HK1199990B

HK1199990B - Data processing method for voice communication

Info

Publication number: HK1199990B
Application number: HK15100310.6A
Authority: HK
Inventors: 李东声
Original assignee: 天地融科技股份有限公司
Filing date: 2015-01-12
Publication date: 2018-04-06

Abstract

The present invention provides a data processing method for voice calls,Including: the first security chip obtaining the digital certificate of the second security device;The first security chip verifies the digital certificate of the second security device,If the verification of the digital certificate of the second security device is successful,The first security device outputs and prompts to confirm the identification information of the digital certificate of the second security device;After receiving the first confirmation instruction,The first security chip starts encrypting and decrypting voice calls;The first secure chip encrypts the call key,Obtain the ciphertext of the call key,And at least sign the ciphertext of the call key,Obtain signature data,The first security device sends the ciphertext and signature data of the call key;The second security chip verifies the signature data,If the verification signature data passes,Then decrypt the ciphertext of the call key,Obtain the call key;After verifying the signature data,The second security chip performs encryption and decryption operations on voice calls.

Description

Data processing method for voice call

Technical Field

The invention relates to the technical field of electronics, in particular to a data processing method for voice communication.

Background

In the prior art, the voice call between users has the possibility of being monitored, so that the current voice call has a safety risk. Aiming at the security risk, the mode adopted in the prior art is to encrypt the voice through a call key stored in a TF card on the mobile phone, so as to realize the protection of the voice call. However, in practical application, if malicious software is installed in the call terminal, a hacker can steal the call key in the TF card by means of the malicious software, and further crack the encrypted voice information, which causes a risk of voice data leakage of the call terminal, so how to safely perform voice encryption operation is an urgent technical problem to be solved; in addition, in the prior art, there is a possibility that a voice call is intercepted, so that it is also an urgent technical problem to reduce the possibility that a voice call is intercepted.

Disclosure of Invention

The present invention provides a data processing method for voice communication, and mainly aims to solve one of the above technical problems.

The invention provides a data processing method of voice call, which comprises the following steps: a first security chip of first security equipment acquires a digital certificate of second security equipment, wherein the first security equipment is independent of a first call terminal, the first security equipment is connected with the first call terminal through a first communication interface, and the second security equipment is security equipment of a second call terminal which performs voice call with the first call terminal; after the first security chip acquires the digital certificate of the second security device, the first security chip verifies the digital certificate of the second security device by using the root certificate in the first security device, and if the digital certificate of the second security device is verified to pass, the first security device outputs the identification information of the digital certificate of the second security device and prompts to confirm the identification information of the digital certificate of the second security device; after the first confirmation instruction is obtained, the first security chip starts the encryption and decryption operation of the voice call of the first call terminal by using the call key generated by the first security chip; after the first security chip acquires the digital certificate of the second security device, the first security chip encrypts the call key by using the public key of the second security device to obtain a ciphertext of the call key, and at least signs the ciphertext of the call key by using the private key of the first security device to obtain signature data, and the first security device sends the ciphertext of the call key and the signature data to the first call terminal through the first communication interface; a second security chip of a second security device receives ciphertext and signature data of a call key sent by a second communication terminal through a second communication interface, wherein the second security device is independent of the second communication terminal; the second security chip acquires the digital certificate of the first security device, verifies the signature data by using the public key of the first security device, and decrypts the ciphertext of the call key by using the private key of the second security device to obtain the call key if the signature data passes the verification; and after the signature data passes the verification, the second security chip starts the encryption and decryption operation of the voice call of the second call terminal by using the call key.

The invention provides a data processing method of voice call, which comprises the following steps: a first security chip of first security equipment generates a call key and starts encryption and decryption operations of voice calls of a first call terminal by using the call key, wherein the first security equipment is independent of the first call terminal and is connected with the first call terminal; the method comprises the steps that a first security chip obtains a digital certificate of second security equipment, wherein the second security equipment is security equipment of a second communication terminal which performs voice communication with a first communication terminal; after the first security chip acquires the digital certificate of the second security device, the first security chip verifies the digital certificate of the second security device by using the root certificate in the first security device, and if the digital certificate of the second security device is verified to pass, the first security device outputs the identification information of the digital certificate of the second security device and prompts to confirm the identification information of the digital certificate of the second security device; after the first confirmation instruction is obtained, the first security chip continuously performs encryption and decryption operations on the voice call of the first call terminal by using the call key; after the first security chip acquires the digital certificate of the second security device, the first security chip encrypts the call key by using the public key of the second security device to obtain a ciphertext of the call key, and at least signs the ciphertext of the call key by using the private key of the first security device to obtain signature data, and the first security device sends the ciphertext of the call key and the signature data to the first call terminal through the first communication interface; a second security chip of a second security device receives ciphertext and signature data of a call key sent by a second communication terminal through a second communication interface, wherein the second security device is independent of the second communication terminal; the second security chip acquires the digital certificate of the first security device, verifies the signature data by using the public key of the first security device, and decrypts the ciphertext of the call key by using the private key of the second security device to obtain the call key if the signature data passes the verification; and after the signature data passes the verification, the second security chip starts the encryption and decryption operation of the voice call of the second call terminal by using the call key.

The invention provides a data processing method of voice call, which comprises the following steps: a first security chip of first security equipment acquires a digital certificate of second security equipment, wherein the first security equipment is independent of a first call terminal, the first security equipment is connected with the first call terminal through a first communication interface, and the second security equipment is security equipment of a second call terminal which performs voice call with the first call terminal; after the first security chip acquires the digital certificate of the second security device, the first security chip verifies the digital certificate of the second security device by using the root certificate in the first security device, and if the digital certificate of the second security device is verified to pass, the first security device outputs the identification information of the digital certificate of the second security device and prompts to confirm the identification information of the digital certificate of the second security device; after the first confirmation instruction is obtained, the first security chip starts the encryption and decryption operation of the voice call of the first call terminal by using the call key generated by the first security chip; after the first security chip acquires the digital certificate of the second security device, the first security chip encrypts the call key by using the public key of the second security device to obtain a ciphertext of the call key, and performs signature processing on the call key by using the private key of the first security device to obtain signature data, and the first security device sends the ciphertext of the call key and the signature data to the first call terminal through the first communication interface; a second security chip of a second security device receives ciphertext and signature data of a call key sent by a second communication terminal through a second communication interface, wherein the second security device is independent of the second communication terminal; the second security chip acquires the digital certificate of the first security device, and decrypts the ciphertext of the call key by using the private key of the second security device to obtain the call key; verifying the signature data by using a public key of the first safety device; and after the signature data passes the verification, the second security chip starts the encryption and decryption operation of the voice call of the second call terminal by using the call key.

The invention provides a data processing method of voice call, which comprises the following steps: a first security chip of first security equipment generates a call key and starts encryption and decryption operations of voice calls of a first call terminal by using the call key, wherein the first security equipment is independent of the first call terminal and is connected with the first call terminal; the method comprises the steps that a first security chip obtains a digital certificate of second security equipment, wherein the second security equipment is security equipment of a second communication terminal which performs voice communication with a first communication terminal; after the first security chip acquires the digital certificate of the second security device, the first security chip verifies the digital certificate of the second security device by using the root certificate in the first security device, and if the digital certificate of the second security device is verified to pass, the first security device outputs the identification information of the digital certificate of the second security device and prompts to confirm the identification information of the digital certificate of the second security device; after the first confirmation instruction is obtained, the first security chip continuously performs encryption and decryption operations on the voice call of the first call terminal by using the call key; after the first security chip acquires the digital certificate of the second security device, the first security chip encrypts the call key by using the public key of the second security device to obtain a ciphertext of the call key, and performs signature processing on the call key by using the private key of the first security device to obtain signature data, and the first security device sends the ciphertext of the call key and the signature data to the first call terminal through the first communication interface; a second security chip of a second security device receives ciphertext and signature data of a call key sent by a second communication terminal through a second communication interface, wherein the second security device is independent of the second communication terminal; the second security chip acquires the digital certificate of the first security device, and decrypts the ciphertext of the call key by using the private key of the second security device to obtain the call key; verifying the signature data by using a public key of the first safety device; and after the signature data passes the verification, the second security chip starts the encryption and decryption operation of the voice call of the second call terminal by using the call key.

In addition, after the signature data passes the verification, the second security chip starts the operation of encrypting and decrypting the voice call of the second call terminal by using the call key, which comprises the following steps: the second security chip receives a first confirmation instruction sent by the second communication terminal through the second communication interface, and obtains a second confirmation instruction according to the first confirmation instruction; and after the signature data passes the verification and a second confirmation instruction is obtained, the second security chip starts the encryption and decryption operation of the voice call of the second call terminal by using the call key.

In addition, after the signature data passes the verification, the second security chip starts the operation of encrypting and decrypting the voice call of the second call terminal by using the call key, which comprises the following steps: after the second security chip acquires the digital certificate of the first security device, the second security chip verifies the digital certificate of the first security device by using a root certificate in the second security device, and if the digital certificate of the first security device is verified to pass, the second security device outputs identification information of the digital certificate of the first security device and prompts to confirm the identification information of the digital certificate of the first security device; and after the signature data passes the verification and a second confirmation instruction is obtained, the second security chip starts the encryption and decryption operation of the voice call of the second call terminal by using the call key.

In addition, after the signature data passes the verification, the second security chip starts the encryption and decryption operation of the voice call of the second communication terminal by using the call key, and the method further comprises the following steps: the second security chip receives a first confirmation instruction sent by the second communication terminal through the second communication interface, and obtains a second confirmation instruction according to the first confirmation instruction; and after the second confirmation instruction is obtained, the second security chip continuously performs encryption and decryption operations on the voice call of the second call terminal by using the call key.

In addition, after the signature data passes the verification, the second security chip starts the encryption and decryption operation of the voice call of the second communication terminal by using the call key, and the method further comprises the following steps: after the second security chip acquires the digital certificate of the first security device, the second security chip verifies the digital certificate of the first security device by using a root certificate in the second security device, and if the digital certificate of the first security device is verified to pass, the second security device outputs identification information of the digital certificate of the first security device and prompts to confirm the identification information of the digital certificate of the first security device; and after the second confirmation instruction is obtained, the second security chip continuously performs encryption and decryption operations on the voice call of the second call terminal by using the call key.

In addition, the first security device prompting confirmation of identification information of a digital certificate of a second security device includes: the first safety equipment prompts whether the identification information of the digital certificate of the second safety equipment is consistent with the identity of the user of the second communication terminal to be confirmed; the first confirmation instruction is an instruction for confirming that the identification information of the digital certificate of the second safety device is consistent with the identity of the user of the second communication terminal.

Further, the first security device outputting identification information of a digital certificate of the second security device includes: the first safety equipment converts the identification information of the digital certificate of the second safety equipment into sound information to obtain the sound information of the identification information of the digital certificate of the second safety equipment, and plays the sound information of the identification information of the digital certificate of the second safety equipment; alternatively, the first security device displays identification information of the digital certificate of the second security device.

The invention provides a data processing method of voice call, which comprises the following steps: a first security chip of first security equipment generates a call key and starts encryption and decryption operations of voice calls of a first call terminal by using the call key, wherein the first security equipment is independent of the first call terminal and is connected with the first call terminal; the method comprises the steps that a first security chip obtains a digital certificate of second security equipment, wherein the second security equipment is security equipment of a second communication terminal which performs voice communication with a first communication terminal; after the first security chip acquires the digital certificate of the second security device, the first security chip encrypts the call key by using the public key of the second security device to obtain a ciphertext of the call key, and at least signs the ciphertext of the call key by using the private key of the first security device to obtain signature data, and the first security device sends the ciphertext of the call key and the signature data to the first call terminal through the first communication interface; a second security chip of a second security device acquires the digital certificate of the first security device, wherein the second security device is independent of the second communication terminal and is connected with the second communication terminal through a second communication interface; if the second security chip receives the ciphertext and the signature data of the call key sent by the second communication terminal through the second communication interface, the second security chip verifies the signature data by using the public key of the first security device, and if the signature data passes the verification, the ciphertext of the call key is decrypted by using the private key of the second security device to obtain the call key; the second security chip verifies the digital certificate of the first security device by using the root certificate in the second security device, and if the digital certificate of the first security device passes the verification, the second security device outputs the identification information of the digital certificate of the first security device and prompts to confirm the identification information of the digital certificate of the first security device; and after the second confirmation instruction is obtained, the second security chip starts the encryption and decryption operation of the voice call of the second call terminal by using the call key.

The invention provides a data processing method of voice call, which comprises the following steps: a first security chip of first security equipment generates a call key and starts encryption and decryption operations of voice calls of a first call terminal by using the call key, wherein the first security equipment is independent of the first call terminal and is connected with the first call terminal; the method comprises the steps that a first security chip obtains a digital certificate of second security equipment, wherein the second security equipment is security equipment of a second communication terminal which performs voice communication with a first communication terminal; after the first security chip acquires the digital certificate of the second security device, the first security chip encrypts the call key by using the public key of the second security device to obtain a ciphertext of the call key, and at least signs the ciphertext of the call key by using the private key of the first security device to obtain signature data, and the first security device sends the ciphertext of the call key and the signature data to the first call terminal through the first communication interface; a second security chip of a second security device acquires the digital certificate of the first security device, wherein the second security device is independent of the second communication terminal and is connected with the second communication terminal through a second communication interface; if the second security chip receives the ciphertext and the signature data of the call key sent by the second communication terminal through the second communication interface, the second security chip verifies the signature data by using the public key of the first security device, and if the signature data passes the verification, the ciphertext of the call key is decrypted by using the private key of the second security device to obtain the call key; the second security chip starts the encryption and decryption operation of the voice call of the second call terminal by using the call key; the second security chip verifies the digital certificate of the first security device by using the root certificate in the second security device, and if the digital certificate of the first security device passes the verification, the second security device outputs the identification information of the digital certificate of the first security device and prompts to confirm the identification information of the digital certificate of the first security device; and after the second confirmation instruction is obtained, the second security chip continuously performs encryption and decryption operations on the voice call of the second call terminal by using the call key.

The invention provides a data processing method of voice call, which comprises the following steps: a first security chip of first security equipment generates a call key and starts encryption and decryption operations of voice calls of a first call terminal by using the call key, wherein the first security equipment is independent of the first call terminal and is connected with the first call terminal; the method comprises the steps that a first security chip obtains a digital certificate of second security equipment, wherein the second security equipment is security equipment of a second communication terminal which performs voice communication with a first communication terminal; after the first security chip acquires the digital certificate of the second security device, the first security chip encrypts the call key by using the public key of the second security device to obtain a ciphertext of the call key, and at least signs the call key by using the private key of the first security device to obtain signature data, and the first security device sends the ciphertext of the call key and the signature data to the first call terminal through the first communication interface; a second security chip of a second security device acquires the digital certificate of the first security device, wherein the second security device is independent of the second communication terminal and is connected with the second communication terminal through a second communication interface; if the second security chip receives the ciphertext and the signature data of the call key sent by the second communication terminal through the second communication interface, the second security chip decrypts the ciphertext of the call key by using a private key of second security equipment to obtain the call key; verifying the signature data by using the public key of the first safety device; the second security chip verifies the digital certificate of the first security device by using the root certificate in the second security device, and if the digital certificate of the first security device passes the verification, the second security device outputs the identification information of the digital certificate of the first security device and prompts to confirm the identification information of the digital certificate of the first security device; and after the signature data passes the verification and a second confirmation instruction is obtained, the second security chip starts the encryption and decryption operation of the voice call of the second call terminal by using the call key.

The invention provides a data processing method of voice call, which comprises the following steps: a first security chip of first security equipment generates a call key and starts encryption and decryption operations of voice calls of a first call terminal by using the call key, wherein the first security equipment is independent of the first call terminal and is connected with the first call terminal; the method comprises the steps that a first security chip obtains a digital certificate of second security equipment, wherein the second security equipment is security equipment of a second communication terminal which performs voice communication with a first communication terminal; after the first security chip acquires the digital certificate of the second security device, the first security chip encrypts the call key by using the public key of the second security device to obtain a ciphertext of the call key, and at least signs the call key by using the private key of the first security device to obtain signature data, and the first security device sends the ciphertext of the call key and the signature data to the first call terminal through the first communication interface; a second security chip of a second security device acquires the digital certificate of the first security device, wherein the second security device is independent of the second communication terminal and is connected with the second communication terminal through a second communication interface; if the second security chip receives the ciphertext and the signature data of the call key sent by the second communication terminal through the second communication interface, the second security chip decrypts the ciphertext of the call key by using a private key of second security equipment to obtain the call key; verifying the signature data by using the public key of the first safety device, and if the signature data passes the verification, starting the encryption and decryption operation of the voice call of the second call terminal by using the call key by using the second safety chip; the second security chip verifies the digital certificate of the first security device by using the root certificate in the second security device, and if the digital certificate of the first security device passes the verification, the second security device outputs the identification information of the digital certificate of the first security device and prompts to confirm the identification information of the digital certificate of the first security device; and after the second confirmation instruction is obtained, the second security chip continuously performs encryption and decryption operations on the voice call of the second call terminal by using the call key.

In addition, after the first security chip starts the operation of encrypting and decrypting the voice call of the first call terminal by using the call key, the method further comprises the following steps: the first safety chip receives a second confirmation instruction sent by the first call terminal through the first communication interface, and obtains a first confirmation instruction according to the second confirmation instruction; and after the signature data passes the verification and the first confirmation instruction is obtained, the first security chip continuously performs encryption and decryption operations on the voice call of the first call terminal by using the call key.

In addition, the first security chip starts the operation of encrypting and decrypting the voice call of the first call terminal by using the call key, and the operation comprises the following steps: the first safety chip receives a second confirmation instruction sent by the first call terminal through the first communication interface, and obtains a first confirmation instruction according to the second confirmation instruction; and after the first confirmation instruction is obtained, the first security chip starts the encryption and decryption operation of the voice call of the first call terminal by using the call key.

In addition, the prompting, by the second security device, of the confirmation of the identification information of the digital certificate of the first security device includes: the second safety equipment prompts whether the identification information of the digital certificate of the first safety equipment is consistent with the identity of the user of the first communication terminal or not to be confirmed; the second confirmation instruction is an instruction for confirming that the identification information of the digital certificate of the first safety device is consistent with the identity of the user of the first communication terminal.

Further, the second security device outputting the identification information of the digital certificate of the first security device includes: the second safety equipment converts the identification information of the digital certificate of the first safety equipment into sound information to obtain the sound information of the identification information of the digital certificate of the first safety equipment, and plays the sound information of the identification information of the digital certificate of the first safety equipment; alternatively, the second security device displays identification information of the digital certificate of the first security device.

In addition, the second security chip acquires the digital certificate of the first security device, and the method comprises the following steps: the second security chip acquires the digital certificate of the first security device from the prestored digital certificate; or the second security chip receives the digital certificate of the first security device sent by the second communication terminal through the second communication interface.

In addition, the first security chip acquires a digital certificate of the second security device, including: the first security chip acquires a digital certificate of the second security device from pre-stored digital certificates; or, the first security chip receives the digital certificate of the second security device sent by the first call terminal through the first communication interface.

In addition, the method further comprises: if the first security chip detects that the voice call of the first call terminal is ended, the first security chip deletes the call key; and/or if the second security chip detects that the voice call of the second call terminal is ended, the second security chip deletes the call key.

Furthermore, a private key of the first secure device is generated by the first secure chip inside the first secure chip; and/or the private key of the second secure device is generated by the second secure chip internally to the second secure chip.

Compared with the mode that the call key is generated on the TF card in the prior art, the method provided by the embodiment of the invention reduces the possibility of being attacked by malicious software on the call terminal in the voice encryption process by generating the call key on the first safety equipment independent of the first call terminal; the voice encryption device is generated by a first security chip in first security equipment, and based on the high security of the first security chip, the possibility that a call key is stolen is reduced, and the security of voice encryption is ensured; in addition, the conversation key is used for encryption in the first security chip, so that the conversation key is called in a security environment, and the security use of the conversation key is ensured. In addition, the first safety device verifies the digital certificate of the second safety device and outputs a prompt to confirm the identification information of the digital certificate of the second safety device, so that the confirmation of the identity information of the second communication terminal is realized, the user of the first communication terminal determines whether the call is monitored by a third person, the success rate of identifying the monitoring of the third person in the voice call is improved, the possibility of monitoring the voice call is reduced, and when the user of the first communication terminal determines that the call is monitored by the third person, the user of the first communication terminal can take a monitoring-prevention safety measure in time to prevent information leakage, and the safety of data transmission in the voice call is improved.

The cipher text of the call key received by the second safety equipment is encrypted by using the public key of the second safety equipment, so that the cipher text of the call key can only be decrypted by the private key of the second safety equipment, and the safety of the call key is ensured; the signature data received by the second safety device is obtained by performing signature processing on the call key or the ciphertext of the call key, and the second safety device verifies the signature data to ensure whether the source of the signature data is the first safety device. In addition, the second safety device verifies the digital certificate of the first safety device and outputs a prompt to confirm the identification information of the digital certificate of the first safety device, so that the confirmation of the identity information of the first call terminal is realized, the user of the second call terminal determines whether the call is monitored by a third person, the success rate of identifying the monitoring of the third person in the voice call is improved, the possibility of monitoring the voice call is reduced, and when the user of the second call terminal determines that the call is monitored by the third person, the user of the second call terminal can timely take a monitoring-prevention safety measure to prevent information leakage, and the safety of data transmission in the voice call is improved.

Drawings

In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on the drawings without creative efforts.

Fig. 1 is a first flowchart illustrating a data processing method for voice call according to an embodiment of the present invention;

fig. 2 is a second flowchart illustrating a data processing method for voice call according to an embodiment of the present invention;

fig. 3 is a third flowchart illustrating a data processing method for voice call according to an embodiment of the present invention;

fig. 4 is a fourth flowchart illustrating a data processing method for voice call according to an embodiment of the present invention;

fig. 5 is a first flowchart illustrating a data processing method for voice call according to a second embodiment of the present invention;

fig. 6 is a second flowchart illustrating a data processing method for voice call according to a second embodiment of the present invention;

fig. 7 is a third flowchart illustrating a data processing method for voice call according to a second embodiment of the present invention;

fig. 8 is a fourth flowchart illustrating a data processing method for voice call according to a second embodiment of the present invention.

Detailed Description

The technical solutions in the embodiments of the present invention are clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without making any creative effort, shall fall within the protection scope of the present invention.

Example one

Fig. 1 is a first flowchart illustrating a data processing method for a voice call according to an embodiment of the present invention. The method shown in fig. 1 comprises:

a first security chip of first security equipment acquires a digital certificate of second security equipment, wherein the first security equipment is independent of a first call terminal, the first security equipment is connected with the first call terminal through a first communication interface, and the second security equipment is security equipment of a second call terminal which performs voice call with the first call terminal;

after the first security chip acquires the digital certificate of the second security device, the first security chip verifies the digital certificate of the second security device by using the root certificate in the first security device, and if the digital certificate of the second security device is verified to pass, the first security device outputs the identification information of the digital certificate of the second security device and prompts to confirm the identification information of the digital certificate of the second security device;

after the first confirmation instruction is obtained, the first security chip starts the encryption and decryption operation of the voice call of the first call terminal by using the call key generated by the first security chip;

after the first security chip acquires the digital certificate of the second security device, the first security chip encrypts the call key by using the public key of the second security device to obtain a ciphertext of the call key, and at least signs the ciphertext of the call key by using the private key of the first security device to obtain signature data, and the first security device sends the ciphertext of the call key and the signature data to the first call terminal through the first communication interface;

a second security chip of a second security device receives ciphertext and signature data of a call key sent by a second communication terminal through a second communication interface, wherein the second security device is independent of the second communication terminal;

after the second security chip acquires the digital certificate of the first security device, the public key of the first security device is used for verifying the signature data, and if the signature data passes the verification, the private key of the second security device is used for decrypting the ciphertext of the call key to obtain the call key;

and after the signature data passes the verification, the second security chip starts the encryption and decryption operation of the voice call of the second call terminal by using the call key.

Wherein, the first security device prompts to confirm the identification information of the digital certificate of the second security device, including: the first safety equipment prompts whether the identification information of the digital certificate of the second safety equipment is consistent with the identity of the user of the second communication terminal to be confirmed;

the first confirmation instruction is an instruction for confirming that the identification information of the digital certificate of the second safety device is consistent with the identity of the user of the second communication terminal.

The public key of the second safety device is obtained from the digital certificate of the second safety device; wherein the public key of the first security device is obtained from the digital certificate of the first security device.

In the method shown in fig. 1, after prompting to confirm the identification information of the digital certificate of the second security device, the first security device triggers an operation of starting an encryption/decryption operation on a voice call of the first call terminal by using a call key; certainly, according to different application scenarios, after the first security device prompts to confirm the identification information of the digital certificate of the second security device, the triggered operation may also continue to perform encryption and decryption operations on the voice call of the first call terminal by using the call key, where specifically refer to the method flow shown in fig. 2.

Fig. 2 is a second flowchart illustrating a data processing method for voice call according to an embodiment of the present invention. The method shown in fig. 2 comprises:

a first security chip of first security equipment generates a call key and starts encryption and decryption operations of voice calls of a first call terminal by using the call key, wherein the first security equipment is independent of the first call terminal and is connected with the first call terminal;

the method comprises the steps that a first security chip obtains a digital certificate of second security equipment, wherein the second security equipment is security equipment of a second communication terminal which performs voice communication with a first communication terminal;

after the first confirmation instruction is obtained, the first security chip continuously performs encryption and decryption operations on the voice call of the first call terminal by using the call key;

In the method shown in fig. 1 and fig. 2, the signature object of the first security device performing signature processing is a ciphertext of the session key, and of course, according to different application scenarios, the signature object of the first security device performing signature processing may also be the session key itself, which refers to the method flow shown in fig. 3 and fig. 4 specifically.

Fig. 3 is a third flowchart illustrating a data processing method for a voice call according to an embodiment of the present invention. The method shown in fig. 3 comprises:

after the first security chip acquires the digital certificate of the second security device, the first security chip encrypts the call key by using the public key of the second security device to obtain a ciphertext of the call key, and performs signature processing on the call key by using the private key of the first security device to obtain signature data, and the first security device sends the ciphertext of the call key and the signature data to the first call terminal through the first communication interface;

the second security chip acquires the digital certificate of the first security device, and decrypts the ciphertext of the call key by using the private key of the second security device to obtain the call key; verifying the signature data by using a public key of the first safety device;

In the method shown in fig. 3, after prompting to confirm the identification information of the digital certificate of the second security device, the first security device triggers an operation of starting an encryption/decryption operation on a voice call of the first call terminal by using a call key; certainly, according to different application scenarios, after the first security device prompts to confirm the identification information of the digital certificate of the second security device, the triggered operation may also continue to perform encryption and decryption operations on the voice call of the first call terminal by using the call key, where specifically refer to the method flow shown in fig. 4.

Fig. 4 is a fourth flowchart illustrating a data processing method for a voice call according to an embodiment of the present invention. The method shown in fig. 4 comprises:

In the method shown in fig. 1 to 4, after prompting to confirm the identification information of the digital certificate of the second security device, if the user confirms that the identification information of the digital certificate of the second security device is consistent with the identity of the second communication terminal, the user inputs a first confirmation instruction on the first security device or the first communication terminal.

The method for the first security chip to obtain the first confirmation instruction includes: the first safety chip receives a first confirmation instruction sent by the first call terminal through the first communication interface; or the first security chip receives a first confirmation instruction sent by a confirmation key on the first security device.

The first security chip receives a first confirmation instruction sent by the confirmation key on the first security device, attack of malicious software on the first call terminal can be reduced, and voice call security is guaranteed.

In the method shown in fig. 1 to 4, the first secure device performs operations of verifying the digital certificate of the second secure device, outputting the identification information of the digital certificate of the second secure device, and prompting to confirm the identification information of the digital certificate of the second secure device, so as to confirm whether the holder of the digital certificate of the second secure device is the user of the second communication terminal; certainly, in practical applications, according to different application requirements, the second security device may also determine whether the holder of the digital certificate of the first security device is the user of the first call terminal, specifically refer to implementation manners one to four:

the implementation mode is as follows:

after the signature data passes the verification, the second security chip starts the encryption and decryption operation of the voice call of the second call terminal by using the call key, and the operation comprises the following steps:

the second security chip receives a first confirmation instruction sent by the second communication terminal through the second communication interface, and obtains a second confirmation instruction according to the first confirmation instruction; and after the signature data passes the verification and a second confirmation instruction is obtained, the second security chip starts the encryption and decryption operation of the voice call of the second call terminal by using the call key.

When the user of the second communication terminal trusts the user of the first communication terminal, if the user of the first communication terminal confirms that the holder of the digital certificate of the second safety device is the user of the second communication terminal, the first safety device receives a first confirmation instruction and sends the first confirmation instruction to the first communication terminal through the first communication interface, the first communication terminal sends the first confirmation instruction to the second communication terminal through the communication network, the second communication terminal sends the first confirmation instruction to the second safety device through the second communication interface, and after receiving the first confirmation instruction, the second safety device can determine that third person monitoring does not exist between the first safety device and the second safety device, so that the second confirmation instruction is obtained.

The implementation mode two is as follows:

after the second security chip acquires the digital certificate of the first security device, the second security chip verifies the digital certificate of the first security device by using a root certificate in the second security device, and if the digital certificate of the first security device is verified to pass, the second security device outputs identification information of the digital certificate of the first security device and prompts to confirm the identification information of the digital certificate of the first security device; and after the signature data passes the verification and a second confirmation instruction is obtained, the second security chip starts the encryption and decryption operation of the voice call of the second call terminal by using the call key.

After the prompt for confirming the identification information of the digital certificate of the first security device, if the user confirms that the identification information of the digital certificate of the first security device is consistent with the identity of the first communication terminal, the user inputs a second confirmation instruction on the second security device or the second communication terminal.

The mode for the second secure chip to obtain the second confirmation instruction includes: the second security chip receives a second confirmation instruction sent by the second communication terminal through the second communication interface; or the second security chip receives a second confirmation instruction sent by a confirmation key on the second security device.

The second security chip receives a second confirmation instruction sent by the confirmation key on the second security device, attack of malicious software on the second communication terminal can be reduced, and voice communication security is guaranteed.

In the first implementation manner and the second implementation manner, after the second security device obtains the second confirmation instruction, the triggered operation is to start the encryption and decryption operation of the voice call of the second call terminal by using the call key; certainly, according to different application scenarios, after the second security device obtains the second confirmation instruction, the triggered operation may further perform an encryption/decryption operation on the voice call of the second call terminal by using the call key, where specifically refer to implementation third and implementation fourth.

The implementation mode is three:

after the signature data passes the verification, the second security chip starts the encryption and decryption operation of the voice call of the second call terminal by using the call key, and the method further comprises the following steps:

the second security chip receives a first confirmation instruction sent by the second communication terminal through the second communication interface, and obtains a second confirmation instruction according to the first confirmation instruction; and after the second confirmation instruction is obtained, the second security chip continuously performs encryption and decryption operations on the voice call of the second call terminal by using the call key.

The implementation mode is four:

after the second security chip acquires the digital certificate of the first security device, the second security chip verifies the digital certificate of the first security device by using a root certificate in the second security device, and if the digital certificate of the first security device is verified to pass, the second security device outputs identification information of the digital certificate of the first security device and prompts to confirm the identification information of the digital certificate of the first security device; and after the second confirmation instruction is obtained, the second security chip continuously performs encryption and decryption operations on the voice call of the second call terminal by using the call key.

