| SIP is an IP-based protocol to control multi-media communications, and it is one of core protocols. The security mechanisms of SIP communications come most from the existing security protocols in Internet, but they all have the defectiveness and shortage. TLS doesn't support UDP; IPSec VPN only supports the security of end-by-edge with the traditional static encryption, and is lack of role-based access control; SIPS URI comes under the limitation of TLS; HTTP digest authentication only supports unilateralism; S/MIME runs short of PKI.Dynamic Encryption has been designed aimed at problems above. It enhanced the authentication, confidentiality and integrality through four improvements, and has been used in the design of safe SIP clients and servers. First, security classification and its negotiation mechanism provide optional and treatable security service: security level is distinguished by gathering different technology, and is confirmed by negotiated between the participants with their different beliefs and choices. Second, the combination of coarse granular RBAC and role-certificate based PKI ensures higher level authentication; Implementation of SCEP, LDAP and OCSP makes the dynamically managing role-certificate. Third, renewing AES key has been added into the session communication. This policy is based on two-way communication and is related with the last key, hardware feather and plaintext. The real-time window ensures the participants'synchronization. At last, some random bytes could be inserted into cipher, which accomplishes dynamically scrambling; and the position of inserting is calculated with the feather of cipher and key.The testing of improved PKI indicates the success and effect of dynamically management of role certificate. The contrast on encrypting performance between Dynamic Encryption and IPSec VPN shows the high efficiency and feasibility of the former in SIP communication. |
PDF Full Text Request