CN101207484A - Multimedia subsystem and its method and device for establishing channel - Google Patents
- Publication number: CN101207484A
- Authority: CN (China)
- Prior art keywords: cscf, password, message, authentication challenge, terminal
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
- Landscapes: Telephonic Communication Services (AREA); Mobile Radio Communication Systems (AREA)
Abstract
The invention provides a multimedia subsystem and a method and device for establishing a channel in it, used to establish a PSK TLS link in the IMS subsystem. By carrying PSK TLS as an optional security policy in the registration message, the shared key is negotiated during signaling registration, which effectively speeds up both PSK TLS establishment and signaling registration.
Description
Technical field
The invention relates to the communication field, in particular to a multimedia subsystem and a method and device for establishing a channel in it.
Background
At present, in many scenarios in an IP Multimedia Subsystem (IMS) network, Transport Layer Security (TLS) is used to encrypt Session Initiation Protocol (SIP) signaling. In the prior art, when a terminal establishes TLS with a Proxy Call Session Control Function (P-CSCF), SIP registration and TLS establishment are handled as separate steps: the TLS connection is established before registration, and all subsequent SIP messages are sent over that connection.
Because TLS establishment is separated from SIP registration in the prior art, a TCP connection must first be set up between the terminal and the P-CSCF before the TLS link can be established, so the whole process has a long delay. Because TLS establishment and registration are separate processes, HTTP Digest authentication is still required between the terminal and the P-CSCF during registration, and the end user must judge the validity of the certificate, which is inconvenient for the user. Further, because TLS is established first and SIP signaling is transmitted afterwards, a malicious user in the network could establish TLS connections without transmitting any SIP signaling; a large number of such TLS connections between terminals and the P-CSCF would exhaust the P-CSCF's resources.
Summary of the invention
The technical problem to be solved by the present invention is to provide a method for establishing a channel in a multimedia subsystem, together with a multimedia subsystem, a terminal and a proxy call session control function entity, that can reduce the delay of establishing a PSK TLS link between the terminal and the P-CSCF and of registering and transmitting SIP signaling over that PSK TLS link.
To solve the above technical problem, the object of the present invention is achieved through the following technical solutions:
An embodiment of the present invention provides a method for establishing a channel in a multimedia subsystem, comprising:
The terminal sends a registration message to the proxy call session control function entity (P-CSCF), the registration message containing a security policy of pre-shared-key transport layer security (PSK TLS); the P-CSCF forwards the registration message to the serving call session control function entity (S-CSCF); the S-CSCF computes a password digest and sends an authentication challenge message carrying the user name and the password digest to the P-CSCF; if the P-CSCF supports the PSK TLS security policy, it stores the user name and password digest carried in the authentication challenge message returned by the S-CSCF and deletes them from the message; the P-CSCF sends the authentication challenge message, with the user name and password digest removed, to the terminal; the terminal and the P-CSCF negotiate a key derivation algorithm and establish the PSK TLS link.
Optionally, if the P-CSCF does not support the PSK TLS security policy, it returns an authentication challenge error message to the terminal.
Optionally, after the P-CSCF sends the registration message indicating PSK TLS as the security policy to the S-CSCF, and before the S-CSCF computes the password digest and sends the authentication challenge message carrying the user name and the password digest to the P-CSCF, the method includes:
the S-CSCF sends a password request message carrying the user name to the home subscriber server (HSS);
the HSS looks up the user's configuration data by the user name and returns to the S-CSCF a password request message carrying the user name and the password corresponding to it.
An embodiment of the present invention further provides a multimedia subsystem, comprising:
a P-CSCF, configured to receive the registration message sent by the terminal, the registration message containing the PSK TLS security policy; to forward the registration message to the S-CSCF; to determine whether it supports the PSK TLS security policy and, if so, to store the user name and password digest carried in the authentication challenge message returned by the S-CSCF, negotiate the password digest algorithm with the terminal and establish the PSK TLS link with the terminal; and an S-CSCF, configured to compute the password digest and send the authentication challenge message carrying the user name and the password digest to the P-CSCF.
Optionally, the P-CSCF is configured to return an authentication challenge error message to the terminal if it does not support the PSK TLS security policy.
Optionally, the multimedia subsystem includes:
the S-CSCF, configured to send a password request message carrying the user name to the HSS;
an HSS, configured to look up the user's configuration data by the user name and return to the S-CSCF a password request message carrying the user name and the corresponding password.
An embodiment of the present invention further provides a terminal, comprising:
a registration message sending unit, configured to send a registration message containing the PSK TLS security policy to the P-CSCF; an authentication challenge message receiving unit, configured to receive, after the registration message has been sent, the authentication challenge message from the P-CSCF that carries neither user name nor password digest; a key algorithm negotiation unit, configured to negotiate the key derivation algorithm with the P-CSCF after that authentication challenge message has been received; and a PSK TLS establishment unit, configured to establish the PSK TLS link with the P-CSCF after the key derivation algorithm has been negotiated.
An embodiment of the present invention further provides a proxy call session control function entity, comprising:
a registration message forwarding unit, configured to forward the registration message sent by the terminal, which contains the PSK TLS security policy, to the S-CSCF; a security policy judging unit, configured to determine whether the PSK TLS security policy is supported and, if so, to instruct the password storage unit to store the user name and password digest carried in the authentication challenge message returned by the S-CSCF; a password storage unit, configured to store that user name and password digest and delete them from the authentication challenge message once the security policy judging unit has determined that PSK TLS is supported; an authentication challenge message forwarding unit, configured to send the authentication challenge message, with the user name and password digest removed, to the terminal; a key negotiation unit, configured to negotiate the key derivation algorithm with the terminal after that message has been sent; and a PSK TLS link establishment unit, configured to establish the PSK TLS link with the terminal after the key derivation algorithm has been negotiated.
It can be seen from the above technical solutions that, because the present invention indicates PSK TLS as the security policy in the registration message and negotiates the security policy during signaling registration, the time needed to establish the PSK TLS link and to register is reduced, effectively reducing the delay of signaling registration and transmission.
Further, because the present invention carries the user name and password digest in the registration message, the password is effectively protected from eavesdropping during transmission; the registration message no longer needs to carry authentication information, so neither the terminal nor the server side needs to evaluate authentication information, which is convenient for the user.
Further, the present invention provides that if the P-CSCF does not support the PSK TLS security policy, it returns an authentication challenge error message to the terminal, so that the terminal is not left without a response for a long time and the user's time is not wasted.
Further, because the P-CSCF obtains the user name and the corresponding password from the HSS through the S-CSCF, and the S-CSCF computes the password digest and returns it to the P-CSCF, the load on the P-CSCF is reduced.
Further, because the password digest algorithm is negotiated when the PSK TLS link is established, the terminal and the P-CSCF are guaranteed to use the same password digest algorithm, ensuring that the PSK TLS link is established smoothly.
Brief description of the drawings
Fig. 1 is a diagram of an embodiment of the method for establishing a channel in a multimedia subsystem provided by the present invention;
Fig. 2 is a structural diagram of a multimedia subsystem provided by an embodiment of the present invention.
Detailed description
The present invention provides a method for establishing a channel in a multimedia subsystem, a multimedia subsystem, a terminal and a proxy call session control function entity, which can establish a PSK TLS link between the terminal and the P-CSCF. By carrying PSK TLS as an optional security policy in the registration message, the shared key is negotiated during signaling registration, effectively speeding up both PSK TLS establishment and signaling registration.
Detailed embodiments are given below.
Refer to Fig. 1, a diagram of an embodiment of the method for establishing a channel in a multimedia subsystem provided by the present invention.
101. The terminal sends a registration message to the P-CSCF;
The registration message sent by the terminal to the P-CSCF contains the PSK TLS security policy.
102. After receiving the registration message, the P-CSCF forwards it to the S-CSCF;
The registration message sent by the P-CSCF to the S-CSCF contains the PSK TLS security policy.
103. The S-CSCF sends a password request message to the HSS;
The S-CSCF sends a password request message (MAR message) to the HSS; the password request message carries the user name carried in the registration message.
Based on the user name carried in the registration message that indicates PSK TLS as the security policy, the S-CSCF requests the corresponding password from the Home Subscriber Server (HSS).
104. The HSS returns to the S-CSCF the password request message carrying the user name and the corresponding password;
The HSS looks up the stored login password of the registered user and returns it to the S-CSCF.
105. The S-CSCF sends an authentication challenge message to the P-CSCF;
The S-CSCF computes a password digest of the password returned by the HSS using the MD5 algorithm and sends the authentication challenge message (4xx-Auth_Challenge) carrying the user name and password digest to the P-CSCF. On receiving the authentication challenge message, the P-CSCF determines whether it supports the PSK TLS security policy; if so, it stores the user name and password digest carried in the message and deletes them from the message; if the P-CSCF does not support the PSK TLS security policy, it returns an authentication challenge error message to the terminal.
106. The P-CSCF sends the authentication challenge message to the terminal;
The P-CSCF extracts and stores the user name and password digest from the authentication challenge message sent by the S-CSCF, then sends the authentication challenge message, without user name or password digest, to the terminal.
107. The terminal and the P-CSCF negotiate the key derivation algorithm;
After receiving the authentication challenge message from the P-CSCF, the terminal sends a ClientHello message to the P-CSCF carrying the key derivation algorithm, either the PSK method or the DH method.
After receiving the ClientHello message, the P-CSCF sends a ServerHello message to the terminal, selecting the same key derivation algorithm as carried in the ClientHello message, i.e. the PSK method or the DH method.
108. PSK TLS is established between the terminal and the P-CSCF;
After the terminal and the P-CSCF have negotiated the key derivation algorithm, the encryption key and the integrity key are derived from the password digest already held by both the terminal and the P-CSCF, and PSK TLS is established between them.
109. The terminal sends the subsequent registration message to the P-CSCF over PSK TLS and carries out the subsequent standard procedure;
The registration request message REGISTER carries the authentication response (user name, password and verification information) to the P-CSCF entity for the subsequent standard registration procedure.
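The registration-time exchange of steps 101 to 108 (and the same flow summarised in the summary section), as an added Python model that is not part of the patent: the subscriber record, the message field names, the MD5 digest over the bare password and the HMAC-SHA256 key expansion are constructed assumptions, and only the PSK key derivation method, not the DH variant, is modelled. It shows what each entity sees, that the challenge forwarded to the terminal carries no credential, and that a wrong terminal password yields non-matching keys.

```python
import hashlib
import hmac

# Constructed subscriber record standing in for the HSS user configuration data.
HSS_USERS = {"alice@ims.example.invalid": "constructed-subscriber-password"}


def password_digest(password: str) -> str:
    """Password digest as the patent text describes it: MD5 over the password
    returned by the HSS (step 105). The P-CSCF only ever sees this digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def derive_keys(digest: str, kdf: str) -> dict:
    """Step 108: derive encryption and integrity keys from the shared digest.
    The patent does not name the expansion; HMAC-SHA256 with labels is assumed."""
    if kdf != "PSK":
        raise ValueError("only the PSK derivation method is modelled here")
    key = digest.encode("ascii")
    return {"enc": hmac.new(key, b"ims-psk-tls enc", hashlib.sha256).hexdigest(),
            "int": hmac.new(key, b"ims-psk-tls int", hashlib.sha256).hexdigest()}


class HSS:
    def handle_mar(self, username: str) -> dict:
        # Step 104: look up the subscriber's password by user name.
        return {"type": "MAA", "username": username,
                "password": HSS_USERS.get(username)}


class SCSCF:
    def __init__(self, hss: HSS):
        self.hss = hss

    def handle_register(self, register: dict) -> dict:
        # Step 103: password request (MAR) carrying the user name from REGISTER.
        answer = self.hss.handle_mar(register["username"])
        if answer["password"] is None:
            return {"type": "error", "reason": "unknown subscriber"}
        # Step 105: challenge carrying user name and digest towards the P-CSCF.
        return {"type": "4xx-Auth_Challenge", "username": answer["username"],
                "digest": password_digest(answer["password"])}


class PCSCF:
    def __init__(self, scscf: SCSCF, supports_psk_tls: bool = True):
        self.scscf = scscf
        self.supports_psk_tls = supports_psk_tls
        self.stored = {}  # user name -> digest retained for the PSK TLS handshake

    def handle_register(self, register: dict) -> dict:
        # Step 102: forward REGISTER, PSK TLS policy included, to the S-CSCF.
        challenge = self.scscf.handle_register(dict(register))
        if challenge["type"] != "4xx-Auth_Challenge":
            return challenge
        if not self.supports_psk_tls:
            # Explicit error rather than leaving the terminal waiting (step 105).
            return {"type": "4xx-Auth_Challenge_Error",
                    "reason": "PSK TLS security policy not supported"}
        # Steps 105/106: keep the credentials locally, strip them from the
        # message the terminal receives.
        self.stored[challenge["username"]] = challenge["digest"]
        return {"type": "4xx-Auth_Challenge"}

    def server_hello(self, client_hello: dict) -> dict:
        # Step 107: select the same key derivation method the ClientHello offered.
        if client_hello["kdf"] not in ("PSK", "DH"):
            return {"type": "Alert", "reason": "unsupported key derivation"}
        return {"type": "ServerHello", "kdf": client_hello["kdf"]}

    def session_keys(self, username: str, kdf: str) -> dict:
        # The P-CSCF knows the user name from the REGISTER it forwarded.
        return derive_keys(self.stored[username], kdf)


class Terminal:
    def __init__(self, username: str, password: str):
        self.username, self.password = username, password

    def register(self) -> dict:
        # Step 101: REGISTER advertising PSK TLS as an optional security policy.
        return {"type": "REGISTER", "username": self.username,
                "security_policies": ["psk-tls"]}

    def client_hello(self) -> dict:
        return {"type": "ClientHello", "kdf": "PSK"}

    def session_keys(self, kdf: str) -> dict:
        # The terminal computes the same digest from its own copy of the password.
        return derive_keys(password_digest(self.password), kdf)


def run_flow(username: str = "alice@ims.example.invalid",
             password: str = "constructed-subscriber-password",
             pcscf_supports_psk_tls: bool = True) -> dict:
    """Run steps 101 to 108 and report what each side ends up with."""
    pcscf = PCSCF(SCSCF(HSS()), pcscf_supports_psk_tls)
    term = Terminal(username, password)
    challenge = pcscf.handle_register(term.register())
    if challenge["type"] != "4xx-Auth_Challenge":
        return {"status": challenge["type"], "challenge_to_terminal": challenge}
    hello = pcscf.server_hello(term.client_hello())
    return {"status": "psk_tls_established",
            "challenge_to_terminal": challenge,
            "terminal_keys": term.session_keys(hello["kdf"]),
            "pcscf_keys": pcscf.session_keys(username, hello["kdf"])}


if __name__ == "__main__":
    print(run_flow())
```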
Refer to Fig. 2, a structural diagram of the multimedia subsystem provided by the present invention.
P-CSCF 300 is configured to receive the registration message sent by the terminal, forward it to the serving call session control function entity S-CSCF, determine whether the PSK TLS security policy is supported and, if so, store the user name and password digest carried in the authentication challenge message returned by the S-CSCF, negotiate the key derivation algorithm with the terminal and establish the PSK TLS link with the terminal;
S-CSCF 400 is configured to compute the password digest and send the authentication challenge message carrying the user name and the password digest to the P-CSCF.
On the basis of the above solution, if P-CSCF 300 does not support the PSK TLS security policy, it returns an authentication challenge error message to the terminal.
Also optionally, S-CSCF 400 is configured to send a password request message carrying the user name to the home subscriber server HSS;
HSS 500 is configured to look up the user's configuration data by the user name and return to the S-CSCF a password request message carrying the user name and the corresponding password.
The present invention also provides a terminal, comprising: a registration message sending unit, configured to send a registration message containing the PSK TLS security policy to the P-CSCF; an authentication challenge message receiving unit, configured to receive, after the registration message has been sent, the authentication challenge message from the P-CSCF that carries neither user name nor password digest; a key algorithm negotiation unit, configured to negotiate the key derivation algorithm with the P-CSCF after that authentication challenge message has been received; and a PSK TLS establishment unit, configured to establish the PSK TLS link with the P-CSCF after the key derivation algorithm has been negotiated.
The present invention also provides a proxy call session control function entity, comprising:
a registration message forwarding unit, configured to forward the registration message sent by the terminal, which contains the PSK TLS security policy, to the S-CSCF; a security policy judging unit, configured to determine whether the PSK TLS security policy is supported and, if so, to instruct the password storage unit to store the user name and password digest carried in the authentication challenge message returned by the S-CSCF; a password storage unit, configured to store that user name and password digest and delete them from the authentication challenge message once the security policy judging unit has determined that PSK TLS is supported; an authentication challenge message forwarding unit, configured to send the authentication challenge message, with the user name and password digest removed, to the terminal; a key negotiation unit, configured to negotiate the key derivation algorithm with the terminal after that message has been sent; and a PSK TLS link establishment unit, configured to establish the PSK TLS link with the terminal after the key derivation algorithm has been negotiated.
The method for establishing a channel in a multimedia subsystem, the multimedia subsystem, the terminal and the proxy call session control function entity provided by the present invention have been described in detail above. Specific examples have been used herein to explain the principles and embodiments of the present invention; the description of the above embodiments is intended only to help understand the method of the present invention and its core idea. At the same time, those of ordinary skill in the art may, in accordance with the idea of the present invention, make changes in the specific embodiments and the scope of application. In summary, the contents of this specification should not be understood as limiting the present invention.
Claims (8)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200610170633A CN100583766C (en) | 2006-12-22 | 2006-12-22 | Multimedia subsystem and its method and device for establishing channel |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200610170633A CN100583766C (en) | 2006-12-22 | 2006-12-22 | Multimedia subsystem and its method and device for establishing channel |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101207484A true CN101207484A (en) | 2008-06-25 |
| CN100583766C CN100583766C (en) | 2010-01-20 |
Family
ID=39567394
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN200610170633A Expired - Fee Related CN100583766C (en) | 2006-12-22 | 2006-12-22 | Multimedia subsystem and its method and device for establishing channel |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN100583766C (en) |
Cited By (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101729528B (en) * | 2009-05-21 | 2012-11-28 | 中兴通讯股份有限公司 | Media safety implementation method and system of IMS conference call |
| CN102685742A (en) * | 2011-03-15 | 2012-09-19 | 中国移动通信集团公司 | WLAN (Wireless Local Area Network ) access authentication method and device |
| CN102685742B (en) * | 2011-03-15 | 2016-01-27 | 中国移动通信集团公司 | A kind of WLAN access authentication method and device |
| CN106105100A (en) * | 2014-03-18 | 2016-11-09 | Twc专利信托公司 | Low delay, high capacity, high power capacity API gateway |
| CN106105100B (en) * | 2014-03-18 | 2019-09-06 | Twc专利信托公司 | The method and apparatus for handling Application Programming Interface request |
| CN107231332A (en) * | 2016-03-24 | 2017-10-03 | 华为技术有限公司 | Security strategy determines method and device |
| CN107612931A (en) * | 2017-10-20 | 2018-01-19 | 苏州科达科技股份有限公司 | Multipoint session method and multipoint session system |
Also Published As
| Publication number | Publication date |
|---|---|
| CN100583766C (en) | 2010-01-20 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US8959238B2 (en) | Systems, methods and computer program products for providing access to web services via device authentication in an IMS network | |
| KR100976635B1 (en) | Method for providing media security in an IMS network and IMS network providing media security | |
| JP5881949B2 (en) | Method and apparatus for end-to-edge media protection in IMS systems | |
| JP4806400B2 (en) | Identity processing in trusted domains of IP networks | |
| US8959343B2 (en) | Authentication system, method and device | |
| CN107147611B (en) | Transport layer security TLS chain establishment method, user equipment, server and system | |
| US8713634B2 (en) | Systems, methods and computer program products supporting provision of web services using IMS | |
| WO2012068922A1 (en) | Ims multimedia communication method and system, terminal and ims core network | |
| US7813509B2 (en) | Key distribution method | |
| WO2008040213A1 (en) | Message encryption and signature method, system and device in communication system | |
| CN101150592A (en) | session control system | |
| US20080120705A1 (en) | Systems, Methods and Computer Program Products Supporting Provision of Web Services Using IMS | |
| US10051016B2 (en) | Method, server and user equipment for accessing an HTTP server | |
| US11089561B2 (en) | Signal plane protection within a communications network | |
| CN102111379A (en) | Authentication system, method and device | |
| US7940748B2 (en) | Systems, methods and computer program products supporting provision of web services using IMS | |
| CN100583766C (en) | Multimedia subsystem and its method and device for establishing channel | |
| US8683034B2 (en) | Systems, methods and computer program products for coordinated session termination in an IMS network | |
| CN101098336B (en) | IMS terminal configuration server and IMS localization entry point detection method | |
| US20200204595A1 (en) | Media protection within the core network of an ims network | |
| CN102082769B (en) | Authentication system, device and method for IMS terminal when obtaining non-IMS service | |
| CN101483821A (en) | Method for establishing IMS service | |
| WO2008083620A1 (en) | A method, a system and an apparatus for media flow security context negotiation |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | C14 | Grant of patent or utility model | |
| | GR01 | Patent grant | |
| | TR01 | Transfer of patent right | Effective date of registration: 20170814. Patentee before: Huawei Technologies Co., Ltd. (518129 Bantian HUAWEI headquarters office building, Longgang District, Shenzhen, Guangdong). Patentee after: The International Intellectual Property Trading Center Co. Ltd. (519031, Hengqin financial industry service base, building No. 5 2-I, Zhuhai, Guangdong). |
| | TR01 | Transfer of patent right | Effective date of registration: 20171222. Patentee before: The International Intellectual Property Trading Center Co. Ltd. (519031, Hengqin financial industry service base, building No. 5 2-I, Zhuhai, Guangdong). Patentee after: Zhang Jinyan (No. 1523, Shuangqiao District, Chengde City, Hebei Province, Guangzhou). |
| | CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20100120. Termination date: 20171222. |