Wherein, the input mode of the second confirmation instruction comprises:

the second security chip receives a second confirmation instruction sent by the second communication terminal through the second communication interface; alternatively, the first and second electrodes may be,

and the second security chip receives a second confirmation instruction sent by a confirmation key on the second security device.

The second security device receives a second confirmation instruction sent by the confirmation key on the second security device, attack of malicious software on the second communication terminal can be reduced, and voice communication security is guaranteed.

In the first implementation manner and the third implementation manner, the steps shown by the dashed-line frame portions in the flowcharts of the methods shown in fig. 1 to 4 are not executed, and in the second implementation manner and the fourth implementation manner, the steps shown by the dashed-line frame portions in the flowcharts of the methods shown in fig. 1 to 4 are executed.

The cipher text of the call key received by the second safety equipment is encrypted by using the public key of the second safety equipment, so that the cipher text of the call key can only be decrypted by the private key of the second safety equipment, and the safety of the call key is ensured; the signature data received by the second safety device is obtained by performing signature processing on the call key or the ciphertext of the call key, and the second safety device verifies the signature data to ensure whether the source of the signature data is the first safety device.

Furthermore, the second security device verifies the digital certificate of the first security device and outputs a prompt to confirm the identification information of the digital certificate of the first security device, so that the confirmation of the identity information of the first call terminal is realized, the user of the second call terminal determines whether the call is monitored by a third person, the success rate of recognizing the monitoring of the third person in the voice call is improved, the possibility of monitoring the voice call is reduced, and when the user of the second call terminal determines that the call has the monitoring of the third person, the user of the second call terminal can timely take a monitoring-prevention security measure to prevent information leakage, and the security of data transmission in the voice call is improved.

In the method shown in fig. 1 to 4, the first secure device performs operations of verifying the digital certificate of the second secure device, outputting the identification information of the digital certificate of the second secure device, and prompting to confirm the identification information of the digital certificate of the second secure device, so as to confirm whether the holder of the digital certificate of the second secure device is the user of the second communication terminal; certainly, in practical applications, according to different application requirements, the second security device performs operations of verifying the digital certificate of the first security device, outputting the identification information of the digital certificate of the first security device, and prompting to confirm the identification information of the digital certificate of the first security device, so as to confirm whether the holder of the digital certificate of the first security device is the user of the first call terminal, specifically referring to the methods shown in fig. 5 to 8 in the second embodiment.

Example two

Fig. 5 is a first flowchart illustrating a data processing method for voice call according to a second embodiment of the present invention. The method shown in fig. 5 includes:

a second security chip of a second security device acquires the digital certificate of the first security device, wherein the second security device is independent of the second communication terminal and is connected with the second communication terminal through a second communication interface;

if the second security chip receives the ciphertext and the signature data of the call key sent by the second communication terminal through the second communication interface, the second security chip verifies the signature data by using the public key of the first security device, and if the signature data passes the verification, the ciphertext of the call key is decrypted by using the private key of the second security device to obtain the call key;

the second security chip verifies the digital certificate of the first security device by using the root certificate in the second security device, and if the digital certificate of the first security device passes the verification, the second security device outputs the identification information of the digital certificate of the first security device and prompts to confirm the identification information of the digital certificate of the first security device;

and after the second confirmation instruction is obtained, the second security chip starts the encryption and decryption operation of the voice call of the second call terminal by using the call key.

Wherein the prompting of the second security device to confirm the identification information of the digital certificate of the first security device comprises: the second safety equipment prompts whether the identification information of the digital certificate of the first safety equipment is consistent with the identity of the user of the first communication terminal or not to be confirmed;

the second confirmation instruction is an instruction for confirming that the identification information of the digital certificate of the first safety device is consistent with the identity of the user of the first communication terminal.

In the method shown in fig. 5, after prompting to confirm the identification information of the digital certificate of the first security device, the second security device triggers an operation of starting an encryption/decryption operation on a voice call of the second communication terminal by using a call key; certainly, according to different application scenarios, after the second security device prompts to confirm the identification information of the digital certificate of the first security device, the triggered operation may also continue to perform encryption and decryption operations on the voice call of the second communication terminal by using the call key, where specifically refer to the method flow shown in fig. 6.

Fig. 6 is a second flowchart illustrating a data processing method for voice call according to a second embodiment of the present invention. The method shown in fig. 6 includes:

if the second security chip receives the ciphertext and the signature data of the call key sent by the second communication terminal through the second communication interface, the second security chip verifies the signature data by using the public key of the first security device, and if the signature data passes the verification, the ciphertext of the call key is decrypted by using the private key of the second security device to obtain the call key; the second security chip starts the encryption and decryption operation of the voice call of the second call terminal by using the call key;

and after the second confirmation instruction is obtained, the second security chip continuously performs encryption and decryption operations on the voice call of the second call terminal by using the call key.

In the method shown in fig. 5 and fig. 6, the signature object of the signature processing performed by the second security device is the ciphertext of the session key, and of course, according to different application scenarios, the signature object of the signature processing performed by the second security device may also be the session key itself, which refers to the method flow shown in fig. 7 and fig. 8 specifically.

Fig. 7 is a third flowchart illustrating a data processing method for a voice call according to a second embodiment of the present invention. The method shown in fig. 7 includes:

after the first security chip acquires the digital certificate of the second security device, the first security chip encrypts the call key by using the public key of the second security device to obtain a ciphertext of the call key, and at least signs the call key by using the private key of the first security device to obtain signature data, and the first security device sends the ciphertext of the call key and the signature data to the first call terminal through the first communication interface;

if the second security chip receives the ciphertext and the signature data of the call key sent by the second communication terminal through the second communication interface, the second security chip decrypts the ciphertext of the call key by using a private key of second security equipment to obtain the call key; verifying the signature data by using the public key of the first safety device;

and after the signature data passes the verification and a second confirmation instruction is obtained, the second security chip starts the encryption and decryption operation of the voice call of the second call terminal by using the call key.

In the method shown in fig. 7, after prompting to confirm the identification information of the digital certificate of the first security device, the second security device triggers an operation of starting an encryption/decryption operation on a voice call of the second communication terminal by using a call key; certainly, according to different application scenarios, after the second security device prompts to confirm the identification information of the digital certificate of the first security device, the triggered operation may also continue to perform encryption and decryption operations on the voice call of the second communication terminal by using the call key, where specifically refer to the method flow shown in fig. 8.

Fig. 8 is a fourth flowchart illustrating a data processing method for voice call according to a second embodiment of the present invention. The method shown in fig. 8 includes:

if the second security chip receives the ciphertext and the signature data of the call key sent by the second communication terminal through the second communication interface, the second security chip decrypts the ciphertext of the call key by using a private key of second security equipment to obtain the call key; verifying the signature data by using the public key of the first safety device, and if the signature data passes the verification, starting the encryption and decryption operation of the voice call of the second call terminal by using the call key by using the second safety chip;

In the method shown in fig. 5 to 8, after prompting to confirm the identification information of the digital certificate of the first security device, if the user confirms that the identification information of the digital certificate of the first security device is consistent with the identity of the first communication terminal, the user inputs a second confirmation instruction on the second security device or the second communication terminal.

In the method shown in fig. 5 to 8, the second secure device performs operations of verifying the digital certificate of the first secure device, outputting the identification information of the digital certificate of the first secure device, and prompting to confirm the identification information of the digital certificate of the first secure device, so as to confirm whether the holder of the digital certificate of the first secure device is the user of the first call terminal; of course, in practical applications, according to different application requirements, the first security device may also determine whether the holder of the digital certificate of the second security device is the user of the second communication terminal, specifically refer to implementation mode one and implementation mode two:

the implementation mode is as follows:

the first security chip starts the operation of encrypting and decrypting the voice call of the first call terminal by using the call key, and the operation comprises the following steps:

the first safety chip receives a second confirmation instruction sent by the first call terminal through the first communication interface, and obtains a first confirmation instruction according to the second confirmation instruction; after the first confirmation instruction is obtained, the first security chip starts the encryption and decryption operation of the voice call of the first call terminal by using the call key generated by the first security chip.

In the first implementation manner, after the first security device obtains the first confirmation instruction, the triggered operation is to start the encryption and decryption operation of the voice call of the first call terminal by using the call key; certainly, according to different application scenarios, after the first security device obtains the first confirmation instruction, the triggered operation may further perform an encryption/decryption operation on the voice call of the first call terminal by using the call key, where specifically refer to implementation mode two.

The implementation mode two is as follows:

after the first security chip starts the operation of encrypting and decrypting the voice call of the first call terminal by using the call key, the method further comprises the following steps:

the first safety chip receives a second confirmation instruction sent by the first call terminal through the first communication interface, and obtains a first confirmation instruction according to the second confirmation instruction; and after the signature data passes the verification and the first confirmation instruction is obtained, the first security chip continuously performs encryption and decryption operations on the voice call of the first call terminal by using the call key.

Compared with the mode that the call key is generated on the TF card in the prior art, the method provided by the embodiment of the invention reduces the possibility of being attacked by malicious software on the call terminal in the voice encryption process by generating the call key on the first safety equipment independent of the first call terminal; and the first security chip in the first security device generates the first security chip, so that the possibility of stealing the call key is reduced based on the high security of the first security chip, and the security of voice encryption is ensured.

Furthermore, the first safety device verifies the digital certificate of the second safety device and outputs a prompt to confirm the identification information of the digital certificate of the second safety device, so that the confirmation of the identity information of the second communication terminal is realized, the user of the first communication terminal determines whether the call is monitored by a third person, the success rate of recognizing the monitoring of the third person in the voice call is improved, the possibility of monitoring the voice call is reduced, and when the user of the first communication terminal determines that the call has the monitoring of the third person, the user of the first communication terminal can timely take a monitoring-prevention safety measure to prevent information leakage, and the safety of data transmission in the voice call is improved.

The method of fig. 1-8 is further described below, wherein the following features apply to the method of fig. 1-8:

firstly, explaining a first safety device and a first call terminal:

the first security device may be a wearable device such as smart glasses, a smart watch, an earphone device, or integrated in the wearable device. Of course, the first security device may also be an intelligent key device capable of communicating with the call terminal, such as an intelligent key device USB key with a USB interface, an intelligent key device supporting an audio interface, an intelligent key device with a bluetooth communication function, or integrated in an intelligent key device capable of communicating with the call terminal; that is, the first security device is a separate device from the first telephony terminal and is not integrated with the first telephony terminal.

The first communication interface may be a wireless connection interface or a wired connection interface. If the first communication interface is a wireless connection interface, a wireless communication module, which can be a Wi-Fi module, a Wi-FiDirect module, an NFC module, a Bluetooth module or an infrared module, is arranged in the first safety device, for example, the first safety device is a Bluetooth headset; if the first communication interface is a wired connection interface, the first safety device may have a data transmission line, and an interface of the data transmission line may be an audio interface or a USB interface, for example, the first safety device is a line control earphone. Of course, the first safety device may also have two functions of wireless connection and wired connection, that is, the first safety device has a wireless communication module inside and a data transmission line outside.

If the first safety equipment is internally provided with the wireless communication module, the first safety equipment can be connected with the first call terminal through wireless connection; if the first communication interface is a wired connection interface, the first safety device can be connected with the first call terminal through wired connection.

The first communication terminal is a terminal with voice communication capability, and may be a traditional communication device, such as a fixed phone and a mobile phone, or a terminal with a network telephone function, such as a PC, a notebook computer, a tablet computer, and the like.

Secondly, explaining the second safety equipment and the second communication terminal:

the second security device may be a wearable device such as smart glasses, smart watches, an earphone device, or integrated in the wearable device. Of course, the second security device may also be an intelligent Key device capable of communicating with the call terminal, such as an intelligent Key device USB Key with a USB interface, an intelligent Key device supporting an audio interface, an intelligent Key device with a bluetooth communication function, or integrated in an intelligent Key device capable of communicating with the call terminal; i.e. the second security device is a separate device from the second telephony terminal and is not integrated in the second telephony terminal.

The second communication interface may be a wireless connection interface or a wired connection interface. If the second communication interface is a wireless connection interface, a wireless communication module, which can be a Wi-Fi module, a Wi-FiDirect module, an NFC module, a Bluetooth module or an infrared module, is arranged in the second safety device, for example, the second safety device is a Bluetooth headset; if the second communication interface is a wired connection interface, the second safety device may have a data transmission line, and an interface of the data transmission line may be an audio interface or a USB interface, for example, the second safety device is a line control earphone. Of course, the second safety device may also have two functions of wireless connection and wired connection, that is, the second safety device has a wireless communication module therein and is externally connected with a data transmission line.

If the second safety equipment is internally provided with a wireless communication module, the second safety equipment can be connected with a second communication terminal through wireless connection; if the second communication interface is a wired connection interface, the second security device may be connected to the second communication terminal through a wired connection.

The second communication terminal is a terminal with voice communication capability, and may be a traditional communication device, such as a fixed phone and a mobile phone, or a terminal with a network telephone function, such as a PC, a notebook computer, a tablet computer, and the like.

Thirdly, explaining a call key used by the first security device:

the session key may be generated using a key generation algorithm internal to the first secure chip, where the key generation algorithm may be a random number generation algorithm. Because the call key is generated by the first security chip in the first security device, compared with the key negotiation performed by the first call terminal in the prior art, the negotiation is completed by the first security device independent of the first call terminal, so that the possibility that the call key is attacked by malicious software in the first call terminal is reduced, and the call key generated by the first security chip in the first security device is safer and more reliable. In addition, the call key can be stored in the first security chip to ensure the storage security of the call key.

For the session key used by the first security device, after the first security chip in the first security device obtains the session key, the session key can be used to ensure the security of the voice call between the first security device and the second security device, which is equivalent to establishing a voice encryption channel between the first security device and the second security device based on the voice call in the prior art.

The voice encryption channel provided by the invention is a channel established between the first security device and the second security device, namely for the first security device, the voice encryption channel sequentially passes through the first security device, the first communication device, the second communication device and the second security device. Therefore, the voice encryption channel is established between the safety devices, so that the first communication terminal and the second communication terminal play a role in data transmission in the whole process from the establishment of the communication to the termination of the communication, the possibility of malicious software attack on the communication terminals is reduced, and the safety of data transmission is improved.

And after detecting that the voice call of the user of the first call terminal is finished, the first security chip deletes the call key.

After the call is finished, the first safety chip destroys the call key used by the voice call, so that the possibility that the call key is unreasonably utilized after being stolen can be reduced, the operation safety of the first safety chip is ensured, and the storage space of the first safety chip is effectively utilized.

The first security chip starts the encryption and decryption operation of the voice call of the first call terminal by using the call key, and can be started when the user of the first call terminal and the user of the second call terminal start the voice call, and also can be started in the process of the voice call between the user of the first call terminal and the user of the second call terminal.

Fourthly, explaining a call key used by the second security device:

the cipher text of the call key received by the second safety device is encrypted by using the public key of the second safety device, so that the cipher text of the call key can only be decrypted by the private key of the second safety device, and the safety of the call key is ensured. The signature data received by the second safety device is obtained by performing signature processing on the call key or the ciphertext of the call key, and the second safety device verifies the signature data to ensure whether the source of the signature data is the first safety device.

For the session key used by the second security device, after the second security chip in the second security device obtains the session key, the session key can be used to ensure the security of the voice call between the first security device and the second security device, which is equivalent to establishing a voice encryption channel between the first security device and the second security device based on the voice call in the prior art.

The voice encryption channel provided by the invention is a channel established between the first security device and the second security device, namely for the first security device, the voice encryption channel sequentially passes through the second security device, the second communication device, the first communication device and the first security device. Therefore, the voice encryption channel is established between the safety devices, so that the first communication terminal and the second communication terminal play a role in data transmission in the whole process from the establishment of the communication to the termination of the communication, the possibility of malicious software attack on the communication terminals is reduced, and the safety of data transmission is improved.

And after detecting that the voice call of the user of the second call terminal is finished, the second security chip deletes the call key.

After the call is finished, the second security chip destroys the call key used by the voice call, so that the possibility that the call key is unreasonably utilized after being stolen can be reduced, the operation security of the second security chip is ensured, and the storage space of the second security chip is effectively utilized.

The second security chip starts the encryption and decryption operation of the voice call of the second call terminal by using the call key, and can be started when the user of the first call terminal and the user of the second call terminal start the voice call, and also can be started in the process of the voice call between the user of the first call terminal and the user of the second call terminal.

Fifthly, explaining a mode of acquiring the digital certificate of the second security device by the first security chip:

in the first mode, the first security chip acquires a digital certificate of the second security device from a pre-stored digital certificate;

the first security device may store digital certificates of one or more security devices in advance, and may search the digital certificate of the second security device according to the identifier of the second security device; and because the digital certificate is pre-stored in the first security device and is not directly acquired from the outside, the possibility of tampering the digital certificate is reduced.

In the second mode, the first security chip receives the digital certificate of the second security device sent by the first call terminal through the first communication interface.

When the first secure chip obtains the digital certificate of the second secure device from the outside, the following method may be further implemented, including:

b1, the first call terminal acquires the digital certificate of the second security device from the digital certificate center and sends the acquired digital certificate of the second security device to the first security device through the first communication interface;

and B2, the second security device sends the digital certificate of the second security device to the second call terminal, the second call terminal sends the digital certificate of the second security device to the first call terminal, and the first call terminal sends the digital certificate of the second security device to the first security device through the first communication interface after receiving the digital certificate of the second security device.

In the method B2, the triggering condition for the second security device to send the digital certificate of the second security device to the second communication terminal may be initiated by the second security device actively, or initiated by the second security device after receiving the certificate acquisition request sent by the first security device.

In the method B1 and the method B2, the digital certificate of the second security device can be obtained in two ways, but in comparison, the digital certificate of the second security device is obtained from the digital certificate center by the first session terminal in the method B1, because the source of the digital certificate is reliable, and the possibility that an attacker who monitors the session modifies the digital certificate is low, the possibility that the digital certificate is tampered is reduced, and the security that the first session terminal obtains the digital certificate of the second security device from the outside is ensured.

Sixth, a description is given of a manner in which the second secure chip acquires the digital certificate of the first secure device:

in the first mode, the second security chip acquires the digital certificate of the first security device from the pre-stored digital certificate;

the second security device may store digital certificates of one or more security devices in advance, and may search the digital certificate of the first security device according to the identifier of the first security device; and because the digital certificate is pre-stored in the second security device and is not directly acquired from the outside, the possibility of tampering the digital certificate is reduced.

In the second mode, the second security chip receives the digital certificate of the first security device sent by the second communication terminal through the second communication interface.

When the second secure chip obtains the digital certificate of the first secure device from the outside, the following method may be further implemented, including:

b1, the second communication terminal acquires the digital certificate of the first safety equipment from the digital certificate center and sends the acquired digital certificate of the first safety equipment to the second safety equipment through the second communication interface;

and B2, the first security device sends the digital certificate of the first security device to the first call terminal, the first call terminal sends the digital certificate of the first security device to the second call terminal, and the second call terminal sends the digital certificate of the first security device to the second security device through the second communication interface after receiving the digital certificate of the first security device.

In the mode B2, the trigger condition for the first security device to send the digital certificate of the first security device to the first call terminal may be initiated by the first security device actively, or initiated by the first security device after receiving the certificate acquisition request sent by the second security device.

In the method B1 and the method B2, the digital certificate of the first security device can be obtained in two ways, but in comparison, the digital certificate of the first security device is obtained from the digital certificate center by the second session terminal in the method B1, because the source of the digital certificate is reliable, and the possibility that an attacker who monitors the session modifies the digital certificate is low, the possibility that the digital certificate is tampered is reduced, and the security that the second session terminal obtains the digital certificate of the first security device from the outside is ensured.

Seventhly, the identification information of the digital certificate of the second safety equipment output by the first safety chip and the identification information of the digital certificate of the second safety equipment confirmed by the prompt of the first safety chip are explained:

the first safety device outputs the identification information of the digital certificate of the second safety device, and the method comprises the following steps:

in the first mode, the first security device converts the identification information of the digital certificate of the second security device into sound information to obtain the sound information of the identification information of the digital certificate of the second security device, and plays the sound information of the identification information of the digital certificate of the second security device;

the sound information of the identification information of the digital certificate of the second security device can be played through the module with the playing function of the first security device, for example, the module with the playing function can be a speaker or a loudspeaker; and playing can be carried out through a module with a playing function of the first call terminal.

In a second manner, the first security device displays identification information of the digital certificate of the second security device.

The identification information of the digital certificate of the second security device may be displayed by the module with the display function of the first security device, for example, the module with the display function may be a display screen; the display can also be performed through a module with a display function of the first call terminal.

Compared with the mode of outputting the identification information of the digital certificate of the second safety equipment on the first call terminal, the mode of outputting the identification information of the digital certificate of the second safety equipment by the first safety equipment can reduce the possibility of malicious software attack on the first call terminal and improve the safety of data transmission.

The first safety device prompts confirmation of the identification information of the digital certificate of the second safety device, the prompt information can be played through a module with a playing function on the first safety device to realize the function of prompting confirmation of the identification information of the digital certificate of the second safety device, and the prompt information can also be displayed through a module with a display function on the first safety device to realize the function of prompting confirmation of the identification information of the digital certificate of the second safety device.

In addition, the prompt information can be played through a module with a playing function on the first call terminal, or the prompt information can be displayed through a module with a displaying function on the first call terminal, so that the function of confirming the identification information of the digital certificate of the second safety device is prompted.

Compared with the mode of prompting the first call terminal to confirm the identification information of the digital certificate of the second safety equipment, the mode of prompting the first safety equipment to confirm the identification information of the digital certificate of the second safety equipment can reduce the possibility of malicious software attack on the first call terminal and improve the safety of data transmission.

Here, the prompt information for confirming the identification information of the digital certificate of the second security device and the identification information of the digital certificate of the second security device may be output together, for example, to output "please confirm the identification information XXX of the digital certificate of the second security device", where XXX represents the content of the identification information of the digital certificate of the second security device. The output mode can adopt a playing mode or a display mode.

Of course, the prompt information for confirming the identification information of the digital certificate of the second security device may be output separately from the identification information of the digital certificate of the second security device, for example, first output information "please confirm the identification information of the digital certificate of the second security device" and then output information "the identification information of the digital certificate of the second security device is XXX", or first output information "the identification information of the digital certificate of the second security device is XXX" and then output information "please confirm the identification information of the digital certificate of the second security device". The output modes of the two pieces of information can be output in a playing mode or a display mode, and the output modes of the two pieces of information can be the same or different.

Eighth, explaining that the second security device outputs the identification information of the digital certificate of the first security device and that the second security device prompts confirmation of the identification information of the digital certificate of the first security device:

the second security device outputting the identification information of the digital certificate of the first security device includes:

in the first mode, the second security device converts the identification information of the digital certificate of the first security device into sound information to obtain the sound information of the identification information of the digital certificate of the first security device, and plays the sound information of the identification information of the digital certificate of the first security device;

the sound information of the identification information of the digital certificate of the first security device can be played through a module with a playing function of the second security device, for example, the module with the playing function can be a speaker or a loudspeaker; and playing can be carried out through a module with a playing function of the second communication terminal.

In a second manner, the second security device displays the identification information of the digital certificate of the first security device.

The identification information of the digital certificate of the first security device may be displayed by a module with a display function of the second security device, for example, the module with the display function may be a display screen; and the display can be carried out through a module with a display function of the second communication terminal.

Compared with the mode of outputting the identification information of the digital certificate of the first safety equipment on the second communication terminal, the mode of outputting the identification information of the digital certificate of the first safety equipment through the second safety equipment can reduce the possibility of malicious software attack on the second communication terminal and improve the safety of data transmission.

The second security device prompts confirmation of the identification information of the digital certificate of the first security device, the prompt information can be played through a module with a playing function on the second security device to prompt confirmation of the identification information of the digital certificate of the first security device, and the prompt information can also be displayed through a module with a display function on the second security device to prompt confirmation of the identification information of the digital certificate of the first security device.

In addition, the prompt information can be played through a module with a playing function on the second communication terminal, or the prompt information can be displayed through a module with a displaying function on the second communication terminal, so that the function of confirming the identification information of the digital certificate of the first safety device is prompted.

Compared with the mode of prompting the second communication terminal to confirm the identification information of the digital certificate of the first safety equipment, the mode of prompting the second safety equipment to confirm the identification information of the digital certificate of the first safety equipment can reduce the possibility of malicious software attack on the second communication terminal and improve the safety of data transmission.

Here, the prompt information for confirming the identification information of the digital certificate of the first secure device and the identification information of the digital certificate of the first secure device may be output together, for example, to output "please confirm the identification information XXX of the digital certificate of the first secure device", where XXX represents the content of the identification information of the digital certificate of the first secure device. The output mode can adopt a playing mode or a display mode.

Of course, the prompt information for confirming the identification information of the digital certificate of the first security device may be output separately from the identification information of the digital certificate of the first security device, for example, first output information "please confirm the identification information of the digital certificate of the first security device" and then output information "the identification information of the digital certificate of the first security device is XXX", or first output information "the identification information of the digital certificate of the first security device is XXX" and then output information "please confirm the identification information of the digital certificate of the first security device". The output modes of the two pieces of information can be output in a playing mode or a display mode, and the output modes of the two pieces of information can be the same or different.

Ninth, the identification information of the private key of the first security device and the digital certificate of the second security device is explained:

the private key of the first secure device is generated by the first secure chip internally to the first secure chip.

For the private key in the first secure device, the management mode of the private key in the prior art is generated from the outside and then imported into the first secure device, which is called a "ground mode", and the above mode is easy for hackers to intercept the private key before the private key is imported into the first secure device, so the management mode of the private key in the prior art has a certain security risk, and therefore, the private key used in the present invention is generated inside the first secure chip in the first secure device, that is, the generation environment of the private key is in the first secure device, that is, the generation program of the public-private key pair is directly burned in the first secure chip by a developer, and the public key cryptographic algorithm program is also burned in the first secure chip. After the public and private keys are generated, the private key is stored in a key area in the first security chip and is not allowed to be accessed externally. And when a public and private key pair in the key area is used for carrying out digital signature and asymmetric decryption operation, the private key is called inside the first security chip to execute operation. Since the use of the private key is called by the first security chip, the private key does not leave the first security device in the whole process of generating and using the private key, which is called as a mode of 'no landing', so a hacker has no opportunity to intercept the private key, thereby ensuring the security of the private key.

The identification information of the digital certificate of the second safety equipment is at least one of name information, contact information and identity information of a digital certificate holder of the second safety equipment; the name information can be name, network name, pen name, etc., the contact mode can be mobile phone number, electronic mail box, and the identity information can be ID card number, employee's card number, passport number.

Tenthly, explaining the private key of the second security device and the identification information of the digital certificate of the first security device:

the private key of the second secure device is generated by the second secure chip internally to the second secure chip.

For the private key in the second secure device, the management mode of the private key in the prior art is generated from the outside and then imported into the second secure device, which is called a "ground mode", and the above mode is easy for hackers to intercept the private key before the private key is imported into the second secure device, so the management mode of the private key in the prior art has a certain security risk, and therefore, the private key used in the present invention is generated inside the second secure chip in the second secure device, that is, the generation environment of the private key is in the second secure device, that is, the generation program of the public-private key pair is directly burned in the second secure chip by developers, and the public key cryptographic algorithm program is also burned in the second secure chip. After the public and private keys are generated, the private key is stored in a key area in the second security chip and is not allowed to be accessed externally. And when the public and private key pair in the key area is used for carrying out digital signature and asymmetric decryption operation, the private key is called inside the second security chip to execute operation. Since the use of the private key is called by the second security chip, the private key does not leave the second security device in the whole process of generating and using the private key, which is called as a mode of 'no landing', so a hacker has no opportunity to intercept the private key, thereby ensuring the security of the private key.

The identification information of the digital certificate of the first safety equipment is at least one of name information, contact information and identity information of a digital certificate holder of the first safety equipment; the name information can be name, network name, pen name, etc., the contact mode can be mobile phone number, electronic mail box, and the identity information can be ID card number, employee's card number, passport number.

Eleven, the first security chip utilizes the root certificate to verify the digital certificate of the second security device:

the root certificate is a certificate issued by the CA certificate authority to itself and is the starting point of the chain of trust. The digital certificate of the security device is issued by the CA certificate authority, and the root certificate of the CA certificate authority is stored in the security device. For example, the digital certificates of the first security device and the second security device are issued by the CA certificate authority, and the root certificate of the CA certificate authority is stored in each of the first security device and the second security device.

The root certificate of the CA certification center is used for authenticating the digital certificate issued by the CA certification center for the safety equipment so as to judge whether a certain digital certificate is a legal certificate issued by the CA certification center; for example, when the first security device obtains the digital certificate of the second security device, the digital certificate of the second security device is verified by using the root certificate issued by the CA certificate authority, and if the verification is passed, it indicates that the digital certificate of the second security device is a legal certificate issued by the CA certificate authority; otherwise, the digital certificate indicating the second secure device is not a legal certificate issued by the CA certificate authority.

The digital certificate issued by the CA at least comprises three parts of information, namely the information of the user, the public key of the user and the signature of the CA certification center on the information in the digital certificate. The authenticity of the digital certificate can be verified by verifying the signature of the CA authentication center in the digital certificate on the information in the digital certificate. When the signature of the information in the digital certificate is verified by the CA certificate authority, the verification is completed by using the public key of the CA certificate authority, and the public key of the CA certificate authority is stored in the root certificate of the CA certificate authority, so that the root certificate needs to be stored in the security equipment in advance to realize the authentication of the digital certificate issued by the CA certificate authority to the security equipment.

For example, in the method shown in fig. 1 to 8, in order to verify whether the digital certificate of the second security device is legal, the first security device needs to store in advance a root certificate of a CA certificate authority that issues digital certificates for the first security device and the second security device.

In addition, the method shown in fig. 1 to 8 of the present invention describes a processing flow when the digital certificate of the second secure device is verified to pass and the first confirmation instruction is obtained, and of course, the method shown in fig. 1 to 8 of the present invention further provides a processing manner of the following scenario:

if the digital certificate of the second safety equipment is verified to be not passed, the first safety equipment outputs prompt information that the verification is not passed so that a user of the first call terminal can finish the voice call on the first call terminal or the first safety equipment;

after the prompt of confirming the identification information of the digital certificate of the second safety equipment, if the identification information of the digital certificate of the second safety equipment is inconsistent with the identity of the user of the second communication terminal, the first communication terminal or the first safety equipment receives an instruction of ending the voice communication.

Twelfth, the digital certificate of the first security device is verified using the root certificate:

The root certificate of the CA certification center is used for authenticating the digital certificate issued by the CA certification center for the safety equipment so as to judge whether a certain digital certificate is a legal certificate issued by the CA certification center; for example, when the second security device obtains the digital certificate of the first security device, the digital certificate of the first security device is verified by using the root certificate issued by the CA certificate authority, and if the digital certificate of the first security device is verified to pass, it indicates that the digital certificate of the first security device is a legal certificate issued by the CA certificate authority; otherwise, the digital certificate indicating the first secure device is not a legal certificate issued by the CA certificate authority.

For example, in the method shown in fig. 1 to 8, in order to verify whether the digital certificate of the first security device is legal, the second security device needs to store in advance a root certificate of a CA certificate authority that issues digital certificates for the first security device and the second security device.

