CN100388662C - A method for preventing users with 3G capability from using transitional authentication mode - Google Patents
Abstract
The invention provides a method for preventing users with 3G capability from using the transitional authentication mode. The key point is that, after the HSS receives from the S-CSCF an authentication request asking for the transitional authentication mode and determines that the requester is a 3G user, it judges whether that 3G user can only be authenticated in the transitional mode. If so, it continues with the transitional authentication operation; otherwise it sends authentication failure information to the S-CSCF and does not allow the 3G user to authenticate in the transitional mode. Applying the invention prevents users with full 3G security capability from using the transitional authentication scheme, avoids a security hole in the IMS system, and increases the security of the IMS system.
Description
Technical field
The invention relates to the field of mobile communication technology, and in particular to a method for preventing a user with 3G capability from using the transitional authentication mode when the user uses a multimedia subsystem (IMS) network.
Background
With the development of broadband networks, mobile communication is no longer limited to traditional voice communication. Combined with data services such as presence, messaging, web browsing, location information, push services and file sharing, mobile communication can deliver services in many media types, including audio, video, pictures and text, to meet users' varied needs.
For example, messaging services can provide instant messaging, chat rooms and multimedia short messages; video services can provide entertainment, multimedia information and everyday communication; e-commerce services can provide product catalogs, search engines, shopping carts, order management and payment; game services can provide single-player and group games; location services can provide people finding, guidance and alarms; personal assistant services can provide address books, calendars, bookmark management, file storage, event reminders and e-mail.
Driven by these applications, organizations such as the 3rd Generation Partnership Project (3GPP) and the 3rd Generation Partnership Project 2 (3GPP2) have successively introduced the IP-based multimedia subsystem (IMS) architecture. Its purpose is to use a standardized open structure in the mobile network to implement a wide variety of multimedia applications, giving users more choice and a richer experience.
The IMS architecture is layered on top of the packet-domain network. Its authentication-related entities include the Call State Control Function (CSCF) entity and the Home Subscriber Server (HSS) functional entity.
The CSCF can be further divided into three logical entities: the Serving CSCF (S-CSCF), the Proxy CSCF (P-CSCF) and the Interrogating CSCF (I-CSCF). These may be different physical devices or different functional modules within one physical device. The S-CSCF is the service control center of the IMS; it performs session control, maintains session state, manages user information, generates charging information, and so on. The P-CSCF is the access point through which end users reach the IMS; it handles user registration, quality of service (QoS) control, security management, and so on. The I-CSCF is responsible for interworking between IMS domains, manages the assignment of S-CSCFs, hides the network topology and configuration information from the outside, generates charging data, and so on. The HSS is a very important user database that supports the handling of calls and sessions by the network entities.
Because the services developed on IMS are so rich, operators have come to want IMS on 2G networks. A 2G network, however, cannot support the security-related functions of 3G-based IMS, such as access authentication at the IMS layer. The prior art therefore includes a transitional authentication scheme for using IMS services over 2G, which provides a certain level of security for 2G use of IMS services.
In this way, both users on 2G access and users on 3G access can access and use IMS services, and the 2G-based and 3G-based ways of accessing IMS are compatible. When a 2G-based user needs to access the IMS system, the user side gives an indication requesting the transitional authentication scheme. On receiving this indication, the S-CSCF requests transitional-scheme information from the HSS in order to perform transitional authentication. Although both kinds of user can access and use IMS services, the 3G-based authentication mode is much stricter than the 2G-based one, so from the network's point of view the 3G-based authentication mode is more secure.
Although this makes access easier for 2G users, the following situation can arise. A 3G-based user is able to carry out the full 3G authentication scheme but, hoping to steal network services, is unwilling to perform full 3G authentication. In its registration request the user therefore also instructs the S-CSCF to use the 2G-based transitional authentication scheme. The S-CSCF simply requests the transitional scheme's authentication information from the HSS as the user asked, without any check. On receiving the S-CSCF's request, the HSS finds that the user is a 3G user, but it assumes the user's handset may be a 2G handset and so returns the 2G transitional-scheme information to the S-CSCF, which carries out the transitional authentication scheme. This opens a hole in the security of the 3G IMS network: a user with full 3G capability bypasses the authentication process that should apply, creating a security risk for later service procedures. For example, the user can go without integrity protection on the air interface, modify service data, and so on.
Summary of the invention
In view of this, the object of the invention is to provide a method for preventing users with 3G capability from using the transitional authentication mode, thereby increasing the security of the IMS system.
To achieve this object, the technical solution of the invention is implemented as follows:
A method for preventing users with 3G capability from using the transitional authentication mode, comprising the following steps:
After the home subscriber server (HSS) receives, from the serving call state control function entity (S-CSCF), an authentication request asking for the transitional authentication mode and determines that the requester is a 3G user, it judges whether that 3G user can only be authenticated in the transitional mode. If so, it continues with the transitional authentication operation; otherwise it sends authentication failure information to the S-CSCF.
Preferably, the authentication request from the S-CSCF contains the user's permanent identity;
the judging method includes the following steps:
a. After obtaining the user's public identity (IMPU) or the user's telephone number (MSISDN) from the user's permanent identity, the HSS sends the Presence Server a message, containing the IMPU or MSISDN, that queries the 3G user's equipment capability information;
b. The HSS determines, from the user equipment capability information returned by the Presence Server, whether the 3G user can only be authenticated in the transitional mode.
Preferably, when the Capability Server that stores user equipment capability information is not the same server as the Presence Server, the method further includes, after the Presence Server receives the HSS's query for user equipment capability information: the Presence Server requests the 3G user's equipment capability information from the Capability Server and, after obtaining the Capability Server's reply, forwards that reply to the HSS; step b is then performed.
Preferably, the determination in step b is as follows: if the Presence Server returns that the 3G user's equipment capability is 2G equipment capability, or returns empty equipment capability information, or returns that no equipment capability information was found for the 3G user, the HSS determines that the 3G user can only be authenticated in the transitional mode.
Preferably, the authentication request from the S-CSCF contains the user equipment identifier (IMEI);
the judging method includes the following steps: the HSS sends the Capability Server a message, containing the IMEI, that queries the 3G user's equipment capability information; the Capability Server uses the list it stores, which maps manufacturer/terminal type to equipment capability, to determine whether the 3G user's terminal is a 2G terminal, and returns user equipment capability information to the HSS; the HSS determines from the information returned by the Capability Server whether the 3G user can only be authenticated in the transitional mode.
Preferably, the determination is as follows: if the user equipment capability information returned by the Capability Server is 2G equipment capability information, the 3G user is determined to be one that can only be authenticated in the transitional mode.
Preferably, the authentication request from the S-CSCF contains the user equipment identifier (IMEI);
the judging method includes the following steps: the HSS uses the list it stores itself, which maps manufacturer/terminal type to equipment capability, to determine whether the 3G user's terminal is a 2G terminal; if so, the 3G user is determined to be one that can only be authenticated in the transitional mode.
Preferably, the authentication failure information the HSS sends to the S-CSCF contains a failure cause value, and that value is "authentication mode not accepted";
after receiving the failure information, the S-CSCF notifies the user that authentication failed, with the failure cause value "authentication mode not accepted".
Preferably, the authentication failure information the HSS sends to the S-CSCF contains a failure cause value together with the information needed to authenticate in the 3G mode, and the failure cause value is "authentication mode not accepted"; after receiving this information, the S-CSCF either authenticates the 3G user directly with the 3G authentication scheme, or notifies the user that authentication failed, with the failure cause value "authentication mode not accepted".
Preferably, after the HSS receives from the S-CSCF the authentication request asking for the transitional mode, the method further includes: the HSS first judges whether the request contains capability information for the proxy call state control function entity (P-CSCF) and whether that information says the P-CSCF supports only 2G user access to the network. If so, it accepts the request and continues with the transitional authentication operation; otherwise it continues with the subsequent operations.
In the invention, after the HSS receives from the S-CSCF an authentication request asking for the transitional authentication mode and determines that the requester is a 3G user, it judges whether that 3G user can only be authenticated in the transitional mode. If so, it continues with the transitional authentication operation; otherwise it sends authentication failure information to the S-CSCF and does not allow the 3G user to authenticate in the transitional mode. Applying the invention prevents users with full 3G security capability from using the transitional authentication scheme, avoids a security hole in the IMS system, and increases the security of the IMS system.
Brief description of the drawings
FIG. 1 is a schematic flow diagram of Embodiment 1 of the invention;
FIG. 2 is a schematic flow diagram of Embodiment 2 of the invention.
Detailed description
To make the technical solution of the invention clearer, the invention is described in further detail below with reference to the drawings and specific embodiments.
FIG. 1 is a schematic flow diagram of Embodiment 1 of the invention.
Step 101: when a 3G user needs to use an IMS service, the user initiates a registration request in the IMS domain. The request is forwarded to the S-CSCF via the P-CSCF and the I-CSCF, and it contains an indication requesting the transitional authentication scheme.
Step 102: following the authentication scheme indication in the registration request, the S-CSCF sends an authentication request to the HSS. The authentication request contains information indicating that the transitional authentication mode is to be used, and also contains the user's permanent identity (IMPI).
Step 103: after the HSS receives the authentication request of step 102 and determines that the requester is a 3G user, it obtains the user's public identity (IMPU) or MSISDN from the user's IMPI, and then sends the Presence Server a message, containing the IMPU or MSISDN, that queries the 3G user's equipment capability information.
If the Presence server itself stores user equipment capability information, that is, the Presence server and the Capability Server that stores user equipment capability information are the same server, it looks up the 3G user's equipment capability information locally and goes directly to step 106. If the Presence server and the Capability server are not the same server, step 104 is performed.
Step 104: the Presence server requests the 3G user's equipment capability information from the Capability server.
Step 105: the Capability server returns a message containing the user equipment capability information to the Presence server.
Step 106: the Presence server returns a message containing the user equipment capability information to the HSS.
Step 107: the HSS determines, from the information returned by the Presence server, whether the 3G user can only be authenticated in the transitional mode. If so, step 110 is performed; otherwise step 108 is performed.
The HSS makes this determination as follows: if the Presence server returns that the 3G user's equipment capability is 2G equipment capability, or returns empty equipment capability information, or returns that no equipment capability information was found for the 3G user, the HSS determines that the 3G user can only be authenticated in the transitional mode.
Step 108: the HSS sends authentication failure information to the S-CSCF. The failure information contains a failure cause value, and that value is "authentication mode not accepted".
Step 109: after receiving the information of step 108, the S-CSCF notifies the user that authentication failed, with the failure cause value "authentication mode not accepted".
After receiving the failure notification, the user can initiate registration again and start the 3G authentication process in order to gain access to the service.
Steps 110 to 111: the HSS returns to the S-CSCF the authentication information for the transitional authentication mode, the S-CSCF and the UE authenticate each other, and the subsequent operations continue.
To let the HSS judge more accurately, the P-CSCF adds its own capability information to the registration request it forwards to the S-CSCF; that is, the registration request indicates whether the P-CSCF it passed through can support 3G user access to IMS or supports only 2G user access. After the HSS receives the authentication request from the S-CSCF, it first examines the capability information of the forwarding P-CSCF. If that P-CSCF supports only 2G user access, the HSS directly accepts the user's request for the transitional authentication mode and continues with the subsequent operations of that mode; otherwise it performs step 103.
This additional check is useful when the P-CSCF does not belong to the same operator. An operator can guarantee that its own P-CSCFs support both 2G and 3G IMS access, in which case the HSS has no need to make this check. But when a user is roaming and accesses through another operator's P-CSCF, the operator cannot guarantee that P-CSCF's capability, so the P-CSCF's capability has to be checked.
At this point, applying the above flow removes the possibility that a user with full 3G capability, that is, a 3G user using a 3G terminal, uses the transitional authentication scheme.
FIG. 2 is a schematic flow diagram of Embodiment 2 of the invention.
Step 201: when a 3G user needs to use an IMS service, the user initiates a registration request in the IMS domain. The request is forwarded to the S-CSCF via the P-CSCF and the I-CSCF. It contains an indication requesting the transitional authentication scheme and the International Mobile Equipment Identity (IMEI) of the user's own device; the IMEI includes manufacturer/terminal type information.
Step 202: following the authentication scheme indication in the registration request, the S-CSCF sends an authentication request to the HSS. The authentication request contains information indicating that the transitional authentication mode is to be used, and also contains the IMPI and the IMEI.
Step 203: after the HSS receives the authentication request of step 102 and determines that the requester is a 3G user, it sends the Capability Server a message, containing the IMEI, that queries the 3G user's equipment capability information. The Capability server stores a list mapping manufacturer/terminal type to equipment capability. It extracts the manufacturer/terminal type from the received IMEI and uses its list to determine the capability information of the device the user is using.
Step 204: the Capability server returns a message containing the user equipment capability information to the HSS.
Step 205: the HSS determines, from the information returned by the Capability server, whether the 3G user can only be authenticated in the transitional mode. If so, step 208 is performed; otherwise step 206 is performed.
The HSS makes this determination as follows: if the user equipment capability information returned by the Capability server is 2G equipment capability information, the 3G user is determined to be one that can only be authenticated in the transitional mode.
Step 206: the HSS sends authentication failure information to the S-CSCF. The failure information contains a failure cause value, and that value is "authentication mode not accepted".
After receiving the failure notification, the user can initiate registration again and start the 3G authentication process in order to gain access to the service.
Step 207: after receiving the information of step 206, the S-CSCF notifies the user that authentication failed, with the failure cause value "authentication mode not accepted".
Steps 208 to 209: the HSS returns to the S-CSCF the authentication information for the transitional authentication mode, the S-CSCF and the UE authenticate each other, and the subsequent operations continue.
For the above embodiment, if the network has no Capability server, the list mapping manufacturer/terminal type to equipment capability can instead be preconfigured in the HSS. The HSS then uses this preset list to judge whether the 3G user's terminal is a 2G terminal; if so, the 3G user is determined to be one that can only be authenticated in the transitional mode.
To let the HSS judge more accurately, the P-CSCF adds its own capability information to the registration request it forwards to the S-CSCF; that is, the registration request indicates whether the P-CSCF it passed through can support 3G user access to IMS or supports only 2G user access. After the HSS receives the authentication request from the S-CSCF, it first examines the capability information of the forwarding P-CSCF. If that P-CSCF supports only 2G user access, the HSS directly agrees to the user's request for the transitional authentication mode and continues with the subsequent operations of that mode; otherwise it performs step 203.
This additional check is useful when the P-CSCF does not belong to the same operator. An operator can guarantee that its own P-CSCFs support both 2G and 3G IMS access, in which case the HSS has no need to make this check. But when a user is roaming and accesses through another operator's P-CSCF, the operator cannot guarantee that P-CSCF's capability, so the P-CSCF's capability has to be checked.
At this point, applying the above flow likewise removes the possibility that a user with full 3G capability, that is, a 3G user using a 3G terminal, uses the transitional authentication scheme.
In both of the above flows, if the failure information returned by the HSS also includes the information needed to authenticate in the 3G mode, the S-CSCF, after receiving it, can authenticate the 3G user directly with the 3G authentication scheme, or can notify the user that authentication failed, with the failure cause value "authentication mode not accepted".
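The decision the HSS makes in both embodiments, including the optional P-CSCF pre-check, written out as an added example that is not code from the patent. The class and field names, the dictionaries standing in for the Presence Server and the manufacturer/terminal type list, keying that list on the first eight IMEI digits, and rejecting an unknown terminal type in the IMEI path are assumptions of this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class Capability(Enum):
    TWO_G = "2G"
    THREE_G = "3G"


class Decision(Enum):
    PROCEED_TRANSITIONAL = "continue transitional authentication"
    REJECT_MODE_NOT_ACCEPTED = "authentication failure: authentication mode not accepted"


@dataclass
class Subscriber:
    impu: str    # public identity, used to query the Presence Server
    is_3g: bool  # subscription type recorded in the HSS


@dataclass
class AuthRequest:
    """S-CSCF request that asks for the transitional authentication mode."""
    impi: str                             # permanent user identity
    imei: Optional[str] = None            # carried in Embodiment 2
    pcscf_2g_only: Optional[bool] = None  # P-CSCF capability info, if it was added


class HSS:
    def __init__(self, subscribers: Dict[str, Subscriber],
                 presence: Optional[Dict[str, Capability]] = None,
                 type_table: Optional[Dict[str, Capability]] = None):
        self.subscribers = subscribers
        self.presence = presence or {}  # stand-in for the Presence/Capability Server
        self.type_table = type_table    # manufacturer/terminal type -> capability

    def check(self, req: AuthRequest) -> Decision:
        sub = self.subscribers[req.impi]
        # The check applies only once the requester is known to be a 3G user.
        if not sub.is_3g:
            return Decision.PROCEED_TRANSITIONAL
        # Optional pre-check: a P-CSCF that supports only 2G access is accepted
        # directly, before any terminal capability lookup.
        if req.pcscf_2g_only is True:
            return Decision.PROCEED_TRANSITIONAL
        if req.imei is not None and self.type_table is not None:
            transitional_only = self._by_imei(req.imei)
        else:
            transitional_only = self._by_presence(sub.impu)
        return (Decision.PROCEED_TRANSITIONAL if transitional_only
                else Decision.REJECT_MODE_NOT_ACCEPTED)

    def _by_presence(self, impu: str) -> bool:
        # Embodiment 1: a 2G capability, an empty answer, or "not found" all
        # count as transitional-only, so this path fails open when no record exists.
        cap = self.presence.get(impu)
        return cap is None or cap is Capability.TWO_G

    def _by_imei(self, imei: str) -> bool:
        # Embodiment 2: only a 2G result permits the transitional mode.
        # Assumption: the type is the first eight IMEI digits, and an unknown
        # type is rejected (the page specifies only the 2G result).
        return self.type_table.get(imei[:8]) is Capability.TWO_G


def run_constructed_cases() -> Dict[str, Decision]:
    # All identities, IMEIs and capability records below are constructed samples.
    subs = {
        "alice@ims.example": Subscriber("sip:alice@ims.example", True),
        "bob@ims.example": Subscriber("sip:bob@ims.example", True),
        "carol@ims.example": Subscriber("sip:carol@ims.example", True),
    }
    presence = {"sip:alice@ims.example": Capability.THREE_G,
                "sip:bob@ims.example": Capability.TWO_G}  # carol has no record
    types = {"99000001": Capability.THREE_G, "99000002": Capability.TWO_G}
    hss1 = HSS(subs, presence=presence)
    hss2 = HSS(subs, type_table=types)
    return {
        "e1_3g_terminal": hss1.check(AuthRequest("alice@ims.example")),
        "e1_2g_terminal": hss1.check(AuthRequest("bob@ims.example")),
        "e1_no_record": hss1.check(AuthRequest("carol@ims.example")),
        "e1_2g_only_pcscf": hss1.check(
            AuthRequest("alice@ims.example", pcscf_2g_only=True)),
        "e2_3g_terminal": hss2.check(
            AuthRequest("alice@ims.example", imei="990000010000001")),
        "e2_2g_terminal": hss2.check(
            AuthRequest("bob@ims.example", imei="990000020000001")),
        "e2_unknown_type": hss2.check(
            AuthRequest("carol@ims.example", imei="990000030000001")),
    }


if __name__ == "__main__":
    for name, decision in run_constructed_cases().items():
        print(f"{name:18s} -> {decision.value}")
```

The two lookup paths treat missing data differently: the Presence Server path allows the transitional mode when no capability record exists, while the IMEI path here does not.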
The above are merely preferred embodiments of the invention and are not intended to limit it. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall fall within its scope of protection.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB2004100909307A CN100388662C (en) | 2004-11-10 | 2004-11-10 | A method for preventing users with 3G capability from using transitional authentication mode |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1774123A | 2006-05-17 |
CN100388662C | 2008-05-14 |
Family
ID=36760840
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNB2004100909307A Expired - Fee Related CN100388662C (en) | 2004-11-10 | 2004-11-10 | A method for preventing users with 3G capability from using transitional authentication mode |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN100388662C (en) |
Also Published As
Publication number | Publication date |
---|---|
CN1774123A (en) | 2006-05-17 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee | ||
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20080514 Termination date: 20211110 |