VOIP call encryption method and terminal

[0050] In order to have a clearer understanding of the technical features, purposes and effects of the present invention, the specific implementation manners of the present invention will now be described with reference to the accompanying drawings.

[0051] see figure 1 , figure 1 The flowchart of an embodiment of the VOIP encrypted call method provided by the present invention, as figure 1 shown, including the following steps:

[0052] Step S10, generating a trusted execution environment (Trusted Execution Environment, TEE).

[0053] In the embodiment of the present invention, the TEE may be generated on a VOIP encrypted call terminal, and the VOIP encrypted call terminal may be a smart phone. The TEE is a functional unit that integrates software and hardware inside the VOIP encrypted call terminal. Compared with the Rich Execution Environment (REE), the TEE can realize unified management and unified allocation of hardware resources, and the Different applications can be isolated from each other. The REE can run commonly used applications.

[0054] Step S20, dynamically generate a key through a trusted application (Trust Application, TA) in the trusted execution environment TEE.

[0055] In the embodiment of the present invention, the TA is an application running on the TEE, and only programs that have passed Certificate Authority (CA) can invoke the TA. The key is dynamically generated by TA in the TEE. Since the TEE environment is relatively safe, the security of the process of dynamically generating the key is relatively high, and the key is dynamically generated, and the keys generated at different times are different. A key is generated for each call, and the ever-changing key can improve the security of using the key to encrypt audio data.

[0056] Step S30, encrypting the audio data based on the key and the encryption algorithm to obtain encrypted audio data.

[0057] In the embodiment of the present invention, the encryption algorithm includes a symmetric encryption algorithm. For example, the symmetric encryption algorithm may be a wireless local area network standard packet data algorithm SM4. The audio data is the audio data after the user's voice is converted into an analog electrical signal by a microphone, and then processed by signal acquisition, analog-to-digital conversion, filtering, noise reduction, and echo processing. For example, if the encryption algorithm is SM4, the audio data is encrypted based on the key and the SM4 algorithm to obtain audio encrypted data.

[0058] Step S40, sending the audio encryption data and key to the receiving end through the network protocol IP channel.

[0059]In the embodiment of the present invention, the receiving end may be a mobile terminal, for example, the mobile terminal is a smart phone. After receiving the encrypted audio data and the key, the receiving end can decrypt the encrypted audio data based on the key and encryption algorithm to obtain corresponding audio data, and then allow the user at the receiving end to listen to the corresponding audio Data, because the audio encryption data is encrypted, even if others intercept the audio encryption data, they cannot decrypt the audio encryption data, which improves the security of the transmission process.

[0060] Step S50, after the receiving end receives the encrypted audio data, the key is deleted.

[0061] In this embodiment, it is possible to judge whether the receiving end has received the audio encryption data by receiving the confirmation message fed back by the receiving end, and delete the key after receiving the audio data at the receiving end, which can reduce the risk of the key being monitored. risk and improve the security of the key.

[0062] The VOIP encrypted call method provided in the embodiment of the present invention, through the TA in the TEE to generate a key, ensure that the security in the process of generating the key is relatively high, and transmit the audio encryption data and the key to the receiving end on the IP path, which can Ensure the security of audio data transmission, and ensure that the receiving end can decrypt the audio encrypted data according to the key to obtain audio data. In this way, the security during the call can be greatly improved and the risk of the call being monitored can be reduced.

[0063] see figure 2 , figure 2 It is a flow chart of another embodiment of the VOIP encrypted call method provided by the present invention. figure 2 for in figure 1 Based on the improved flowchart, figure 2 and figure 1 The difference is that steps S60-S70 are added, figure 2 Steps S10-S50 shown with figure 1 The steps S10-S50 shown in are the same, and will not be repeated here, and the steps S60-S70 will be described in detail below.

[0064] Step S60, collecting the sound source emitted by the user and forming an analog electrical signal.

[0065] Specifically, the sound source emitted by the user can be collected through a microphone or other sound pickup devices, and the collected sound source can be converted into a corresponding analog electrical signal. The speech is converted into the corresponding analog electrical signal.

[0066] Step S70, performing modulation and demodulation processing on the analog electrical signal to form audio data.

[0067] In this embodiment, step S70 may include the following steps: performing sampling and analog-to-digital conversion processing on the analog electrical signal to obtain a digital signal, and performing filtering, noise reduction and echo cancellation processing on the digital signal to obtain audio data.

[0068] It is supplemented that, in the embodiment of the present invention, the step S30 encrypts the audio data based on the key and the encryption algorithm, and the step of obtaining the audio encrypted data may also include: reusing the key with an asymmetric algorithm Encrypt to get the encrypted key.

[0069] In this way, the key is re-encrypted with an asymmetric encryption algorithm to obtain the encrypted key, which can improve the security of the key in the process of transmission and storage, and send the encrypted key to the receiving end, improving the transmission rate to the receiving end. The security of the key reduces the risk of the key being leaked.

[0070] It is further supplemented that the embodiment of the present invention may further include the following steps: receiving the encrypted audio data and the encrypted key sent by the sending end;

[0071] Decrypting the encrypted key to obtain a key, and decrypting the audio encrypted data based on the key and the encryption algorithm to obtain audio data.

[0072] In the embodiment of the present invention, the sending end may be a mobile terminal, for example, the mobile terminal may be a smart phone. The encrypted audio data is decrypted based on the key and the encryption algorithm, and after the audio data is obtained, the audio data can be played through a device such as a speaker, so that the user can understand the specific content of the audio data.

[0073] In this way, by transmitting encrypted audio data, the risk of audio data leakage during audio data transmission is reduced, and the security during audio data transmission is improved.

[0074] It is further supplemented that, in the embodiment of the present invention, the step S40 sending the audio encryption data and key to the receiving end through the network protocol IP channel may include the following steps:

[0075] Send the encrypted audio data to the trusted application TA through the trusted data channel;

[0076] The encrypted audio data is sent to the opposite end through the IP channel through the trusted application TA.

[0077] In the embodiment of the present invention, the trusted data channel includes the trusted data channel includes an integrated circuit built-in audio bus (Inter-IC Sound, I2S) interface. For example, the encrypted audio data can be sent to the trusted application TA via the I2S interface. The trusted application TA is a communication application running on the TEE, and the trusted application TA sends the encrypted audio data to the opposite end through the IP channel, which can improve the security of audio data transmission to the opposite end.

[0078] The above embodiments can also be applied to figure 1 In the corresponding embodiment, the same effect is achieved, and details are not repeated here to avoid repetition.

[0079] The VOIP encrypted call method provided in the embodiment of the present invention, through the TA in the TEE to generate a key, ensure that the security in the process of generating the key is relatively high, and transmit the audio encryption data and the key to the receiving end on the IP path, which can Ensure the security of audio data transmission, and ensure that the receiving end can decrypt the audio encrypted data according to the key to obtain the audio data. After receiving the audio encrypted data and the encrypted key sent by the sending end, the encrypted key Decrypt to obtain the key, decrypt the audio encrypted data based on the key and the encryption algorithm, and can obtain the specific content of the audio encrypted data at the sending end, thereby realizing communication with the sending end. And the security in the process of sending audio data, and at the same time, it can facilitate the user's communication.

[0080] The present invention further provides a VOIP encrypted call terminal. see image 3 , image 3 The structural diagram of an embodiment of the VOIP encryption call terminal provided by the present invention, as image 3 As shown, the VOIP encryption call terminal 100 includes a trusted execution environment generation module 101, a key generation module 102, an encryption module 103, a sending module 104 and a key destruction module 105, and the trusted execution environment generation module 101 and the key generation The module 102 is connected, the key generation module 102 is connected with the encryption module 103, the encryption module 103 is connected with the sending module 104, and the sending module 104 is connected with the key destruction module 105, wherein:

[0081] The trusted execution environment generation module 101 is used to generate the trusted execution environment TEE; the key generation module 102 is used to dynamically generate the key through the trusted application TA in the trusted execution environment TEE; the encryption module 103 is used to generate the key based on the Described key and encryption algorithm encrypt audio data, obtain audio encrypted data; Send module 104, be used for sending described audio encrypted data and key to receiving end through network protocol IP channel; Key destruction module 105, be used for in The receiving end deletes the key after receiving the encrypted audio data.

[0082] In the embodiment of the present invention, the trusted execution environment generating module 101 of the VOIP encrypted call terminal 100 generates the TEE, and the VOIP encrypted call terminal 100 may be a smart phone. The TEE is a functional unit that integrates software and hardware inside the VOIP encrypted call terminal 100. Compared with the Rich Execution Environment (REE), the TEE can realize unified management and unified allocation of hardware resources, and Different applications can be isolated from each other. The REE can run commonly used applications.

[0083] In the embodiment of the present invention, the TA is an application running on the TEE, and only a fixed certificate authority (CA) program can invoke the TA. The key is dynamically generated by the TA in the TEE. Since the TEE environment is relatively safe, the process of dynamically generating the key by the key generation module 102 has relatively high security, and the key is dynamically generated and generated at different times. The keys are different, and a key is generated for each call, and the constantly changing key can improve the security of using the key to encrypt audio data.

[0084] In the embodiment of the present invention, the encryption algorithm includes a symmetric encryption algorithm. For example, the symmetric encryption algorithm may be a wireless local area network standard packet data algorithm SM4. The audio data is the audio data after the user's voice is converted into an analog electrical signal by a microphone, and then processed by signal acquisition, analog-to-digital conversion, filtering, noise reduction, and echo processing. For example, if the encryption algorithm is SM4, the encryption module 103 encrypts the audio data based on the key and the SM4 algorithm to obtain encrypted audio data.

[0085] In the embodiment of the present invention, the receiving end may be a mobile terminal, for example, the mobile terminal is a smart phone. After receiving the encrypted audio data and the key, the receiving end can decrypt the encrypted audio data based on the key and encryption algorithm to obtain corresponding audio data, and then allow the user at the receiving end to listen to the corresponding audio Data, because the audio encryption data is encrypted, even if others intercept the audio encryption data, they cannot decrypt the audio encryption data, which improves the security of the transmission process.

[0086] In this embodiment, the key destruction module 105 can receive the confirmation message fed back by the receiving end, judge whether the receiving end has received the audio encryption data, and delete the key after receiving the audio data at the receiving end, which can reduce encryption. The risk of the key being intercepted improves the security of the key.

[0087] The VOIP encryption call terminal provided in the embodiment of the present invention generates a key through the TA in the TEE to ensure that the security in the process of generating the key is relatively high, and transmits the audio encryption data and the key to the receiving end on the IP path, which can Ensure the security of audio data transmission, and ensure that the receiving end can decrypt the audio encrypted data according to the key to obtain audio data. In this way, the security during the call can be greatly improved and the risk of the call being monitored can be reduced.

[0088] see Figure 4 , Figure 4 A structural diagram of another embodiment of the VOIP encrypted call terminal provided by the present invention. Figure 4 for in image 3 Based on the improved structure diagram, Figure 4 and image 3 The difference is that the sound source acquisition module 106 and the modulation and demodulation module 107 are added, Figure 4 The shown trusted execution environment generating module 101, key generating module 102, encryption module 103, sending module 104 and key destroying module 105 and image 3 The trusted execution environment generation module 101, key generation module 102, encryption module 103, sending module 104 and key destruction module 105 shown in are the same, and will not be repeated here. The sound source collection module 106 and the modulation and demodulation module 107 The modem module 107 is also connected to the encryption module 103, and the sound source collection module 106 and the modem module 107 will be described in detail below.

[0089]The sound source collection module 106 is used to collect the sound source from the user and form an analog electrical signal; the modulation and demodulation module 107 is used to perform modulation and demodulation processing on the analog electrical signal to form audio data.

[0090] Specifically, the sound source collection module 106 can collect the sound source emitted by the user through a microphone or other sound pickup devices, and convert the collected sound source into a corresponding analog electrical signal, for example, collect a segment of speech spoken by the user through a microphone, And the collected voice of the user is converted into a corresponding analog electrical signal.

[0091] In this embodiment, the modulation and demodulation module 107 is specifically used to perform sampling and analog-to-digital conversion processing on analog electrical signals to obtain digital signals, and perform filtering, noise reduction and echo cancellation processing on digital signals to obtain audio data.

[0092] see Figure 5 , Figure 5 A structural diagram of another embodiment of the VOIP encrypted call terminal provided by the present invention. Figure 5 for in Figure 4 Based on the improved structure diagram, Figure 5 and Figure 4 The difference is that a key encryption unit 1031 is added in the encryption module 103, Figure 5 The shown trusted execution environment generation module 101, key generation module 102, encryption module 103, sending module 104, key destruction module 105, sound source collection module 106 and modem module 107 and Figure 4 The trusted execution environment generation module 101, key generation module 102, encryption module 103, sending module 104, key destruction module 105, sound source collection module 106 and modulation and demodulation module 107 shown in are the same, and will not be repeated here , the key encryption unit 1031 will be described in detail below.

[0093] The key encryption unit 1031 is configured to re-encrypt the key with an asymmetric algorithm to obtain an encrypted key.

[0094] In this way, the key encryption unit 1031 re-encrypts the key with an asymmetric encryption algorithm to obtain the encrypted key, which can improve the security of the key during transmission and storage, and send the encrypted key to the receiving end , improve the security of sending the key to the receiving end, and reduce the risk of the key being leaked.

[0095] see Figure 6-8 , Image 6 A structural diagram of another embodiment of the VOIP encrypted call terminal provided by the present invention, Figure 7 A structural diagram of another embodiment of the VOIP encrypted call terminal provided by the present invention, Figure 8 A structural diagram of another embodiment of the VOIP encrypted call terminal provided by the present invention. Image 6 for in image 3 Based on the improved structure diagram, a receiving module 108 and a decryption module 109 are added, Figure 7 for in Figure 4 Based on the improved structure diagram, a receiving module 108 and a decryption module 109 are added, Figure 8 for in Figure 5 Based on the improved structure diagram, a receiving module 108 and a decryption module 109 are added. The receiving module 108 is connected to the decryption module 109. The receiving module 108 and the decryption module 109 will be described in detail below.

[0096] The receiving module 108 is used to receive the audio encrypted data and the encrypted key sent by the sending end; the decryption module 109 is used to decrypt the encrypted key to obtain the key, based on the key and the encrypted key. The algorithm decrypts the encrypted audio data to obtain audio data.

[0097] In the embodiment of the present invention, the sending end may be a mobile terminal, for example, the mobile terminal may be a smart phone. The decryption module 109 decrypts the audio encrypted data based on the key and the encryption algorithm, and after obtaining the audio data, the audio data can be played through devices such as speakers, so that users can understand the specific content of the audio data.

[0098] In this way, by transmitting encrypted audio data, the risk of audio data leakage during audio data transmission is reduced, and the security during audio data transmission is improved.

[0099] see Figure 9-11 , Figure 9 A structural diagram of another embodiment of the VOIP encrypted call terminal provided by the present invention, Figure 10 A structural diagram of another embodiment of the VOIP encrypted call terminal provided by the present invention, Figure 11 A structural diagram of another embodiment of the VOIP encrypted call terminal provided by the present invention. Figure 9 for in Image 6 Based on the improved structure diagram, a trusted transmission unit 1041 and a communication application unit 1042 are added to the sending module 104, Figure 10 for in Figure 7 Based on the improved structure diagram, a trusted transmission unit 1041 and a communication application unit 1042 are added to the sending module 104, Figure 11 for in Figure 8 Based on the improved structure diagram, a trusted transmission unit 1041 and a communication application unit 1042 are added to the sending module 104, and the trusted transmission unit 1041 is connected to the communication application unit 1042, and the trusted transmission unit 1041 and the communication application unit 1042 are faced below Describe in detail.

[0100] The trusted transmission unit 1041 is used to send the encrypted audio data to the trusted application TA through the trusted data channel; the communication application unit 1042 is used to send the encrypted audio data to the peer through the trusted application TA through the IP channel .

[0101] In the embodiment of the present invention, the trusted data channel includes the trusted data channel includes an integrated circuit built-in audio bus (Inter-IC Sound, I2S) interface. For example, the encrypted audio data can be sent to the trusted application TA via the I2S interface. The trusted application TA is a communication application running on the TEE, and the trusted application TA sends the encrypted audio data to the opposite end through the IP channel, which can improve the security of audio data transmission to the opposite end.

[0102] The VOIP encryption call terminal provided in the embodiment of the present invention generates a key through the TA in the TEE to ensure that the security in the process of generating the key is relatively high, and transmits the audio encryption data and the key to the receiving end on the IP path, which can Ensure the security of audio data transmission, and ensure that the receiving end can decrypt the audio encrypted data according to the key to obtain the audio data. After receiving the audio encrypted data and the encrypted key sent by the sending end, the encrypted key Decrypt to obtain the key, decrypt the audio encrypted data based on the key and the encryption algorithm, and can obtain the specific content of the audio encrypted data at the sending end, thereby realizing communication with the sending end. And the security in the process of sending audio data, and at the same time, it can facilitate the user's communication.

[0103] The above are only preferred embodiments of the present invention, and are not intended to limit the patent scope of the present invention. Any equivalent structure or equivalent process conversion made by using the description of the present invention and the contents of the accompanying drawings, or directly or indirectly used in other related technical fields , are all included in the scope of patent protection of the present invention in the same way.