Thirteen, explaining the transmission mode of the cipher text and the signature data of the call key:

the cipher text and the signature data of the call key are transmitted from the first safety device to the second safety device by the following modes, including:

the first communication terminal receives the ciphertext and the signature data of the communication key sent by the first safety equipment through the first communication interface, and sends the ciphertext and the signature data of the communication key to the second communication terminal through the communication network; and the second communication terminal receives the ciphertext and the signature data of the call key from the first communication terminal through the communication network and sends the ciphertext and the signature data of the call key to the second safety equipment through the second communication interface.

In addition, the method shown in fig. 1 to 8 of the present invention describes a processing flow when the digital certificate of the first secure device is verified to pass and the second confirmation instruction is obtained, and of course, the method shown in fig. 1 to 8 of the present invention also provides a processing manner of the following scenario:

if the first safety device verifies that the digital certificate of the second safety device does not pass, the first safety device outputs prompt information indicating that the verification does not pass so that a user of the first call terminal can end the voice call on the first call terminal or the first safety device;

Similarly, the processing method of the second security device when verifying that the digital certificate of the first security device does not pass and/or when the identification information of the digital certificate of the first security device is inconsistent with the identity of the user of the first communication terminal is similar to that of the first security device, and is not described herein again.

The method shown in fig. 1 to 8 of the present invention is further described below by taking an application scenario as an example, and the method shown in fig. 1 is taken as an example for description here:

when the call terminal A and the call terminal B carry out voice call, the call terminal A is connected with the safety equipment A through the first communication interface, and the call terminal B is connected with the safety equipment B through the second communication interface. The method comprises the steps that a security device A generates a call key, the public key of the security device B is used for encrypting the call key to obtain a ciphertext AB of the call key, the private key of the security device A is used for signing the ciphertext AB of the call key to obtain signature data AB, and the security device A sends the ciphertext AB of the call key and the signature data AB to the security device B; and after the security device B receives the ciphertext AB and the signature data AB of the call key, verifying the signature data AB by using the public key of the security device A, and if the verification is passed, decrypting the ciphertext AB of the call key by using the private key of the security device B to obtain the call key, thereby realizing the operation of encrypting and decrypting the voice call of the security device A and the security device B by using the call key.

When a third person exists in the call process of the call terminal a and the call terminal B, wherein the call terminal of the third person is a call terminal C, and the security device of the call terminal C is a security device C, the voice call process is as follows:

the method comprises the steps that a security device A generates a call key, the public key of the security device C is used for encrypting the call key to obtain a ciphertext AC of the call key, the private key of the security device A is used for signing the ciphertext AC of the call key to obtain signature data AC, and the security device A sends the ciphertext AC of the call key and the signature data AC to the security device C; and after receiving the ciphertext AC and the signature data AC of the call key, the security device C verifies the signature data AC by using the public key of the security device A, and if the verification is passed, the security device C decrypts the ciphertext AC of the call key by using the private key of the security device C to obtain the call key.

The safety device C encrypts the call key by using the public key of the safety device B to obtain a ciphertext CB of the call key, signs the ciphertext CB of the call key by using the private key of the safety device C to obtain signature data CB, and sends the ciphertext CB of the call key and the signature data CB to the safety device B; and after the security device B receives the ciphertext CB of the call key and the signature data CB, the public key of the security device C is used for verifying the signature data CB, and if the verification is passed, the private key of the security device B is used for decrypting the ciphertext CB of the call key to obtain the call key.

Therefore, when a third person exists in the conversation process of the conversation terminal a and the conversation terminal B, the security device a and the security device B can still perform encryption and decryption operations on respective voice conversations by using the conversation key, but at the moment, the conversation of the conversation terminal a and the conversation terminal B is monitored by the third person.

Based on the above problem, the method shown in fig. 1 to 8 introduces the technical features of "verifying the digital certificate by using the root certificate" and "outputting the identification information of the digital certificate", so that the method shown in fig. 1 to 8 can solve the above problem, which is specifically described as follows:

the first safety device verifies the digital certificate of the second safety device by using the root certificate;

if the verification is not passed, the digital certificate of the second safety equipment can be confirmed not to be a legal certificate issued by a CA certificate authority; at this moment, the first safety device sends out alarm prompt information to prompt the user in order to ensure the transmission safety of the call key, so that the user can take safety measures in time.

If the verification is passed, the digital certificate of the second security device can be confirmed to be a legal certificate issued by a CA (certificate authority); however, the first security device still cannot determine whether the holder of the certificate passing the verification is the user of the second communication terminal, so that the identification information of the digital certificate of the second security device needs to be output, and the identification information of the digital certificate of the second security device needs to be prompted to be confirmed; otherwise, the holder of the digital certificate of the second safety device is not the user of the second communication terminal, that is, the holder of the digital certificate of the second safety device is the third person, so that the purpose of identifying whether the third person exists in the voice call is achieved.

Similarly, in the method flows shown in fig. 1 to 8, the second security device verifies the digital certificate of the first security device by using the root certificate;

if the verification is not passed, the digital certificate of the first safety equipment can be confirmed not to be a legal certificate issued by a CA certificate authority; at this moment, the second safety device sends out alarm prompt information to prompt the user in order to ensure the transmission safety of the call key, so that the user can take safety measures in time.

If the verification is passed, the digital certificate of the first security device can be confirmed to be a legal certificate issued by a CA (certificate authority); however, the second security device still cannot determine whether the holder of the certificate passing the verification is the user of the first call terminal, so that the identification information of the digital certificate of the first security device needs to be output, and the identification information of the digital certificate of the first security device needs to be prompted to be confirmed; otherwise, the holder of the digital certificate of the first safety device is not the user of the first call terminal, that is, the holder of the digital certificate of the first safety device is the third person, so that the purpose of identifying whether the third person exists in the voice call is achieved.

The method comprising the above technical features is further explained by taking the above listed application scenarios as examples:

before the security device A encrypts the call key and signs the encrypted call key, the security device A verifies the digital certificate of the security device C by using the root certificate, if the verification is passed, the identification information of the digital certificate of the security device C is output, and the identification information of the digital certificate of the security device C is prompted to be confirmed, the user of the first call terminal can judge that the holder of the digital certificate of the security device C is not the user of the second call terminal according to the identification information of the digital certificate of the security device C, and therefore the situation that third person monitoring exists in the call of the call terminal A and the call terminal B can be judged.

Similarly, before the security device B decrypts the received cipher text of the session key and verifies the signature data, the security device B verifies the digital certificate of the security device C by using the root certificate, if the verification is passed, the identification information of the digital certificate of the security device C is output, and the identification information of the digital certificate of the security device C is prompted to be confirmed, and the user of the second session terminal can judge that the holder of the digital certificate of the security device C is not the user of the first session terminal according to the identification information of the digital certificate of the security device C, so that the situation that a third person monitors the session between the session terminal a and the session terminal B can be judged.

The method shown in fig. 2 to 8 is similar to the method shown in fig. 1, and the technical effect similar to the method shown in fig. 1 can be achieved, and is not described herein again.

Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process, and alternate implementations are included within the scope of the preferred embodiment of the present invention in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the present invention.

It should be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, the various steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.

It will be understood by those skilled in the art that all or part of the steps carried by the method for implementing the above embodiments may be implemented by hardware related to instructions of a program, which may be stored in a computer readable storage medium, and when the program is executed, the program includes one or a combination of the steps of the method embodiments.

In addition, functional units in the embodiments of the present invention may be integrated into one processing module, or each unit may exist alone physically, or two or more units are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. The integrated module, if implemented in the form of a software functional module and sold or used as a stand-alone product, may also be stored in a computer readable storage medium.

The storage medium mentioned above may be a read-only memory, a magnetic or optical disk, etc.

In the description herein, references to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.

Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention, and that variations, modifications, substitutions and alterations can be made in the above embodiments by those of ordinary skill in the art without departing from the principle and spirit of the present invention. The scope of the invention is defined by the appended claims and equivalents thereof.

Claims

1. A data processing method for voice call is characterized in that the method comprises the following steps:

a first security chip of first security equipment acquires a digital certificate of second security equipment, wherein the first security equipment is independent of a first call terminal and is connected with the first call terminal through a first communication interface, and the second security equipment is security equipment of a second call terminal which performs voice call with the first call terminal;

after the first security chip acquires the digital certificate of the second security device, the first security chip verifies the digital certificate of the second security device by using a root certificate in the first security device, and if the digital certificate of the second security device is verified to pass, the first security device outputs identification information of the digital certificate of the second security device and prompts to confirm the identification information of the digital certificate of the second security device;

after a first confirmation instruction is obtained, the first security chip starts the encryption and decryption operation of the voice call of the first call terminal by using the call key generated by the first security chip;

after the first security chip acquires the digital certificate of the second security device, the first security chip encrypts the call key by using the public key of the second security device to obtain a ciphertext of the call key, and performs signature processing on the ciphertext of the call key by using the private key of the first security device to obtain signature data, wherein the public key of the second security device is acquired from the digital certificate of the second security device, and the first security device transmits the ciphertext of the call key and the signature data to the first call terminal through the first communication interface;

a second security chip of the second security device receives the ciphertext of the call key and the signature data sent by the second call terminal through a second communication interface, wherein the second security device is independent of the second call terminal;

the second security chip acquires a digital certificate of first security equipment, verifies the signature data by using a public key of the first security equipment, and decrypts a ciphertext of the call key by using a private key of the second security equipment to obtain the call key if the signature data passes verification, wherein the public key of the first security equipment is acquired from the digital certificate of the first security equipment;

and after the signature data passes verification, the second security chip starts to encrypt and decrypt the voice call of the second call terminal by using the call key.

2. A data processing method for voice call is characterized in that the method comprises the following steps:

a first security chip of first security equipment generates a call key and starts encryption and decryption operations on voice calls of a first call terminal by using the call key, wherein the first security equipment is independent of the first call terminal and is connected with the first call terminal;

the first security chip acquires a digital certificate of second security equipment, wherein the second security equipment is security equipment of a second communication terminal which performs voice communication with the first communication terminal;

after the first confirmation instruction is obtained, the first security chip utilizes the call key to continue encryption and decryption operations on the voice call of the first call terminal;

after the first security chip acquires the digital certificate of the second security device, the first security chip encrypts the call key by using the public key of the second security device to obtain a ciphertext of the call key, and performs signature processing on the ciphertext of the call key by using the private key of the first security device to obtain signature data, wherein the public key of the second security device is acquired from the digital certificate of the second security device, and the first security device transmits the ciphertext of the call key and the signature data to the first call terminal through a first communication interface;

3. A data processing method for voice call is characterized in that the method comprises the following steps:

after the first security chip acquires the digital certificate of the second security device, the first security chip encrypts the call key by using the public key of the second security device to obtain a ciphertext of the call key, and performs signature processing on the call key by using the private key of the first security device to obtain signature data, wherein the public key of the second security device is acquired from the digital certificate of the second security device, and the first security device transmits the ciphertext of the call key and the signature data to the first call terminal through the first communication interface;

the second security chip acquires a digital certificate of the first security device, and decrypts a ciphertext of the call key by using a private key of the second security device to obtain the call key; verifying the signature data by using a public key of the first security device, wherein the public key of the first security device is obtained from a digital certificate of the first security device;

4. A data processing method for voice call is characterized in that the method comprises the following steps:

after the first security chip acquires the digital certificate of the second security device, the first security chip encrypts the call key by using the public key of the second security device to obtain a ciphertext of the call key, and performs signature processing on the call key by using the private key of the first security device to obtain signature data, wherein the public key of the second security device is acquired from the digital certificate of the second security device, and the first security device transmits the ciphertext of the call key and the signature data to the first call terminal through a first communication interface;

5. The method according to any one of claims 1 to 4, wherein after the signature data is verified to pass, the second security chip starting encryption and decryption operations on the voice call of the second communication terminal by using the call key comprises:

the second security chip receives a first confirmation instruction sent by the second communication terminal through the second communication interface, and obtains a second confirmation instruction according to the first confirmation instruction; and after the signature data is verified to pass and a second confirmation instruction is obtained, the second security chip starts the encryption and decryption operation of the voice call of the second call terminal by using the call key.

6. The method according to any one of claims 1 to 4, wherein after the signature data is verified to pass, the second security chip starting encryption and decryption operations on the voice call of the second communication terminal by using the call key comprises:

after the second security chip acquires the digital certificate of the first security device, the second security chip verifies the digital certificate of the first security device by using a root certificate in the second security device, and if the digital certificate of the first security device is verified to pass, the second security device outputs identification information of the digital certificate of the first security device and prompts to confirm the identification information of the digital certificate of the first security device; and after the signature data is verified to pass and a second confirmation instruction is obtained, the second security chip starts the encryption and decryption operation of the voice call of the second call terminal by using the call key.

7. The method according to any one of claims 1 to 4, wherein after verifying that the signature data passes, the second secure chip starts an encryption/decryption operation on a voice call of the second communication terminal by using the call key, and further comprising:

the second security chip receives a first confirmation instruction sent by the second communication terminal through the second communication interface, and obtains a second confirmation instruction according to the first confirmation instruction; and after a second confirmation instruction is obtained, the second security chip utilizes the call key to continue to carry out encryption and decryption operations on the voice call of the second call terminal.

8. The method according to any one of claims 1 to 4, wherein after verifying that the signature data passes, the second secure chip starts an encryption/decryption operation on a voice call of the second communication terminal by using the call key, and further comprising:

after the second security chip acquires the digital certificate of the first security device, the second security chip verifies the digital certificate of the first security device by using a root certificate in the second security device, and if the digital certificate of the first security device is verified to pass, the second security device outputs identification information of the digital certificate of the first security device and prompts to confirm the identification information of the digital certificate of the first security device; and after a second confirmation instruction is obtained, the second security chip utilizes the call key to continue to carry out encryption and decryption operations on the voice call of the second call terminal.

9. The method of any of claims 1 to 4, wherein the prompting, by the first security device, for confirmation of identification information of the digital certificate of the second security device comprises:

the first safety equipment prompts whether the identification information of the digital certificate of the second safety equipment is consistent with the identity of the user of the second communication terminal or not to be confirmed;

the first confirmation instruction is an instruction for confirming that the identification information of the digital certificate of the second safety equipment is consistent with the identity of the user of the second communication terminal.

10. The method of claim 5, wherein the first security device prompting confirmation of identification information of the digital certificate of the second security device comprises:

11. The method of claim 6, wherein the first security device prompting confirmation of identification information of the digital certificate of the second security device comprises:

12. The method of claim 7, wherein the first security device prompting confirmation of identification information of the digital certificate of the second security device comprises:

13. The method of claim 8, wherein prompting, by the first security device, for confirmation of identification information of the digital certificate of the second security device comprises:

14. The method according to any one of claims 1 to 4, wherein the first security device outputting the identification information of the digital certificate of the second security device comprises:

the first safety equipment converts the identification information of the digital certificate of the second safety equipment into sound information to obtain the sound information of the identification information of the digital certificate of the second safety equipment, and plays the sound information of the identification information of the digital certificate of the second safety equipment; alternatively, the first and second electrodes may be,

the first security device displays identification information of a digital certificate of the second security device.

15. The method of claim 5, wherein the first security device outputting the identification information of the digital certificate of the second security device comprises:

16. The method of claim 6, wherein the first security device outputting the identification information of the digital certificate of the second security device comprises:

17. The method of claim 7, wherein the first security device outputting the identification information of the digital certificate of the second security device comprises:

18. The method of claim 8, wherein the first security device outputting the identification information of the digital certificate of the second security device comprises:

19. The method of claim 9, wherein the first security device outputting the identification information of the digital certificate of the second security device comprises:

20. The method of claim 6, wherein the second security device prompting confirmation of identification information of the digital certificate of the first security device comprises:

the second safety equipment prompts to confirm whether the identification information of the digital certificate of the first safety equipment is consistent with the identity of the user of the first call terminal;

21. The method of claim 8, wherein the second security device prompting confirmation of identification information of the digital certificate of the first security device comprises:

22. The method of claim 6, wherein the second security device outputting the identification information of the digital certificate of the first security device comprises:

the second security device converts the identification information of the digital certificate of the first security device into sound information to obtain the sound information of the identification information of the digital certificate of the first security device, and plays the sound information of the identification information of the digital certificate of the first security device; alternatively, the first and second electrodes may be,

the second security device displays identification information of the digital certificate of the first security device.

23. The method of claim 8, wherein the second security device outputting the identification information of the digital certificate of the first security device comprises:

24. The method of claim 6, wherein the second security chip obtaining the digital certificate of the first security device comprises:

the second security chip acquires the digital certificate of the first security device from the pre-stored digital certificate; alternatively, the first and second electrodes may be,

and the second security chip receives the digital certificate of the first security device sent by the second communication terminal through the second communication interface.

25. The method of claim 8, wherein the second security chip obtaining the digital certificate of the first security device comprises:

26. A data processing method for voice call is characterized in that the method comprises the following steps:

a second security chip of a second security device acquires a digital certificate of a first security device, wherein the second security device is independent of the second communication terminal and is connected with the second communication terminal through a second communication interface;

if the second security chip receives the ciphertext and the signature data of the call key sent by the second call terminal through the second communication interface, the second security chip verifies the signature data by using the public key of the first security device, and if the signature data passes the verification, the ciphertext of the call key is decrypted by using the private key of the second security device to obtain the call key, wherein the public key of the first security device is obtained from the digital certificate of the first security device;

the second security chip verifies the digital certificate of the first security device by using the root certificate in the second security device, and if the digital certificate of the first security device is verified to pass, the second security device outputs the identification information of the digital certificate of the first security device and prompts to confirm the identification information of the digital certificate of the first security device;

and after a second confirmation instruction is obtained, the second security chip starts the encryption and decryption operation of the voice call of the second call terminal by using the call key.

27. A data processing method for voice call is characterized in that the method comprises the following steps:

if the second security chip receives the ciphertext and the signature data of the call key sent by the second call terminal through the second communication interface, the second security chip verifies the signature data by using the public key of the first security device, and if the signature data passes the verification, the ciphertext of the call key is decrypted by using the private key of the second security device to obtain the call key, wherein the public key of the first security device is obtained from the digital certificate of the first security device; the second security chip starts the encryption and decryption operation of the voice call of the second call terminal by using the call key;

and after a second confirmation instruction is obtained, the second security chip utilizes the call key to continue to carry out encryption and decryption operations on the voice call of the second call terminal.

28. A data processing method for voice call is characterized in that the method comprises the following steps:

if the second security chip receives the cipher text and the signature data of the call key sent by the second call terminal through the second communication interface, the second security chip decrypts the cipher text of the call key by using the private key of the second security device to obtain the call key; verifying the signature data by using a public key of the first security device, wherein the public key of the first security device is obtained from a digital certificate of the first security device;

29. A data processing method for voice call is characterized in that the method comprises the following steps:

if the second security chip receives the cipher text and the signature data of the call key sent by the second call terminal through the second communication interface, the second security chip decrypts the cipher text of the call key by using the private key of the second security device to obtain the call key; verifying the signature data by using the public key of the first safety equipment, and if the signature data passes verification, starting encryption and decryption operations on voice call of the second communication terminal by using the call key by using the second safety chip, wherein the public key of the first safety equipment is obtained from the digital certificate of the first safety equipment;

30. The method according to any one of claims 26 to 29, wherein after the first security chip starts the encryption and decryption operation of the voice call of the first call terminal by using the call key, the method further comprises:

the first safety chip receives a second confirmation instruction sent by the first call terminal through the first communication interface, and obtains a first confirmation instruction according to the second confirmation instruction; and after the signature data is verified to pass and a first confirmation instruction is obtained, the first security chip continuously performs encryption and decryption operations on the voice call of the first call terminal by using the call key.

31. The method according to any one of claims 26 to 29, wherein the first security chip starts an encryption/decryption operation for the voice call of the first call terminal by using the call key, and the method comprises:

the first safety chip receives a second confirmation instruction sent by the first call terminal through the first communication interface, and obtains a first confirmation instruction according to the second confirmation instruction; and after the first confirmation instruction is obtained, the first security chip starts the encryption and decryption operation of the voice call of the first call terminal by using the call key.

32. The method of any of claims 26 to 29, wherein the prompting by the second security device to confirm identification information of the digital certificate of the first security device comprises:

33. The method of any one of claims 26 to 29, wherein the second security device outputting the identification information of the digital certificate of the first security device comprises:

34. The method according to any one of claims 26 to 29, wherein the second secure chip obtaining the digital certificate of the first secure device comprises:

35. The method of any one of claims 1 to 4, 10-13, 15-19, or 26-29, wherein the first secure chip obtaining a digital certificate for a second secure device comprises:

the first security chip acquires the digital certificate of the second security device from the pre-stored digital certificate; alternatively, the first and second electrodes may be,

and the first security chip receives the digital certificate of the second security device sent by the first call terminal through the first communication interface.

36. The method of any one of claims 1 to 4, 10-13, or 15-29, further comprising:

if the first security chip detects that the voice call of the first call terminal is ended, the first security chip deletes the call key; and/or the presence of a gas in the gas,

and if the second security chip detects that the voice call of the second call terminal is ended, the second security chip deletes the call key.

37. The method of any of claims 1-4, 10-13, or 15-29, wherein a private key of the first secure device is generated by the first secure chip internally to the first secure chip; and/or the private key of the second secure device is generated by the second secure chip inside the second secure chip.