresponding to the target session according to the communication handshake message to obtain a communication key; and encrypt/decrypt the target media stream based on the communication key. That is, the forwarding device 10 acts as an intermediary that enables the communication end corresponding to the target session and the target encryption/decryption device 22 to carry out handshake negotiation for the target media stream, so as to obtain the communication key used to encrypt/decrypt the target media stream.

In this embodiment, the forwarding request for the target media stream may be a push-stream request or a pull-stream request. The encryption/decryption processes triggered by a push-stream request and by a pull-stream request differ slightly, as follows:

If the forwarding request for the target media stream in the target session is a push-stream request, the forwarding device 10 can receive the encrypted target media stream sent by the communication end corresponding to the target session and provide the encrypted target media stream to the target encryption/decryption device 22. The target encryption/decryption device 22 can then decrypt the encrypted target media stream with the communication key corresponding to the target media stream to obtain the target media stream, and send the target media stream back to the forwarding device 10 over a secure transmission path.

If the forwarding request for the target media stream in the target session is a pull-stream request, the forwarding device 10 can send the target media stream to the target encryption/decryption device 22 over a secure transmission path. The target encryption/decryption device 22 can then encrypt the target media stream with the communication key corresponding to the target media stream to obtain the encrypted target media stream, and send the encrypted target media stream to the forwarding device 10 so that the forwarding device 10 can forward it to the communication end of the target session.

In practice, a secure transmission path, such as an intranet path, can be established between the forwarding device 10 and the target encryption/decryption device 22. The forwarding device 10 and the target encryption/decryption device 22 can then transmit data in a private message format, so as to ensure the security of the transmitted data.

FIG. 4 is a logical schematic diagram of an encryption/decryption scheme provided by an exemplary embodiment of the present application. Referring to FIG. 4, it shows the encryption scheme used while communication end A pushes a stream and the decryption scheme used while communication end B pulls a stream.

While communication end A pushes a stream:

1. Communication end A sends a push-stream request carrying SDP to the SFU.

2. The SFU requests an idle encryption/decryption device from the control device and obtains the digest of the target encryption/decryption device's certificate.

3. The SFU fills the certificate digest into the answer SDP and returns it to communication end A.

4. The SFU applies to the target encryption/decryption device for encryption/decryption service.

5. After receiving the answer SDP, communication end A performs a handshake with the SFU. The SFU sends the handshake messages to the target encryption/decryption device in a private message format, and the target encryption/decryption device is the party that actually performs the handshake negotiation with communication end A.

6. After the handshake completes, communication end A and the target encryption/decryption device have both generated the corresponding communication key.

7. Communication end A sends the encrypted media stream to the SFU. The SFU encapsulates the encrypted media stream as a stream in the private format and sends it to the target encryption/decryption device, which decrypts it and sends it back to the SFU in the private format.

While communication end B pulls a stream:

1. Communication end B sends a pull-stream request carrying SDP to the SFU; the pull-stream request carries the identifier of communication end A, to which communication end B subscribes.

2. The SFU requests an idle encryption/decryption device from the control device and obtains the digest of the target encryption/decryption device's certificate.

3. The SFU fills the certificate digest into the answer SDP and returns it to communication end A.

4. The SFU applies to the target encryption/decryption device for encryption/decryption service.

5. After receiving the answer SDP, communication end A performs a handshake with the SFU. The SFU sends the handshake messages to the target encryption/decryption device in a private message format, and the target encryption/decryption device is the party that actually performs the handshake negotiation with communication end A.

6. After the handshake completes, communication end A and the target encryption/decryption device have both generated the corresponding communication key.

7. The SFU sends the locally stored media stream of communication end A, which was decrypted by the target encryption/decryption device, to the target encryption/decryption device in private encapsulation. The target encryption/decryption device encrypts it, encapsulates it in the private format again and sends it back to the SFU, and the SFU sends the encrypted stream to communication end B. This completes communication end B's pull of communication end A's media stream.

Note that the encryption/decryption scheme shown in FIG. 4 is only an example. The order of its steps is not limited to the one shown, steps can be added or removed as needed, and the encryption/decryption scheme provided by this embodiment is not limited to what FIG. 4 shows.

In the above or following embodiments, the communication system may contain multiple forwarding devices and may also include a management device. The management device manages the multiple forwarding devices and is communicatively connected to them. The forwarding devices may be deployed at the same location or at different locations.

Based on this, in this embodiment, if the address of the communication end of the target session changes, load balancing is performed over the at least one forwarding device to determine a target forwarding device. The target forwarding device reads the session state information of the target session from the storage unit in order to migrate the target session onto the target forwarding device.

For example, if the communication end of the target session switches from a mobile network to a wireless network, its communication address changes. In this case, whichever forwarding device the management device assigns the target session to, that forwarding device can read the session state information corresponding to the target session from the storage unit and restore the target session, which achieves hot migration of the target session. This greatly increases the flexibility of the forwarding devices in the communication system, and because the user does not perceive the hot migration, the user experience is preserved.

FIG. 5 is a schematic flowchart of a communication method provided by another exemplary embodiment of the present application. The method can be executed by a forwarding apparatus, which can be implemented as a combination of software and/or hardware and can be integrated in a forwarding device. Referring to FIG. 5, the method includes:

Step 500: While encrypting and forwarding the target session, record the session state information of the target session in a storage unit of the communication system, as the basis for restoring the target session after the forwarding device restarts;

Step 510: Initiate an encryption/decryption service request for the target session to the encryption/decryption unit, so that the encryption/decryption unit encrypts/decrypts the target session according to the request, to support the forwarding device in encrypting and forwarding the target session.

In an optional embodiment, the target session contains at least one media stream, and the step of initiating an encryption/decryption service request for the target session to the encryption/decryption unit includes:

In response to a forwarding request, initiated by a communication end of the target session, for a target media stream in the target session, initiating an encryption/decryption service request to the encryption/decryption unit.

In an optional embodiment, the method further includes:

If the forwarding request for the target media stream in the target session is a push-stream request, receiving the encrypted target media stream sent by the communication end corresponding to the target session;

Providing the encrypted target media stream to the encryption/decryption unit, so that the encryption/decryption unit decrypts the encrypted target media stream;

Receiving the target media stream obtained by the encryption/decryption unit through decryption.

In an optional embodiment, the method further includes:

If the forwarding request for the target media stream in the target session is a pull-stream request, sending the target media stream to the encryption/decryption unit over a secure transmission path, so that the encryption/decryption unit encrypts the target media stream;

Receiving the encrypted target media stream sent by the encryption/decryption unit;

Forwarding the encrypted target media stream to the communication end of the target session.

In an optional embodiment, the forwarding request for the target media stream in the target session contains media description information, and the method further includes:

Obtaining the identity authentication information of the target encryption/decryption unit;

Adding the identity authentication information to the media description information to obtain response information;

Returning the response information to the communication end corresponding to the target session, so that the communication end can authenticate the target encryption/decryption unit.

In an optional embodiment, the method further includes:

Receiving a communication handshake message with the encryption/decryption unit, initiated by the communication end of the target session;

Forwarding the communication handshake message to the encryption/decryption unit, so that the encryption/decryption unit, according to the communication handshake message, negotiates a communication key with the communication end of the target session through the handshake and encrypts/decrypts the target media stream according to the communication key.

In an optional embodiment, the session state information includes one or more of a signaling state record, a connection state record, an encryption/decryption state record, a media description information record, and a subscription information record.

In an optional embodiment, the method further includes:

After restarting, reading the session state information corresponding to each of at least one session from the storage unit;

Restoring the at least one session according to the session state information corresponding to each of the at least one session.

In an optional embodiment, the session state information contains an encryption/decryption state record, and the method further includes:

Determining, according to the encryption/decryption state record, the identifier of the encryption/decryption task corresponding to each of the at least one session and the task address identifier used in the encryption/decryption unit;

Restoring the encryption/decryption task corresponding to each of the at least one session according to the identifier of that task and the task address identifier used in the encryption/decryption unit.

Note that, for the technical details of the above embodiments of the communication method, reference may be made to the description of the forwarding device in the foregoing system embodiments. To save space they are not repeated here, but this should not result in any loss of the scope of protection of the present application.

FIG. 6 is a schematic flowchart of another communication method provided by another exemplary embodiment of the present application. The method can be executed by an encryption/decryption apparatus, which can be implemented as a combination of software and/or hardware and can be integrated in an encryption/decryption device. Referring to FIG. 6, the method includes:

Step 600: Receive a communication handshake message for a target media stream, initiated by a communication end of a target session and forwarded by a forwarding device in the communication system;

Step 601: According to the communication handshake message, negotiate with the communication end corresponding to the target session to obtain a communication key;

Step 602: Encrypt/decrypt the target media stream based on the communication key;

Step 603: Return the encrypted/decrypted media stream to the forwarding device, so that the forwarding device can encrypt and forward the target session.

In an optional embodiment, the method further includes:

Recording its own device state information in the storage unit of the communication system, so that the control device in the communication system, upon receiving an encryption/decryption request initiated by the forwarding device, can determine, from the at least one encryption/decryption device managed by the control device, the target encryption/decryption device for responding to the encryption/decryption request;

If it is itself determined to be the target encryption/decryption device, performing the operation of receiving the communication handshake message for the target media stream, initiated by the communication end of the target session and forwarded by the forwarding device in the communication system, and the subsequent operations.

It is worth noting that, for the technical details of the above embodiments of the communication method, reference may be made to the description of the encryption/decryption device in the foregoing system embodiments. To save space, they are not repeated here, but this should not cause any loss of the protection scope of the present application.

It should be noted that the steps of the method provided in the above embodiments may all be executed by the same device, or the method may be executed by different devices. For example, steps 601 to 603 may be executed by device A; as another example, steps 601 and 602 may be executed by device A and step 603 by device B; and so on.

In addition, some of the flows described in the above embodiments and the accompanying drawings include multiple operations that appear in a specific order, but it should be clearly understood that these operations may be performed out of the order in which they appear here, or in parallel. The sequence numbers of the operations, such as 601 and 602, are only used to distinguish the operations from one another and do not themselves represent any execution order. These flows may also include more or fewer operations, and these operations may be performed sequentially or in parallel.

FIG. 7 is a schematic structural diagram of a forwarding device provided by yet another exemplary embodiment of the present application. As shown in FIG. 7, the forwarding device includes a memory 70, a processor 71 and a communication component 72.

The processor 71 is coupled to the memory 70 and the communication component 72 and executes the computer program in the memory 70, so as to:

In the process of encrypting and forwarding a target session, record the session state information of the target session in the storage unit of the communication system through the communication component 72, as the basis for restoring the target session after the forwarding device restarts;

Initiate, through the communication component 72, an encryption/decryption service request to the encryption/decryption unit for the target session, so that the encryption/decryption unit performs encryption/decryption processing on the target session according to the encryption/decryption service request, thereby supporting the forwarding device in encrypting and forwarding the target session.

In an optional embodiment, the target session includes at least one media stream, and when initiating the encryption/decryption service request to the encryption/decryption unit for the target session, the processor 71 is configured to:

In response to a forwarding request for a target media stream in the target session, initiated by the communication end of the target session, initiate the encryption/decryption service request to the encryption/decryption unit.

In an optional embodiment, the processor 71 is further configured to:

If the forwarding request for the target media stream in the target session is a stream pushing request, receive the encrypted target media stream sent by the communication end corresponding to the target session;

Provide the encrypted target media stream to the encryption/decryption unit, so that the encryption/decryption unit decrypts the encrypted target media stream;

Receive the target media stream obtained through decryption by the encryption/decryption unit.

In an optional embodiment, the processor 71 is further configured to:

If the forwarding request for the target media stream in the target session is a stream pulling request, send the target media stream to the encryption/decryption unit through a secure transmission path, so that the encryption/decryption unit encrypts the target media stream;

Receive the encrypted target media stream sent by the encryption/decryption unit;

Forward the encrypted target media stream to the communication end of the target session.

In an optional embodiment, the forwarding request for the target media stream in the target session includes media description information, and the processor 71 is further configured to:

Obtain the identity authentication information of the target encryption/decryption unit;

Add the identity authentication information to the media description information to obtain response information;

Return the response information to the communication end corresponding to the target session, so that the communication end can authenticate the identity of the target encryption/decryption unit.

In an optional embodiment, the processor 71 is further configured to:

Receive a communication handshake message with the encryption/decryption unit, initiated by the communication end of the target session;

Forward the communication handshake message to the encryption/decryption unit, so that the encryption/decryption unit negotiates a communication key with the communication end of the target session through a handshake according to the communication handshake message, and encrypts/decrypts the target media stream according to the communication key.

In an optional embodiment, the session state information includes one or more of a signaling state record, a connection state record, an encryption/decryption state record, a media description information record, and a subscription information record.

In an optional embodiment, the processor 71 is further configured to:

After restarting, read from the storage unit the session state information corresponding to each of at least one session;

Restore the at least one session according to the session state information corresponding to each of the at least one session.

In an optional embodiment, the session state information includes an encryption/decryption state record, and the processor 71 is further configured to:

According to the encryption/decryption state record, determine, for each of the at least one session, the identifier of the corresponding encryption/decryption task and the identifier of the task address it uses in the encryption/decryption unit;

Restore the encryption/decryption task corresponding to each of the at least one session according to the identifier of that task and the identifier of the task address it uses in the encryption/decryption unit.
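The restart recovery described above can be sketched as follows. This is an added Python example, not code from the patent: the class names, the JSON record layout and the in-memory stand-ins for the storage unit and the encryption/decryption unit are assumptions, as is the choice to store only task identifiers and never key material in the session record.

```python
import json
from dataclasses import dataclass, asdict


@dataclass
class CryptoStateRecord:
    task_id: str           # identifier of the encryption/decryption task
    task_address_id: str   # identifier of the task address inside the unit


@dataclass
class SessionState:        # field names are assumptions for this example
    session_id: str
    signaling_state: str
    connection_state: str
    media_description: str
    subscriptions: list
    crypto: CryptoStateRecord


class StorageUnit:
    """Hypothetical external store; it outlives a forwarding-device restart."""

    def __init__(self):
        self._records = {}

    def put(self, session_id, blob):
        self._records[session_id] = blob

    def items(self):
        return sorted(self._records.items())


class CryptoUnit:
    """Hypothetical encryption/decryption unit; keys and tasks stay inside it."""

    def __init__(self):
        self._tasks = {}  # task_address_id -> task_id

    def start_task(self, task_id, task_address_id):
        self._tasks[task_address_id] = task_id

    def drop_task(self, task_address_id):
        self._tasks.pop(task_address_id, None)

    def reattach(self, task_id, task_address_id):
        # Both identifiers must match a live task, otherwise recovery is refused.
        return self._tasks.get(task_address_id) == task_id


class ForwardingDevice:
    def __init__(self, storage, crypto_unit):
        self.storage = storage
        self.crypto_unit = crypto_unit
        self.sessions = {}  # in-memory view, lost on restart

    def record(self, state):
        """Write the session state to the storage unit while forwarding."""
        self.sessions[state.session_id] = state
        self.storage.put(state.session_id, json.dumps(asdict(state)))

    def restore_after_restart(self):
        """Rebuild sessions from storage; return (restored, failed) id lists."""
        restored, failed = [], []
        for key, blob in self.storage.items():
            try:
                raw = json.loads(blob)
                crypto = CryptoStateRecord(**raw.pop("crypto"))
                state = SessionState(crypto=crypto, **raw)
            except (ValueError, KeyError, TypeError, AttributeError):
                failed.append(key)  # corrupt or incomplete record
                continue
            if state.session_id != key or not self.crypto_unit.reattach(
                crypto.task_id, crypto.task_address_id
            ):
                failed.append(key)  # record does not map to a live task
                continue
            self.sessions[key] = state
            restored.append(key)
        return restored, failed


def demo():
    """Constructed scenario: two sessions, one bad record, then a restart."""
    storage, unit = StorageUnit(), CryptoUnit()
    before = ForwardingDevice(storage, unit)
    for n in ("1", "2"):
        unit.start_task(f"task-{n}", f"addr-{n}")
        before.record(SessionState(f"s{n}", "stable", "connected",
                                   "m=video (constructed)", [f"sub-{n}"],
                                   CryptoStateRecord(f"task-{n}", f"addr-{n}")))
    unit.drop_task("addr-2")                  # task lost while the device was down
    storage.put("s3", '{"session_id": "s3"')  # truncated record
    after = ForwardingDevice(storage, unit)   # fresh process, empty memory
    restored, failed = after.restore_after_restart()
    return restored, failed, after.sessions


if __name__ == "__main__":
    print(demo()[:2])
```

A session is restored only when its record parses and both identifiers still resolve to a live task in the unit; anything else is reported as failed so that the session can be renegotiated instead of being forwarded without a working encryption/decryption task.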

Further, as shown in FIG. 7, the computing device also includes other components such as a power supply component 73. FIG. 7 shows only some components schematically, which does not mean that the forwarding device includes only the components shown in FIG. 7.

It is worth noting that, for the technical details of the above embodiments of the forwarding device, reference may be made to the relevant descriptions in the foregoing system embodiments. To save space, they are not repeated here, but this should not cause any loss of the protection scope of the present application.

Correspondingly, an embodiment of the present application further provides a computer-readable storage medium storing a computer program which, when executed, can implement the steps that can be executed by the forwarding device in the foregoing method embodiments.

FIG. 8 is a schematic structural diagram of an encryption/decryption device provided by yet another exemplary embodiment of the present application. As shown in FIG. 8, the encryption/decryption device includes a memory 80, a processor 81 and a communication component 82.

The processor 81 is coupled to the memory 80 and the communication component 82 and executes the computer program in the memory 80, so as to:

Receive, through the communication component 82, a communication handshake message for a target media stream, initiated by the communication end of a target session and forwarded by the forwarding device in the communication system;

According to the communication handshake message, carry out communication negotiation with the communication end corresponding to the target session to obtain a communication key;

Perform encryption/decryption processing on the target media stream based on the communication key;

Return the encrypted/decrypted media stream to the forwarding device through the communication component 82, so that the forwarding device can encrypt and forward the target session.

In an optional embodiment, the processor 81 is further configured to:

Record its own device state information in the storage unit of the communication system, so that the control device in the communication system, upon receiving an encryption/decryption request initiated by the forwarding device, can determine, from the at least one encryption/decryption device managed by the control device, the target encryption/decryption device for responding to the encryption/decryption request;

If it is itself determined to be the target encryption/decryption device, perform the operation of receiving the communication handshake message for the target media stream, initiated by the communication end of the target session and forwarded by the forwarding device in the communication system, and the subsequent operations.

Further, as shown in FIG. 8, the encryption/decryption device also includes other components such as a power supply component 83. FIG. 8 shows only some components schematically, which does not mean that the encryption/decryption device includes only the components shown in FIG. 8.

It is worth noting that, for the technical details of the above embodiments of the encryption/decryption device, reference may be made to the relevant descriptions in the foregoing system embodiments. To save space, they are not repeated here, but this should not cause any loss of the protection scope of the present application.

Correspondingly, an embodiment of the present application further provides a computer-readable storage medium storing a computer program which, when executed, can implement the steps that can be executed by the encryption/decryption device in the foregoing method embodiments.

The memories in FIGS. 7 and 8 above are used to store computer programs and may be configured to store various other data to support operations on the computing platform. Examples of such data include instructions for any application or method operating on the computing platform, contact data, phonebook data, messages, pictures, videos, and so on. The memory may be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic disk or optical disk.

The communication components in FIGS. 7 and 8 above are configured to facilitate wired or wireless communication between the device in which the communication component is located and other devices. The device in which the communication component is located can access a wireless network based on a communication standard, such as WiFi, a mobile communication network such as 2G, 3G, 4G/LTE or 5G, or a combination thereof. In an exemplary embodiment, the communication component receives a broadcast signal or broadcast-related information from an external broadcast management system via a broadcast channel. In an exemplary embodiment, the communication component further includes a near field communication (NFC) module to facilitate short-range communication. For example, the NFC module may be implemented based on radio frequency identification (RFID) technology, Infrared Data Association (IrDA) technology, ultra-wideband (UWB) technology, Bluetooth (BT) technology and other technologies.

The power supply components in FIGS. 7 and 8 above provide power for the various components of the device in which the power supply component is located. A power supply component may include a power management system, one or more power supplies, and other components associated with generating, managing and distributing power for the device in which the power supply component is located.

Those skilled in the art will appreciate that the embodiments of the present application may be provided as a method, a system, or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM and optical storage) containing computer-usable program code.

The present application is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to work in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, and the instruction means implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps are performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces and memory.

The memory may include non-permanent memory in computer-readable media, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.

Computer-readable media include permanent and non-permanent, removable and non-removable media, which may store information by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape or disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.

It should also be noted that the terms "include", "comprise" and any other variants thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not preclude the presence of additional identical elements in the process, method, article or device that includes the element.

The above descriptions are merely embodiments of the present application and are not intended to limit the present application. Various modifications and variations of the present application are possible for those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included within the scope of the claims of the present application.

Claims (26)

1. A communication system comprising a forwarding device, an encryption/decryption unit, and a storage unit, the forwarding device being communicatively coupled to the encryption/decryption unit and the storage unit;
the forwarding device is configured to record session state information of a target session in the storage unit in a process of performing encryption forwarding on the target session, where the session state information is used as a basis for recovering the target session after the forwarding device is restarted; initiating an encryption/decryption service request to the encryption/decryption unit for the target session;
the encryption/decryption unit is used for carrying out encryption/decryption processing on the target session according to the encryption/decryption service request so as to support the forwarding device in carrying out encryption forwarding on the target session;
the storage unit is used for storing the session state information of the target session.
2. The system of claim 1, wherein the target session comprises at least one media stream, and wherein the forwarding device, when initiating an encryption/decryption service request to the encryption/decryption unit for the target session, is configured to:
and in response to a forwarding request initiated by a communication terminal of the target session and aiming at a target media stream in the target session, initiating an encryption/decryption service request to the encryption/decryption unit.
3. The system of claim 2, wherein the encryption/decryption unit comprises a control device and at least one encryption/decryption device;
the control device is used for responding to the encryption/decryption service request aiming at the target media stream, determining a target encryption/decryption device for providing the encryption/decryption service from the at least one encryption/decryption device, and providing the description information of the target encryption/decryption device to the forwarding device;
and the target encryption/decryption device is used for carrying out encryption/decryption processing on the target media stream.
4. The system of claim 3, wherein the forwarding device is further configured to:
if the forwarding request for the target media stream in the target session is a stream pushing request, receiving an encrypted target media stream sent by a communication terminal corresponding to the target session;
providing the encrypted target media stream to the target encryption/decryption device;
when the target encryption/decryption device performs encryption/decryption processing on the target media stream, the target encryption/decryption device is configured to:
decrypting the encrypted target media stream to obtain the target media stream;
and sending the target media stream back to the forwarding device through a secure transmission path.
5. The system of claim 3, wherein the forwarding device is further configured to:
if the forwarding request for the target media stream in the target session is a stream pulling request, sending the target media stream to the target encryption/decryption device through a secure transmission path;
when the target encryption/decryption device performs encryption/decryption processing on the target media stream, the target encryption/decryption device is configured to:
encrypting the target media stream to obtain an encrypted target media stream;
and sending the encrypted target media stream to the forwarding device so that the forwarding device forwards the encrypted target media stream to a communication terminal of the target session.
6. The system of claim 3, wherein the target encryption/decryption device, when encrypting/decrypting the target media stream, is configured to:
receiving a communication handshake message initiated by a communication terminal of the target session forwarded by the forwarding device;
according to the communication handshake message, carrying out communication negotiation with a communication end corresponding to the target session to obtain a communication secret key;
and performing encryption/decryption processing on the target media stream based on the communication secret key.
7. The system of claim 3, wherein the forwarding request for the target media stream in the target session includes media description information, and the forwarding device is further configured to:
acquiring identity authentication information of the target encryption/decryption device;
adding the identity authentication information to the media description information to obtain response information;
and returning the response information to the communication terminal corresponding to the target session so that the communication terminal can perform identity authentication on the target encryption/decryption device.
8. The system of claim 3, wherein the storage unit is further configured to:
storing device state information of the at least one encryption/decryption device;
the control device, when determining a target encryption/decryption device for providing the encryption/decryption service from among the at least one encryption/decryption device, is configured to:
reading device state information of the at least one encryption/decryption device from the storage unit;
and selecting an encryption/decryption device which meets a preset condition from the at least one encryption/decryption device as the target encryption/decryption device according to the device state information of the at least one encryption/decryption device.
9. The system of claim 8, wherein the device status information comprises one or more of load information or deployment location information, and wherein the predetermined condition comprises being in an idle state and/or being closest in distance to the forwarding device.
10. The system of claim 1, wherein the session state information comprises one or more of a signaling state record, a connection state record, an encryption/decryption state record, a media description information record, and a subscription information record.
11. The system of claim 1, wherein the forwarding device is further configured to:
after the restart, reading session state information corresponding to at least one session from the storage unit;
and recovering the at least one session according to the session state information corresponding to the at least one session.
12. The system of claim 11, wherein the session state information includes an encryption/decryption state record, and wherein the forwarding device is further configured to:
according to the encryption/decryption state record, determining the identification of the encryption/decryption task corresponding to the at least one session and the identification of the task address used in the encryption/decryption unit;
and recovering the encryption/decryption tasks corresponding to the at least one session according to the identification of the encryption/decryption tasks corresponding to the at least one session and the identification of the used task address in the encryption/decryption unit.
13. The system according to claim 1, wherein the forwarding device is plural in number, the system further comprising a management device communicatively connected to the at least one forwarding device, the management device configured to:
if the address of the communication end of the target session changes, load balancing is carried out on the at least one forwarding device so as to determine a target forwarding device;
the target forwarding device is configured to read session state information of the target session from the storage unit, so as to migrate the target session to the target forwarding device.
14. A communication method, adapted to a forwarding device in a communication system, comprising:
in the process of encrypting and forwarding the target session, recording the session state information of the target session in a storage unit in the communication system as a basis for recovering the target session after the forwarding device is restarted;
and initiating an encryption/decryption service request to the encryption/decryption unit for the target session, so that the encryption/decryption unit performs encryption/decryption processing on the target session according to the encryption/decryption service request, and supports the forwarding device in performing encryption forwarding on the target session.
15. The method of claim 14, wherein the target session includes at least one media stream, and wherein initiating an encryption/decryption service request to the encryption/decryption unit for the target session comprises:
and in response to a forwarding request initiated by a communication terminal of the target session and aiming at a target media stream in the target session, initiating an encryption/decryption service request to the encryption/decryption unit.
16. The method of claim 15, further comprising:
if the forwarding request for the target media stream in the target session is a stream pushing request, receiving an encrypted target media stream sent by a communication terminal corresponding to the target session;
providing the encrypted target media stream to the encryption/decryption unit so that the encryption/decryption unit decrypts the encrypted target media stream;
and receiving the target media stream obtained by the decryption of the encryption/decryption unit.
17. The method of claim 15, further comprising:
if the forwarding request for the target media stream in the target session is a stream pulling request, sending the target media stream to the encryption/decryption unit through a secure transmission path, so that the encryption/decryption unit encrypts the target media stream;
receiving the encrypted target media stream sent by the encryption/decryption unit;
and forwarding the encrypted target media stream to a communication end of the target session.
18. The method of claim 15, wherein the forwarding request for the target media stream in the target session includes media description information, and the method further comprises:
acquiring identity authentication information of the target encryption/decryption unit;
adding the identity authentication information to the media description information to obtain response information;
and returning the response information to the communication end corresponding to the target session so that the communication end can carry out identity authentication on the target encryption/decryption unit.
19. The method of claim 15, further comprising:
receiving a communication handshake message initiated by a communication end of the target session and sent by the encryption/decryption unit;
and forwarding the communication handshake message to the encryption/decryption unit, so that the encryption/decryption unit negotiates a communication key with the communication end of the target session through a handshake according to the communication handshake message, and performs encryption/decryption processing on the target media stream according to the communication key.
20. The method of claim 14, wherein the session state information comprises one or more of a signaling state record, a connection state record, an encryption/decryption state record, a media description information record, and a subscription information record.
21. The method of claim 14, further comprising:
after the restart, reading session state information corresponding to at least one session from the storage unit;
and recovering the at least one session according to the session state information corresponding to the at least one session.
22. The method of claim 21, wherein the session state information includes an encryption/decryption state record, the method further comprising:
according to the encryption/decryption state record, determining the identification of the encryption/decryption task corresponding to the at least one session and the identification of the task address used in the encryption/decryption unit;
and recovering the encryption/decryption tasks corresponding to the at least one session according to the identification of the encryption/decryption tasks corresponding to the at least one session and the identification of the used task address in the encryption/decryption unit.
23. A communication method applied to an encryption/decryption device in a communication system, comprising:
receiving a communication handshake message aiming at a target media stream, which is initiated by a communication terminal of a target session and forwarded by forwarding equipment in the communication system;
according to the communication handshake message, carrying out communication negotiation with a communication end corresponding to the target session to obtain a communication secret key;
based on the communication secret key, the target media stream is encrypted/decrypted;
and returning the media stream subjected to encryption/decryption processing to the forwarding equipment so that the forwarding equipment can encrypt and forward the target session.
24. A forwarding device comprising a memory, a processor, and a communication component;
the memory is to store one or more computer instructions;
the processor, coupled with the memory and the communication component, to execute the one or more computer instructions to:
in the process of encrypting and forwarding the target session, recording the session state information of the target session in a storage unit in the communication system through the communication assembly, and taking the session state information as a basis for recovering the target session after the forwarding equipment is restarted;
and initiating an encryption/decryption service request to the encryption/decryption unit aiming at the target session, so that the encryption/decryption unit performs encryption/decryption processing on the target session according to the encryption/decryption service request, and supports the forwarding device to perform encryption forwarding on the target session.
25. An encryption/decryption device comprising a memory, a processor and a communication component;
the memory is to store one or more computer instructions;
the processor, coupled with the memory and the communication component, to execute the one or more computer instructions to:
receiving a communication handshake message aiming at a target media stream, which is initiated by a communication terminal of a target session and forwarded by forwarding equipment in the communication system;
according to the communication handshake message, carrying out communication negotiation with a communication end corresponding to the target session to obtain a communication secret key;
based on the communication secret key, the target media stream is encrypted/decrypted;
and returning the media stream subjected to encryption/decryption processing to the forwarding equipment so that the forwarding equipment can encrypt and forward the target session.
26. A computer-readable storage medium storing computer instructions, which when executed by one or more processors, cause the one or more processors to perform the communication method of any one of claims 14-23.
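The record-and-recover flow of claims 14 and 20-22, sketched as an added example; it is not code from the patent or its applicant. The StorageUnit class, the field names, the sample values, the allow-list of record types and the HMAC integrity tag are assumptions made for illustration; the claims only require that the state is recorded and later read back.

```python
import hashlib, hmac, json

STATE_KEY = b"constructed-demo-key"  # assumption: integrity key shared by forwarding devices
# Record types listed in claim 20; anything else (e.g. key material) is refused.
ALLOWED = {"signaling", "connection", "crypto", "media_description", "subscriptions"}

class StorageUnit:
    """In-memory stand-in for the storage unit of claim 14 (hypothetical)."""
    def __init__(self):
        self.rows = {}  # session id -> (serialized state, integrity tag)

def _tag(session_id, blob):
    # Bind the tag to the session id so a record cannot be moved between sessions.
    return hmac.new(STATE_KEY, session_id.encode() + b"\0" + blob, hashlib.sha256).hexdigest()

def record_session(store, session_id, state):
    """Called while the session is being forwarded (claim 14)."""
    unknown = set(state) - ALLOWED
    if unknown:
        raise ValueError(f"refusing to persist fields: {sorted(unknown)}")
    blob = json.dumps(state, sort_keys=True).encode()
    store.rows[session_id] = (blob, _tag(session_id, blob))

def recover_sessions(store):
    """Called after restart (claims 21-22): returns (sessions, crypto tasks, rejected ids)."""
    sessions, tasks, rejected = {}, {}, []
    for sid, (blob, tag) in store.rows.items():
        if not hmac.compare_digest(tag, _tag(sid, blob)):
            rejected.append(sid)  # altered record: do not re-attach its crypto task
            continue
        state = json.loads(blob)
        sessions[sid] = state
        crypto = state.get("crypto")
        if crypto:  # claim 22: task identifier plus task address in the unit
            tasks[sid] = (crypto["task_id"], crypto["task_address"])
    return sessions, tasks, rejected

def demo():
    store = StorageUnit()  # all values below are constructed sample data
    record_session(store, "sess-1", {"signaling": "established", "connection": "203.0.113.5:40000",
        "crypto": {"task_id": "task-17", "task_address": "crypto-a.example:7000"}})
    record_session(store, "sess-2", {"signaling": "established",
        "crypto": {"task_id": "task-18", "task_address": "crypto-b.example:7000"}})
    blob, tag = store.rows["sess-2"]  # simulate a record modified while the device was down
    store.rows["sess-2"] = (blob.replace(b"crypto-b", b"crypto-x"), tag)
    return recover_sessions(store)

if __name__ == "__main__":
    print(demo())
```

Only the task identifier and task address are persisted; the negotiated communication key stays inside the encryption/decryption unit, as in claim 23.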
CN202110064807.1A 2021-01-18 2021-01-18 A communication method, device, system and storage medium Active CN114827093B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110064807.1A CN114827093B (en) 2021-01-18 2021-01-18 A communication method, device, system and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110064807.1A CN114827093B (en) 2021-01-18 2021-01-18 A communication method, device, system and storage medium

Publications (2)

Publication Number Publication Date
CN114827093A true CN114827093A (en) 2022-07-29
CN114827093B CN114827093B (en) 2024-12-06

Family

ID=82524662

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110064807.1A Active CN114827093B (en) 2021-01-18 2021-01-18 A communication method, device, system and storage medium

Country Status (1)

Country Link
CN (1) CN114827093B (en)

Also Published As

Publication number Publication date
CN114827093B (en) 2024-12-06

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant