CN101902734A - Implementation method of end-to-end self-synchronized voice encryption transmission in digital trunking communication system

Publication number: CN101902734A
Authority: CN (China)
Prior art keywords: voice, encrypted, machine, call, encryption
Legal status: Granted; currently Expired - Fee Related
Application number: CN201010257399.3A
Other languages: Chinese (zh)
Other versions: CN101902734B (en)
Inventors: 徐子平, 潘佳, 邹仕祥, 戎骏
Current assignees: NEOLINK COMMUNICATION TECHNOLOGY (HANGZHOU) Co Ltd; PLA University of Science and Technology
Original assignees: NEOLINK COMMUNICATION TECHNOLOGY (HANGZHOU) Co Ltd; PLA University of Science and Technology
Application filed by: NEOLINK COMMUNICATION TECHNOLOGY (HANGZHOU) Co Ltd; PLA University of Science and Technology
Priority to: CN201010257399A
Granted publication: CN101902734B

Abstract

A method for implementing end-to-end self-synchronized encrypted voice transmission in a digital trunking communication system, characterized in that it comprises the following steps. First, an encryption device is installed at each terminal that needs encrypted communication, and the encryption device is itself treated as a communication terminal. Second, the encryption device of the call initiator distributes the key to the receiving encryption devices by means of user signaling. Third, the trunking base stations serving all receiving terminals involved in the call store the key, so that a late-entry mobile station can obtain the key for the current call and, under system control, join a group call in which encrypted voice is already in progress. Fourth, the encryption device encrypts the voice and embeds the sequence number of the encrypted voice sequence in the vocoder voice data frame, so that the encrypted voice and its per-frame sequence number are transmitted together; the receiving encryption device then decrypts the encrypted voice, completing the secure communication. The invention is suitable for point-to-point encrypted trunking individual calls, for point-to-multipoint encrypted trunking group calls, and for encrypted off-network direct-mode calls between mobile stations, and has the advantages of being simple, reliable and highly confidential.

Description

Implementation method of end-to-end self-synchronized voice encryption transmission in digital trunking communication system

Technical field

The invention relates to digital trunking communication technology, in particular to a secure communication method for a digital trunking communication system, and specifically to a method for implementing end-to-end self-synchronized encrypted voice transmission in a digital trunking communication system.

Background art

A digital trunking communication system is a dedicated mobile communication system whose main users are public security, national defense, government departments, large enterprises and institutions, and transportation. These users place special requirements on the voice service that trunking communication provides, and secure voice communication is the most important of them.

Secure voice communication can be provided in two ways: air-interface encryption and end-to-end encryption.

Air-interface encryption encrypts the digital voice carried on the air-interface wireless channel between the mobile station and the base station; the voice data carried on the trunking core network is unencrypted clear voice.

End-to-end encryption encrypts digital voice between the terminals that communicate through the trunking system. The encrypting terminals include mobile stations, wired telephone interfaces, wired trunk interfaces and so on. With end-to-end encryption, the voice data carried on the trunking core network is encrypted.

Both end-to-end voice encryption and air-interface encryption require an encryption device, whose function is encryption and decryption. Encryption converts clear digital voice data into encrypted digital voice data; decryption converts encrypted voice data back into clear digital voice data.

The two encryption methods differ as follows:

(1) With end-to-end encryption, the encryption devices are placed in the mobile terminals and on the wired interfaces of the mobile core network. With air-interface encryption, they are placed in the mobile terminals and the base station channel units. Base station channel units are distributed across the wireless coverage sites and are hard to manage and control, whereas the wired interfaces of the core network are easy to manage and maintain because they are usually housed in the core network equipment room.

(2) With air-interface encryption, the trunking core network carries clear voice. Because the core network runs over an IP network, and that IP network is a public network, the voice information is vulnerable to eavesdropping and interception. With end-to-end encryption, the voice is encrypted while it crosses the IP network, which effectively prevents eavesdropping.

(3) End-to-end encryption costs less. If users are not comfortable carrying clear voice over the core network, the clear voice has to be encrypted again there, which adds the cost of core network encryption equipment. End-to-end encryption needs no additional encryption equipment, which reduces that investment.

In the wireless transmission channel of existing digital trunking communication systems, the part of a wireless channel time slot that carries voice data is usually called the payload. Whether the user terminal places clear or encrypted voice in the payload is decided by the terminal itself, which can indicate encrypted or unencrypted data in the "payload type" field of the bearer time slot.

The digital trunking network does not care whether the user terminal sends clear or encrypted voice. It transports the "payload" from a source terminal to a destination terminal; in other words, it provides an end-to-end digital "transparent" connection.

Almost without exception, modern digital mobile communication systems use digital vocoding to transmit compressed voice. Typical voice compression algorithms include AMR speech coding for the 3G public land mobile network (PLMN), with a coding rate of 4.75 kbit/s to 12.2 kbit/s; ACELP speech coding for TETRA digital trunking, with a coding rate of 4.567 kbit/s; and AMBE or other coding used by DMR digital trunking, with a coding rate of 2.4 kbit/s.

These vocoder speech codecs share a common feature: the voice is divided into time segments of fixed duration for encoding, and every encoded segment contains the same number of bits.

Assume the data rate of the encoded voice is S bit/s and the duration of each encoded voice segment is Ts. The number of data bits in one voice packet P is then:

P = S × Ts    (1)

Data is transmitted over the wireless channel in units of frames F, and one frame contains K voice packets:

F = K × P = K × S × Ts    (2)

In the present invention the voice coding rate is S = 2.4 kbit/s and the voice coding time is Ts = 20 ms. By formula (1), one voice packet contains:

P = S × Ts = 2.4×10^3 × 20×10^-3 = 48 (bits)

For transmission over the wireless channel, one frame contains 3 voice packets, so by formula (2):

F = K × P = 3 × 48 = 144 (bits)

The carrying capacity of the air-interface wireless channel between the mobile station and the base station is designed for the transmission of coded voice data. For voice, 144 bits are loaded every 60 ms.

Encrypted voice transmission has to solve the following three problems:

(1) How the air interface carries encrypted voice

When the communicating parties need encrypted voice transmission, voice encryption makes an encrypted frame longer than the 144-bit frame length of the air-interface wireless channel, so the encrypted voice cannot be carried on the original wireless channel.

(2) How keys are distributed to mobile stations

When two mobile stations make a trunking individual call, or several mobile stations make a trunking group call, a short piece of data called the "key" has to be sent to the encryption devices of all terminals taking part in the secure communication, for use in encryption and decryption.

(3) How the sending and receiving encryption devices stay synchronized

The encrypted data is sent from sender to receiver frame by frame. To decrypt correctly, the receiving encryption device has to keep the same frame order as the sending encryption device.

Adding voice encryption to an existing digital trunking communication system faces the following limitations:

(1) The mobile station uses a bandwidth-limited wireless channel. The channel guarantees an end-to-end transparent connection, but the payload size and the sending interval of the user's voice data cannot be changed. If the user keeps the original vocoder coding rate, the data rate after encryption must not change; otherwise the wireless channel cannot carry it.

(2) The digital trunking communication system was not designed to distribute keys to mobile stations, and it lacks air-interface signaling that would help the mobile station's encryption device obtain a key for each call. Establishing key signaling between the encryption devices of mobile stations is therefore a problem that has to be solved.

(3) In a trunking group call, when a newly powered-on mobile station enters late, the existing system has no provision for distributing the key to it, so the late-entry mobile station cannot take part in the secure voice communication.

(4) The existing system provides no encrypted-voice synchronization method for mobile stations that are engaged in secure communication.

Summary of the invention

In current digital trunking communication systems, air-interface encryption leaves the base station encryption devices hard to manage and core network traffic easy to leak, while end-to-end encryption is limited by the transmission bandwidth and has difficulty carrying encrypted-voice synchronization. The purpose of the invention is to address these problems with a method for implementing end-to-end self-synchronized encrypted voice transmission in a digital trunking communication system.

The technical scheme of the invention is:

A method for implementing end-to-end self-synchronized encrypted voice transmission in a digital trunking communication system, characterized in that it comprises the following steps:

First, an encryption device is installed at each terminal that needs encrypted communication, and the encryption device is itself treated as a communication terminal, so that voice is encrypted from encryption-device terminal to encryption-device terminal.

Second, after the digital trunking communication network has completed call setup for the mobile terminals, the encryption device of the call initiator distributes the key to the receiving encryption devices by means of user signaling. The digital trunking core network is therefore not involved in this signaling, and core network signaling does not have to be modified, extended or reduced.

Third, while the initiator's encryption device distributes the key to the receiving encryption devices by user signaling, the trunking base stations serving all receiving terminals involved in the call store the key, so that a late-entry mobile station can obtain the key for the current call and immediately join a group call in which encrypted voice is already in progress.

Fourth, the encryption device encrypts the voice and embeds the sequence number of the encrypted voice sequence in the vocoder voice data frame, so that the encrypted voice and its per-frame sequence number are transmitted together; the receiving encryption device then decrypts the encrypted voice, completing the secure communication.

For voice encryption, the vocoder coding rate is lowered from 2.4 kbit/s to 2.15 kbit/s, so that each 20 ms voice packet produces 43 bits. Under the control of the processor system, the encryption device encrypts a voice frame of three consecutive packets, 129 bits in total. After encryption the encryption device generates a 15-bit frame sequence number, and the resulting 144 bits are handed back to the processor system. In a mobile station, the processor system passes the encrypted voice frame to the baseband unit, which performs channel coding and sends it to the radio frequency unit; it is then sent over the air interface to the base station, which forwards it over the IP network to other base stations or wired interfaces. On a wired interface, the processor system encapsulates the encrypted voice frame in an IP packet and sends it over the IP network to other base stations or wired interfaces.

Beneficial effects of the invention:

Without changing the architecture of the digital trunking core network, the invention modifies only the control mode of the base station access system and, by adding terminal encryption devices, provides mobile users with end-to-end digital voice encryption. It is suitable for point-to-point encrypted trunking individual calls, for point-to-multipoint encrypted trunking group calls, and for encrypted off-network direct-mode calls between mobile stations.

For digital trunking individual calls and group calls, the initiating terminal's encryption device sends the key to the receiving encryption devices by user signaling. The digital trunking core network is not involved in this signaling and needs no additional control signaling for encrypted voice transmission. It handles the call like an ordinary clear voice call and does not need to care whether the users communicate in clear or encrypted voice.

The digital trunking base stations store the key of the current call so that a late-entry mobile station can obtain the group call key, join a group call in which encrypted voice is already in progress, and take part in the encrypted group call.

Because the sequence number of the encrypted voice sequence is embedded in the vocoder voice data frame, the transmission path that the digital trunking system originally provided for clear voice can carry the encrypted voice together with its per-frame sequence number without any change to its carrying capacity. This effectively improves the synchronization performance of encrypted voice communication and makes decryption at the receiving encryption device convenient and reliable.

Because the sequence number of the encrypted voice sequence is embedded in the vocoder voice data frame, the digital trunking system does not need any additional encrypted-voice synchronization processing when a mobile station is handed over between cells, and the handover procedure stays the same as for clear voice.

A mobile station operating in off-network direct mode can make encrypted individual calls and encrypted group calls directly.

Description of the drawings

Fig. 1 shows the structure of a trunking mobile terminal with an embedded encryption device according to the invention.

Fig. 2 shows the structure of secure voice communication between trunking mobile terminals according to the invention.

Fig. 3 shows the structure of a wired interface with an embedded encryption device according to the invention.

Fig. 4 shows key distribution for an encrypted call and for late entry to a group call according to the invention.

Fig. 5 shows the voice encryption flow of the mobile station according to the invention.

Fig. 6 shows the voice decryption flow of the mobile station according to the invention.

Detailed description

The invention is further described below with reference to the drawings and embodiments.

See Figures 1-6.

A method for implementing end-to-end self-synchronized encrypted voice transmission in a digital trunking communication system, comprising the following steps:

(1) Installing the encryption devices. The method uses end-to-end voice encryption, so every terminal that needs encryption gains an encryption-device function module. These terminals include mobile stations, wired telephone interfaces, wired trunk interfaces, wired dispatcher interfaces and so on. All interfaces other than the mobile station can be referred to collectively as wired interfaces. A wired interface already has to convert between vocoder coding and PCM coding, and its encryption device is installed in much the same way as in a mobile station. The difference is that a wired interface may carry several duplex voice channels, whereas a mobile station has only one duplex or half-duplex voice channel, so the encryption device of a wired interface is a multi-channel device.

Fig. 1 shows how the encryption device is installed in a mobile station. Fig. 3 shows how it is installed on a wired interface.

Each of the various wired interfaces on the digital trunking core network is connected to the IP network at one end and to wired terminal telephones or digital trunk links at the other. As with the encryption-device interface in the mobile station, the encryption device and the PCM/vocoder conversion module on the wired interface are both attached as peripherals to a processor system, through interfaces A and B respectively. The way the processor system takes part in voice encryption and decryption is similar to that in a mobile terminal.

(2) Key distribution by the encryption device. The encryption device that distributes the key is that of the call initiator, which can be either a mobile terminal or a call arriving from a wired interface. The call can be either a point-to-point individual call or a point-to-multipoint group call.

For both trunking individual calls and trunking group calls, the signaling phase that sets up the call does not involve key distribution. As with an ordinary trunking call, the call connection is established by the mobile terminal exchanging signaling with the trunking core network through the base station and then the IP network, or by a wired interface exchanging signaling with the trunking core network through the IP network. Fig. 2 shows the signaling channel between the base station and the core network, and Fig. 3 shows the signaling channel between the wired interface and the trunking core network.

Once the trunking core network has, by signaling, allocated the media transmission path for a call from base station to base station or from base station to wired interface, key distribution takes place between the base stations, or between base station and wired interface, before the voice conversation begins. The key distribution channel is not carried on the signaling channel to the core network. It is carried on the media channel, between the base stations or wired interfaces of the two or more parties taking part in the call.

Key distribution is a one-way transfer from the key distribution entity of the initiator's encryption device to the voice encryption/decryption entities of the encryption devices of all call participants. Fig. 4 shows the key transfer relationship.

The initiator's encryption device contains two entities: the key distribution entity and the voice encryption/decryption entity. Within the initiator's device, key distribution is internal. The voice encryption/decryption entities of all other participants' encryption devices must obtain the key sent by the initiator's key distribution entity, which is used to select the encryption/decryption random sequence for this call.

(3) Key distribution when a mobile station enters late. The base stations of all call participants must store the key of the current group call or individual call, for use with include calls and late entry to group calls, so that the key can be distributed to the encryption device of a newly joining mobile station.

In Fig. 4, the call-originating mobile station A is at base station 1, and the called mobile stations B and C of the group call are at base station 2 and base station 3 respectively. When the key distribution entity of mobile station A's encryption device distributes the key to the encryption devices of mobile stations B and C, base station 1, base station 2 and base station 3 also store the key.

Mobile station D is a late-entry mobile station for the group call and is located at base station 3. When mobile station D requests late entry, base station 3 is responsible for admitting it and for distributing the key to it.

(4) Voice encryption by the encryption device. During secure voice communication, the terminal of every call participant, whether a mobile station or a wired interface, lowers the vocoder coding rate from 2.4 kbit/s to 2.15 kbit/s, so that each 20 ms voice packet produces 43 bits (48 bits for clear voice). Under the control of the processor system, each encryption device encrypts a voice frame of three consecutive packets, 129 bits in total. After encryption the encryption device generates a 15-bit frame sequence number, and the resulting 144 bits are handed back to the processor system. In a mobile station, the processor system passes the encrypted voice frame to the baseband unit, which performs channel coding and sends it to the radio frequency unit; it is then sent over the air interface to the base station, which forwards it over the IP network to other base stations or wired interfaces. On a wired interface, the processor system encapsulates the encrypted voice frame in an IP packet and sends it over the IP network to other base stations or wired interfaces. Fig. 5 shows the voice encryption flow of the mobile station.

(5) Voice decryption by the encryption device. In the receive direction of the mobile station, the baseband receive processing separates the encrypted voice frame from the channel and passes it through interface A to the processor system. The processor system thus receives a 144-bit encrypted voice frame containing a 15-bit sequence number and 129 bits of encrypted voice data, and passes it through interface B to the encryption device for decryption. The encryption device uses the sequence number to determine the position in the decryption random sequence and decrypts bit by bit, producing a 129-bit restored voice frame, which it returns to the processor system through interface B. The processor system separates the voice frame into voice packets of 43 bits each and passes them through interface A to the baseband unit for vocoder decoding. Fig. 6 shows the voice decryption flow of the mobile station.

(6) Mobile station handover. Handover is the service by which a mobile station moves from one base station to another during a call, individual or group, without the call being interrupted. For the trunking communication network, handover during an encrypted call is no different from handover during a clear voice call, and the network does not need to modify the handover procedure for encrypted voice. This is because, in an encrypted call, the encryption device itself labels every encrypted voice frame with a sequence number, and that label has no correspondence with the TDMA time slots of the trunking system. Even when the mobile station is handed over between two base stations whose timing is not synchronized, the receiving encryption device can continue decrypting voice without noticing the handover.
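The frame layout of steps (4) and (5) and the self-synchronizing behaviour relied on for late entry and handover in steps (3) and (6), as an added Python example that is not code from the patent. Assumptions: the keystream generator (HMAC-SHA256 over the sequence number) is a stand-in for the unspecified random sequence, the sequence number is placed before the 129 voice bits, all function names are hypothetical, and the voice packets are constructed test data.

```python
import hashlib
import hmac

PACKET_BITS = 43                     # 2.15 kbit/s x 20 ms (clear voice: 48)
VOICE_BITS = 3 * PACKET_BITS         # 129 encrypted voice bits per frame
SEQ_BITS = 15                        # frame sequence number
FRAME_BITS = VOICE_BITS + SEQ_BITS   # 144: the unchanged 60 ms payload
FRAME_BYTES = FRAME_BITS // 8
SEQ_MOD = 1 << SEQ_BITS
VOICE_MASK = (1 << VOICE_BITS) - 1


def keystream(call_key: bytes, seq: int) -> int:
    """129 keystream bits for frame `seq`.

    Assumption: HMAC-SHA256 stands in for the patent's unspecified
    "random sequence" selected by the call key.
    """
    digest = hmac.new(call_key, seq.to_bytes(2, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") >> (256 - VOICE_BITS)


def split_packets(voice: int) -> list:
    """Split a 129-bit voice frame into its three 43-bit vocoder packets."""
    mask = (1 << PACKET_BITS) - 1
    return [(voice >> (PACKET_BITS * i)) & mask for i in (2, 1, 0)]


def encrypt_frame(call_key: bytes, seq: int, packets: list) -> bytes:
    """Build one 144-bit frame: 15-bit sequence number + 129 encrypted bits."""
    if len(packets) != 3 or any(not 0 <= p < (1 << PACKET_BITS) for p in packets):
        raise ValueError("need three 43-bit vocoder packets")
    # The page does not describe wrap-around; this sketch wraps modulo 2**15,
    # so frames 2**15 apart would share keystream here.
    seq %= SEQ_MOD
    voice = 0
    for p in packets:
        voice = (voice << PACKET_BITS) | p
    frame = (seq << VOICE_BITS) | (voice ^ keystream(call_key, seq))
    return frame.to_bytes(FRAME_BYTES, "big")


def decrypt_frame(call_key: bytes, frame: bytes):
    """Recover (sequence number, packets) using only the frame and the key."""
    if len(frame) != FRAME_BYTES:
        raise ValueError("frame must be 144 bits")
    value = int.from_bytes(frame, "big")
    seq = value >> VOICE_BITS
    voice = (value & VOICE_MASK) ^ keystream(call_key, seq)
    return seq, split_packets(voice)


def receive(call_key: bytes, frames: list) -> dict:
    """Self-synchronizing receiver: keystream position comes from each frame."""
    return dict(decrypt_frame(call_key, f) for f in frames)


def receive_counting(call_key: bytes, frames: list, start_seq: int = 0) -> list:
    """Contrast case: receiver ignores the embedded number and counts frames."""
    out = []
    for n, f in enumerate(frames):
        cipher = int.from_bytes(f, "big") & VOICE_MASK
        ks = keystream(call_key, (start_seq + n) % SEQ_MOD)
        out.append(split_packets(cipher ^ ks))
    return out


def sample_call(call_key: bytes, n_frames: int, first_seq: int = 0):
    """Constructed test traffic: returns (clear packets, encrypted frames)."""
    plain, frames = [], []
    for i in range(n_frames):
        packets = [(0x1F3D5B79 * (3 * i + j + 1)) % (1 << PACKET_BITS)
                   for j in range(3)]
        plain.append(packets)
        frames.append(encrypt_frame(call_key, first_seq + i, packets))
    return plain, frames


def sequence_period_seconds(frame_ms: int = 60) -> float:
    """Time until the 15-bit sequence number repeats at one frame per 60 ms."""
    return SEQ_MOD * frame_ms / 1000


if __name__ == "__main__":
    key = b"constructed-call-key"             # constructed sample key
    plain, frames = sample_call(key, 10)
    heard = frames[4:6] + frames[7:]          # joins at frame 4, loses frame 6
    got = receive(key, heard)
    print("late joiner decrypted frames:", sorted(got))
    print("all correct:", all(got[s] == plain[s] for s in got))
    counted = receive_counting(key, frames[:6] + frames[7:])
    print("counting receiver after one lost frame:", counted[6] == plain[7])
    print("sequence number period (s):", sequence_period_seconds())
```

A receiver that joins at frame 4 and loses frame 6 still decrypts every frame it hears, while the counting receiver produces garbage from the first lost frame onward.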

The details are as follows:

The encryption algorithm inside the encryption machine and its implementation may be the same as or similar to those of existing digital trunking communication systems. For the purposes of the present invention, the encryption machine is regarded as a communication terminal, and communication between encryption machines must also carry the following three kinds of information:

(1) Key message transfer between terminal encryption machines, carried as trunking system user signaling.

(2) Encrypted voice transfer, carried as a service between terminals.

(3) Key distribution to late-entry mobile stations, carried as terminal access signaling.

A mobile terminal with voice encryption can be represented by the structure shown in Figure 1. In this structure, both the encryption machine and the mobile station baseband unit are used as peripherals of the terminal processor system; they are managed by the processor system and exchange information through it.

Interface A between the processor system and the baseband unit provides the following three functions:

(1) Transfer of unencrypted digital voice between the processor system and the voice codec.

(2) Transfer of encrypted or unencrypted digital voice between the processor system and the baseband processing and radio channel codec.

(3) Transfer of key messages, carried as user signaling, between the processor system and the baseband processing and radio channel codec.

Interface B between the processor system and the encryption machine provides the following four functions:

(1) The processor system passes clear voice data from the voice encoder to the encryption machine for encryption, and the encryption machine passes decrypted voice data to the processor system, which hands it to the voice decoder for decoding.

(2) The processor system passes encrypted voice data, received over the air by the baseband processing and radio channel codec, to the encryption machine for decryption, and the encryption machine passes encrypted digital voice to the processor system for encrypted transmission over the air.

(3) The processor system passes key messages obtained by radio reception to the encryption machine, and the encryption machine passes key messages for the radio transmit direction to the processor system.

(4) Signaling by which the processor system controls the encryption machine, such as power on, power off, enable and other control information, up to and including remote destruction of the encryption machine.

For unencrypted voice transmission, the analog voice signal from the microphone enters the baseband unit. The baseband unit first performs analog-to-digital conversion to produce linear PCM, then vocoder encoding, producing a 48-bit voice packet every 20 ms, which is passed to the processor system over interface A. The processor system assembles three consecutive voice packets, 144 bits in total, into one frame and passes it over interface A to the baseband unit for radio channel coding. After modulation, the baseband unit sends it to the radio frequency unit.

For encrypted voice transmission, the microphone feeds analog voice into the baseband unit. The baseband unit first performs analog-to-digital conversion to produce linear PCM, then vocoder encoding, producing a voice packet of 48 - k bits every 20 ms, which is passed to the processor system over interface A. The processor system assembles three consecutive voice packets, 144 - 3k bits in total, into one frame and passes it over interface B to the encryption machine. The encryption machine encrypts the 144 - 3k voice bits, then attaches a 3k-bit sequence number to the encrypted frame and returns it to the processor system over interface B. The processor system then passes the 144-bit encrypted frame, equal in length to an unencrypted voice frame, over interface A to the baseband unit for radio channel coding. After modulation, the baseband unit sends it to the radio frequency unit.

For unencrypted voice reception, the radio frequency unit of the mobile station receives the radio signal from the base station, converts it to intermediate frequency and passes the intermediate-frequency signal to the baseband unit. The baseband unit demodulates it into a baseband signal, performs channel decoding, extracts the voice frame and passes it to the processor system over interface A. The processor system extracts the three voice packets in the frame and passes them back over interface A to the baseband unit for vocoder decoding. Decoding yields a linear PCM received voice signal, which after digital-to-analog conversion becomes analog voice played on the loudspeaker.

For encrypted voice reception, the radio frequency unit of the mobile station receives the radio signal from the base station, converts it to intermediate frequency and passes the intermediate-frequency signal to the baseband unit. The baseband unit demodulates it into a baseband signal, performs channel decoding, extracts the encrypted voice frame and passes it to the processor system over interface A. The processor system passes the voice frame over interface B to the encryption machine, which decrypts it and returns it to the processor system over interface B. The processor system extracts the three voice packets in the decrypted frame and passes them over interface A to the baseband unit for vocoder decoding. Decoding yields a linear PCM received voice signal, which after digital-to-analog conversion becomes analog voice played on the loudspeaker.

In vocoder encoding, an encrypted voice packet is k bits shorter than an unencrypted voice packet, so three consecutive voice packets save 3k bits in total, which the encryption machine uses to give the encrypted frame a sequence number. The larger the value of k, the longer the period of the encryption sequence number, but the greater the impact on the reproduced sound quality of the vocoder. Table 1 gives the relationship between the value of k and the encryption period.

Table 1. Relationship between the value of k and the encryption period

| Value k | Encrypted frame sequence number length | Voice frame time (ms) | Encrypted voice cycle time (s) |
|---|---|---|---|
| 1 | 2^3 = 8 | 60 | 0.48 |
| 2 | 2^6 = 64 | 60 | 3.84 |
| 3 | 2^9 = 512 | 60 | 30.72 |
| 4 | 2^12 = 4096 | 60 | 245.76 (4 minutes) |
| 5 | 2^15 = 32768 | 60 | 1966.08 (32.7 minutes) |
| 6 | 2^18 = 262144 | 60 | 15728.64 (262 minutes) |
| 7 | 2^21 = 2097152 | 60 | 125829.12 (34.9 hours) |

Table 1 shows that, to keep the encrypted voice cycle time reasonably long, k should be greater than or equal to 5. With k = 5, an encrypted voice cycle of half an hour is guaranteed.

Note that the value of k is unrelated to the encryption algorithm of the encryption machine. The algorithm can produce an encryption sequence of arbitrarily long period, and k can be viewed as a truncation window onto the sequence the algorithm produces. The duration of this window depends on k. Beyond that period encryption still works, except that one encryption sequence is reused within a single call. Given the characteristics of voice calls, a half-hour period is reasonable: the probability of a trunking call lasting more than half an hour is very small, and even if it does, the part beyond the period is in fact still in encrypted state.

When k = 5, the vocoder coding rate is S = P/Ts = (48 - 5)/(20 × 10^-3) = 2.15 kbits/s.

When k = 6, the vocoder coding rate is S = P/Ts = (48 - 6)/(20 × 10^-3) = 2.1 kbits/s.

When k = 7, the vocoder coding rate is S = P/Ts = (48 - 7)/(20 × 10^-3) = 2.05 kbits/s.

In general, a voice encryption machine uses stream (sequence) encryption. The basic principle is that the sending and receiving encryption machines apply the same random sequence to the voice data stream with a bit-by-bit XOR. The encrypted voice is the cipher stream produced by XORing, bit by bit, the original vocoder bit stream with the random data stream the encryption machine uses for encryption. The receiving encryption machine XORs the encrypted voice stream bit by bit with the same random sequence as the sender, which decrypts it and restores the original vocoder bit stream.
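The frame handling described above (three 43-bit packets, a 15-bit sequence number, bit-by-bit XOR positioned by that number), as an added Python example that is not part of the patent. The SHAKE-256 keystream, the sequence-number-first bit layout and all function names are assumptions, since the patent leaves the cipher and the bit order unspecified. It also shows what reuse of a sequence position after the window wraps means for two frames.

```python
import hashlib

PACKET_BITS = 43                       # 48 - k vocoder bits per 20 ms, k = 5
VOICE_BITS = 3 * PACKET_BITS           # 129 encrypted voice bits per frame
SEQ_BITS = 15                          # 3k-bit frame sequence number
FRAME_BITS = VOICE_BITS + SEQ_BITS     # 144, same length as a clear frame
SEQ_MOD = 1 << SEQ_BITS
FRAME_MS = 60                          # three 20 ms packets per frame
VOICE_MASK = (1 << VOICE_BITS) - 1


def keystream(key: bytes, seq: int) -> int:
    """129 keystream bits for sequence position `seq`.

    Stand-in generator (assumption): any generator that can be positioned
    by the sequence number fits the scheme described in the text.
    """
    raw = hashlib.shake_256(key + seq.to_bytes(2, "big")).digest(17)
    return int.from_bytes(raw, "big") >> (8 * 17 - VOICE_BITS)


def pack(packets):
    """Concatenate three 43-bit vocoder packets into one 129-bit voice frame."""
    voice = 0
    for p in packets:
        if not 0 <= p < (1 << PACKET_BITS):
            raise ValueError("packet must fit in 43 bits")
        voice = (voice << PACKET_BITS) | p
    return voice


def unpack(voice):
    """Split a 129-bit voice frame back into its three 43-bit packets."""
    mask = (1 << PACKET_BITS) - 1
    return tuple((voice >> (PACKET_BITS * i)) & mask for i in (2, 1, 0))


def encrypt_frame(key, frame_index, packets):
    """Sender: XOR the voice bits, then attach the sequence number (144 bits)."""
    seq = frame_index % SEQ_MOD
    body = pack(packets) ^ keystream(key, seq)
    return (seq << VOICE_BITS) | body  # assumed layout: sequence number first


def decrypt_frame(key, frame):
    """Receiver: position the keystream from the frame's own sequence number."""
    if not 0 <= frame < (1 << FRAME_BITS):
        raise ValueError("frame must fit in 144 bits")
    seq = frame >> VOICE_BITS
    return seq, unpack((frame & VOICE_MASK) ^ keystream(key, seq))


def cycle_seconds(k):
    """Table 1: time until a 3k-bit sequence number wraps."""
    return (1 << (3 * k)) * FRAME_MS / 1000


def reuse_leak(frame_a, frame_b):
    """XOR of two encrypted bodies that carry the same sequence number.

    Same position means same keystream, so the keystream cancels and the
    result equals the XOR of the two plaintext voice frames. Returns None
    when the two frames sit at different positions.
    """
    if frame_a >> VOICE_BITS != frame_b >> VOICE_BITS:
        return None
    return (frame_a ^ frame_b) & VOICE_MASK


def demo():
    key = b"constructed-call-key"      # constructed sample key
    # Constructed sample packets for ten consecutive frames.
    talk = [(i, i * 7 + 1, (1 << PACKET_BITS) - 1 - i) for i in range(10)]
    sent = [encrypt_frame(key, i, p) for i, p in enumerate(talk)]
    # Frames 2-4 and 6-8 are lost while the mobile changes base station.
    received = [sent[i] for i in (0, 1, 5, 9)]
    recovered = dict(decrypt_frame(key, f) for f in received)
    return talk, recovered


if __name__ == "__main__":
    talk, recovered = demo()
    for seq, packets in sorted(recovered.items()):
        print(seq, packets == talk[seq])
    print("k=5 window:", cycle_seconds(5), "s")
```

Because each frame is decrypted from its own sequence number, the receiver keeps no counter and lost frames cost only their own audio. A deployment that expects calls longer than the window has to change the key or the keystream before the position repeats.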

Voice encryption uses a one-key-per-call scheme: for every trunking call the encryption machine uses a new encryption random sequence, so that an eavesdropper cannot derive the encryption random sequence and compromise confidentiality.

To implement one key per call, the encryption machines must exchange a key before every encrypted call begins. To the communication system, the key is simply a short piece of data that it must deliver to the encryption machines of the two or more parties in a call. The sender of the key is the key distribution entity of an encryption machine, and the receivers are the voice encryption and decryption entities of the encryption machines of all parties taking part in the secure communication. The encryption machine uses the key to select the random sequence used to encrypt and decrypt this call.

For a digital trunking communication system, providing group calls is a basic requirement. A trunking group call is a call service in which multiple users take part in one call. If the initiator of a group call delivers the key to the other participants by user signaling when it sets up the call, the encryption machines of all group call members hold the same key and can communicate in encrypted mode.

The following situation can arise in a group call: a mobile station is switched on after the group call has started, and when the system finds that this mobile station is a member of the group call in progress, it notifies the mobile station to join it. This is called "group call late entry". The trunking system must deliver the key of the call to the late-entry mobile station. The short key data is therefore not only data that the trunking system carries between encryption machines as user signaling; it also has to be "stored" in the trunking communication system, because a late-entry mobile station must obtain the correct key before it can enter the encrypted call. Control and delivery of the key are managed and performed by the base stations taking part in the group call, and the trunking core network should not interfere in the signaling exchanged by mobile users for clear or encrypted communication. This design keeps the trunking core network general and simple: its protocol should not have to change because of the special requirements of particular users.

The structure for encrypted transmission and control over the digital trunking communication system is shown in Figure 2.

Encrypted voice communication goes through three stages in which the encrypted connection is established, used and torn down.

Stage 1: media connection establishment. The mobile station sends a call setup request to the base station over the air interface. The base station forwards the call signaling over the IP network to the corresponding entity of the trunking core network, which is also carried on the IP network. The signaling exchanged between the trunking core network entity and the base station consists of SIP messages. Through this signaling exchange, a media connection carried over IP is established between the base station serving the sending mobile station and the base station serving the receiving mobile station.

Stage 2: media connection transfer. Once the mobile station has established an end-to-end digital connection over the air interface and the IP network, the sending encryption machine uses user signaling to send the key data to the receiving encryption machine and then begins sending encrypted voice data. In addition to the encrypted data, the sending encryption machine generates the data frame sequence number. The receiving encryption machine decrypts using the received key and the received encrypted voice data with its sequence number. After the voice is restored to clear form, the receiving end performs vocoder decoding to produce analog voice, which is played on the loudspeaker. Encrypted communication can also be duplex.

Stage 3: media connection release. When the mobile station finishes the call, it sends a release request over the air interface. The base station sends a release request over the IP network to the trunking core network entity, and the core network entity sends a disconnect command to the base stations on both sides. Both base stations tear down the media connection on the air interface and the IP network, and the mobile station returns to the air interface signaling channel and enters the standby state.

Parts not addressed by the present invention, such as the processor system, encryption machine, baseband unit, radio frequency unit, trunking core network, base station and IP network, are the same as in the prior art or can be implemented using the prior art.

Claims (3)

1. A method for implementing end-to-end self-synchronizing encrypted voice transmission in a digital trunking communication system, characterized in that it comprises the following steps:

First, an encryption machine is provided at each terminal that needs encrypted communication, the encryption machine is itself treated as a communication terminal, and voice is transmitted encrypted from encryption machine terminal to encryption machine terminal;

Second, after the digital trunking communication network has completed call connection of the mobile terminals, the encryption machine of the initiating party distributes the key to the encryption machine of the receiving party by user signaling, so that the digital trunking core network does not need to take part in the signaling and core network signaling need not be modified, added to or reduced;

Third, while the encryption machine of the initiating party distributes the key to the encryption machine of the receiving party by user signaling, the trunking base stations serving all receiving terminals involved in the communication store the key, so that a late-entry mobile station can obtain the key of this call and immediately join the group call that is already in encrypted conversation;

Fourth, the encryption machine encrypts the voice and embeds the sequence number of the encrypted voice sequence in the vocoder data frame, the encrypted voice is transmitted together with its per-frame sequence number, and the receiving encryption machine decrypts the encrypted voice to complete the secure communication.

2. The method for implementing end-to-end self-synchronizing encrypted voice transmission in a digital trunking communication system according to claim 1, characterized in that, for voice encryption by the encryption machine, the vocoder coding rate is lowered from 2.4 kbits/s to 2.15 kbits/s, so that each 20 ms voice packet has 43 bits; under the control of the processor system, the encryption machine encrypts a voice frame of three consecutive packets totaling 129 bits, after encryption the encryption machine generates a 15-bit frame sequence number, and the total of 144 bits is returned to the processor system; in the case of a mobile station, the processor system passes the encrypted frame to the baseband unit, which completes channel coding and sends it to the radio frequency unit, from where it is sent over the air interface to the base station and by the base station over the IP network to other base stations or wired interfaces; in the case of a wired interface, the processor system encapsulates the encrypted frame in an IP packet and sends it over the IP network to other base stations or wired interfaces.

3. The method for implementing end-to-end self-synchronizing encrypted voice transmission in a digital trunking communication system according to claim 1, characterized in that, for both trunking individual calls and trunking group calls, the signaling stage of call initiation does not involve key distribution; as in an ordinary trunking call, the call connection is established by the mobile terminal exchanging signaling with the trunking core network through the base station and the IP network, or by a wired interface exchanging signaling with the trunking core network through the IP network; after the trunking core network has, by signaling, allocated a base-station-to-base-station or base-station-to-wired-interface media path for a call, and before the voice conversation begins, key distribution takes place between the base stations or between the base station and the wired interface; the key distribution channel is not carried on the signaling channel to the core network but on the media channel, between the two or more base stations or wired interfaces taking part in the call.
CN201010257399A | 2010-08-19 | 2010-08-19 | End-to-end self-synchronization voice encryption transmission implementation method for digital trunking communication system | Expired - Fee Related | CN101902734B (en)

Priority Applications (1)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201010257399A, CN101902734B (en) | 2010-08-19 | 2010-08-19 | End-to-end self-synchronization voice encryption transmission implementation method for digital trunking communication system |

Applications Claiming Priority (1)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201010257399A, CN101902734B (en) | 2010-08-19 | 2010-08-19 | End-to-end self-synchronization voice encryption transmission implementation method for digital trunking communication system |

Publications (2)

| Publication Number | Publication Date |
|---|---|
| CN101902734A (en) | 2010-12-01 |
| CN101902734B (en) | 2012-10-10 |

Family

ID=43227858

Family Applications (1)

| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201010257399A (Expired - Fee Related), CN101902734B (en) | End-to-end self-synchronization voice encryption transmission implementation method for digital trunking communication system | 2010-08-19 | 2010-08-19 |

Country Status (1)

| Country | Link |
|---|---|
| CN (1) | CN101902734B (en) |




Legal Events

| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | C14 | Grant of patent or utility model | |
| | GR01 | Patent grant | |
| | CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20121010. Termination date: 20190819 |
