
CN1756428A - Method for carrying out authentication for terminal user identification module in IP multimedia subsystem - Google Patents

Method for carrying out authentication for terminal user identification module in IP multimedia subsystem

Info

Publication number: CN1756428A
Application number: CN200410084842.6A
Authority: CN (China)
Prior art keywords: cscf, authentication, rand, tlv triple, terminal user
Legal status: Granted; Expired - Fee Related
Other languages: Chinese (zh)
Other versions: CN100384120C (en)
Inventors: 谢红, 王金城, 朱东铭, 顾炯炯
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Events: application filed by Huawei Technologies Co Ltd; priority to CNB2004100848426A (CN100384120C); publication of CN1756428A; application granted; publication of CN100384120C; anticipated expiration

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

The invention discloses a method for authenticating a terminal user identity module in an IP Multimedia Subsystem (IMS). After receiving a registration request from a UE, the IMS system first determines a triplet authentication vector for that UE, the triplet containing at least RAND and SRES; it retains the SRES of the triplet and sends the RAND to the UE. The UE passes the RAND to its own terminal user identity module, which computes RES and returns it to the IMS system via the UE. The IMS system then checks whether the RES returned by the UE equals the SRES it retained: if so, authentication succeeds; otherwise it fails. The solution removes the prior-art requirement that authentication be performed through an ISIM. It allows a UE to be authenticated in the IMS system through a SIM, USIM or similar module, greatly reducing the difficulty of rolling out IM services while requiring only minimal changes to the existing network.

Description

Method for authenticating a terminal user identity module in an IP Multimedia Subsystem

Technical field

The present invention relates to authentication techniques for mobile terminals, and more particularly to a method for authenticating a terminal user identity module in an IP Multimedia Subsystem (IMS).

Background

With the development of multimedia services, multimedia services aimed at mobile terminals have begun to appear. The IMS system that currently provides multimedia services to mobile terminals is shown in Figure 1. It was originally a sub-domain overlaid on the existing packet domain of the third-generation (3G) network, dedicated to supporting IP multimedia services. Once conditions allow, the IMS system can also serve users who access it by other means, such as a wireless local area network (WLAN).

The IMS system consists mainly of call control entities and media gateway components; the Session Initiation Protocol (SIP) is the main protocol used to carry control signalling between them. The call control components perform call control, address translation, charging, hiding the mobility of the mobile terminal (UE) and similar functions, and are the key components of the IMS system; the media gateway components are introduced for compatibility with the existing public switched telephone network (PSTN). In addition, the Home Subscriber Server (HSS) of the IMS system is the device in the home network that stores IMS subscriber subscription data.

IMS security covers both authentication of users in the IMS system and protection of SIP messages. The IMS security architecture is shown in Figure 2. Authentication and Security Association (SA) negotiation between the UE and the home network use the mutual authentication mechanism of IMS Authentication and Key Agreement (AKA), while encryption and integrity protection of SIP messages are applied hop by hop.

Specifically, to authenticate IP Multimedia (IM) users in the IMS system, the 3GPP standards body uses a dedicated IMS Subscriber Identity Module (ISIM) as the authentication module on the user side, together with the AKA mechanism of the Universal Mobile Telecommunications System (UMTS). The procedure by which the IMS system authenticates a user is shown in Figure 3 and comprises the following steps:

Step 301: When the UE needs to use an IMS service, it sends a registration request to the Serving Call State Control Function (S_CSCF) via, in turn, the Proxy Call State Control Function (P_CSCF) and the Interrogating Call State Control Function (I_CSCF).

Step 302: On receiving the registration request, if the S_CSCF already holds a quintuplet authentication vector (AV) for this user, it authenticates the user with that vector directly, i.e. proceeds to step 304; otherwise it requests an AV from the HSS.

Here the quintuplet AV comprises a random number (RAND), an authentication token (AUTN), the cipher key (CK) used by the mobile network, an integrity key (IK) and an expected response (XRES).

Step 303: On receiving the request from the S_CSCF, the HSS determines the quintuplet AV and sends it to the S_CSCF.

Naturally, for efficiency, the HSS generally sends several quintuplet AVs to the S_CSCF in sequence.

Step 304: The S_CSCF retains the XRES of the quintuplet AV sent by the HSS, places RAND, AUTN, CK and IK in an authentication challenge (Autn_Challenge) message, and sends that message to the P_CSCF via the I_CSCF.

If the HSS sent several quintuplet AVs, the S_CSCF may select one in order; the remaining AVs are kept for the next authentication of this user.

Step 305: The P_CSCF retains the CK and IK that the S_CSCF sent in the Autn_Challenge message, and delivers the RAND and AUTN to the UE.

If the system has enabled integrity protection and confidentiality protection, the P_CSCF uses the saved IK and CK as keys in subsequent sessions.

Step 306: The UE passes the received RAND and AUTN to the ISIM.

Step 307: The ISIM verifies the received AUTN and, once verification succeeds, computes a response (RES) from the RAND. It sends the computed RES to the UE as the authentication response, and the UE returns the RES to the S_CSCF. At the same time the ISIM also computes IK and CK from the RAND and passes them to the UE.

The ISIM's verification of the received AUTN consists of determining whether the MAC contained in the AUTN is valid and whether the SQN is acceptable. The check of whether the SQN is acceptable is the check of whether resynchronisation is required.

In detail, the UE sends the RES to the S_CSCF via the P_CSCF and the I_CSCF, and keeps the IK and CK as keys for subsequent sessions.

Steps 308 to 309: The S_CSCF compares the RES in the authentication response sent by the UE with the XRES it retained. If they are equal, it determines that authentication has succeeded and sends an authentication success message to the UE via the I_CSCF and P_CSCF; otherwise it determines that authentication has failed.

The above procedure requires a separate ISIM module to perform IM-domain authentication; that is, the ISIM module as currently defined is dedicated to IM-domain authentication, whereas the terminal user identity modules that can currently be used with 3G contain no ISIM module, so they cannot complete IM-domain authentication through the above procedure. For example, most users today use Subscriber Identity Module (SIM) cards based on the GSM/GPRS network. Even where parts of the network have been upgraded to 3G, users can still access the 3G system through a SIM card because the UE supports dual-mode operation; in that case the SIM card contains no ISIM module, so IM-domain authentication cannot be completed through the above procedure. As another example, the UICC cards that have so far appeared for 3G generally contain only a USIM module for CS-domain and PS-domain authentication, so IM-domain authentication again cannot be completed through the above procedure.

If, instead of completing IM-domain authentication through the ISIM-based procedure above, one wishes to authenticate through the USIM module, the USIM will be authenticating the IM domain at the same time as the CS or PS domain, which causes frequent resynchronisation. Resynchronisation means the following: the USIM module stores SQN_MS. The SQN in a quintuplet issued by the HSS/HLR is taken from the SQN_HE stored by the HSS/HLR, so if that SQN is older than the SQN_MS stored in the USIM, SQN_HE is older than SQN_MS, and the USIM will use its own SQN_MS to resynchronise the SQN_HE in the HSS/HLR.

Specifically, to improve network access efficiency, the VLR serving the CS domain, the SGSN serving the PS domain and the S_CSCF serving the IM domain each request several authentication vectors at a time, use only one of them per authentication, and cache the rest themselves. If the domains are used at different rates, say the SGSN and then the VLR each fetch five authentication vectors from the HSS and each uses one, then heavy user activity in the CS domain can make the four authentication vectors still cached in the SGSN older than the SQN_MS in the USIM module, because the SQN_MS stored in the USIM now follows the SQN issued by the VLR. The USIM module will then use its own SQN_MS to resynchronise the SQN_HE in the HSS/HLR, invalidating all authentication vectors currently cached by the SGSN/VLR. As this example shows, if different domains are used at very different rates, frequent resynchronisation is inevitable.

To solve this frequent resynchronisation problem, an HSS could replace every HLR in the live network, because an HSS can partition the SQNs it issues among the CS, PS and IM domains, so that the USIM module compares SQNs within each domain separately; as long as the SQNs of the authentication tuples issued by the HSS to each domain are in order, no unnecessary resynchronisation is triggered. Since each domain has only one network entity caching authentication tuples (the VLR in the CS domain, the SGSN in the PS domain and the S_CSCF in the IM domain), partitioning of the SQN by the HSS solves the resynchronisation problem.

However, because the network is still at an early stage, replacing HLRs on a large scale is practically impossible. A more reasonable solution is to overlay one or more HSSs dedicated to IM services on the existing network, leaving the existing HLRs unchanged to continue serving the CS and PS domains, with the HSS obtaining the user's CS/PS information by interacting with the HLR in the live network. In this deployment the new IM domain and the existing CS/PS domains can share the USIM, and the IM-domain HSS can obtain authentication vectors from the HLR the user belongs to; but since the HLR cannot partition the SQNs it issues among the CS, PS and IM domains, the frequent resynchronisation problem remains unsolved.
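To make the resynchronisation argument of the preceding paragraphs concrete, here is a small simulation added for this page; it is not part of the patent and the names ToyAuC, ToyUsim, simulate and WORKLOAD are mine. It models two serving nodes (a VLR for the CS domain and an SGSN for the PS domain) that each cache a batch of five authentication vectors, and a USIM that accepts a vector only if its SQN is fresher than the SQN_MS it stores. It then compares an HLR with one shared SQN counter against an HSS that keeps a counter per domain. The SQN check is deliberately simplified to a single per-index "greater than the last accepted value" comparison (the real TS 33.102 check keeps a small array of recent values); the effect shown is the same.

```python
# Added example (not part of the patent): toy model of the resynchronisation
# problem.  Two serving nodes cache batches of authentication vectors from one
# subscriber's HLR/HSS; the USIM accepts a vector only if its SQN is fresher
# than the SQN_MS it stores.  The SQN check is simplified (see lead-in).

BATCH_SIZE = 5  # the patent's example: five vectors fetched per request


class ToyAuC:
    """HLR/HSS side.  partition_by_domain=False models an HLR with one SQN_HE
    counter shared by all domains; True models an HSS that keeps a separate
    counter (and therefore a separate index in the USIM) per domain."""

    def __init__(self, partition_by_domain: bool):
        self.partition_by_domain = partition_by_domain
        self.sqn_he = {}  # index -> highest SQN issued so far

    def index_for(self, domain: str) -> str:
        return domain if self.partition_by_domain else "shared"

    def batch(self, domain: str, n: int = BATCH_SIZE):
        """Issue n vectors with consecutive SQNs; each is (index, sqn)."""
        idx = self.index_for(domain)
        start = self.sqn_he.get(idx, 0)
        self.sqn_he[idx] = start + n
        return [(idx, s) for s in range(start + 1, start + n + 1)]

    def resync(self, idx: str, sqn_ms: int) -> None:
        """Resynchronisation: the AuC moves SQN_HE up to the USIM's SQN_MS."""
        self.sqn_he[idx] = max(self.sqn_he.get(idx, 0), sqn_ms)


class ToyUsim:
    """USIM side: one SQN_MS per index (a single index when the HLR cannot partition)."""

    def __init__(self):
        self.sqn_ms = {}

    def accept(self, av) -> bool:
        idx, sqn = av
        if sqn > self.sqn_ms.get(idx, 0):
            self.sqn_ms[idx] = sqn
            return True
        return False  # stale SQN: the card would answer with AUTS (resync)


def simulate(ops, partition_by_domain: bool) -> int:
    """Run a sequence of authentications ('CS' or 'PS') and count the
    resynchronisations the USIM triggers."""
    auc, usim = ToyAuC(partition_by_domain), ToyUsim()
    caches = {"CS": [], "PS": []}  # VLR cache and SGSN cache
    resyncs = 0
    for domain in ops:
        if not caches[domain]:
            caches[domain] = auc.batch(domain)
        av = caches[domain].pop(0)
        if not usim.accept(av):
            resyncs += 1
            idx = av[0]
            auc.resync(idx, usim.sqn_ms[idx])
            caches[domain] = auc.batch(domain)  # stale vectors are discarded
            assert usim.accept(caches[domain].pop(0))
    return resyncs


# Constructed workload matching the patent's example: the SGSN authenticates
# once, the CS domain is then used heavily, and the SGSN authenticates again.
WORKLOAD = ["PS"] + ["CS"] * 5 + ["PS"]
LONGER_WORKLOAD = WORKLOAD + ["CS"] * 5 + ["PS"]

if __name__ == "__main__":
    for name, ops in (("short", WORKLOAD), ("long", LONGER_WORKLOAD)):
        print(f"{name}: shared SQN -> {simulate(ops, False)} resync(s); "
              f"per-domain SQN -> {simulate(ops, True)} resync(s)")
```

With the shared counter, the SGSN's second authentication uses a vector whose SQN is already below the value the VLR's vectors pushed SQN_MS to, so it resynchronises and throws away its four remaining vectors; every further burst of CS activity repeats this. With a per-domain counter the same workload triggers no resynchronisation, which is exactly the property the patent's triplet scheme obtains differently, by never sending an AUTN at all.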

Moreover, when the IMS system is built as an overlay on the existing network, the need to verify the SQN means that the existing HLR and the newly added HSS must share the same AUC, which has a considerable impact on the existing network.

It follows from the above that, in order to offer IM services to a SIM card, or to a USIM card without the frequent resynchronisation problem, the solution currently recommended by 3GPP is to replace the card with one that contains an ISIM module. Under the current operating model, a user who wants to upgrade the UE can do so in many ways, including buying a new handset or upgrading through Java or an interface provided by the handset manufacturer, all of which are quite practical. A user who wants to change the card, however, must go to a dedicated outlet authorised by the operator; and to keep service continuous, the IMSI of the new card must retain a certain relationship to the IMSI of the old card, for instance belonging to the same HLR. Changing cards is therefore inevitably very cumbersome in practice.

In summary, using IM services today requires the user's terminal user identity module to contain an ISIM module. This is clearly a demanding requirement on the terminal user identity module, and usually means the user must replace his SIM or USIM card. Since changing cards is very cumbersome in practice, this greatly reduces the appeal of IM services and makes them harder for operators to promote.

Summary of the invention

In view of this, the main object of the present invention is to provide a method for authenticating a terminal user identity module in an IMS system, so that a user can use the IM services of a 3G system without replacing his terminal user identity module.

To achieve this object, the technical solution of the present invention is realised as follows: a method for authenticating a terminal user identity module in an IP Multimedia Subsystem, comprising the following steps:

a. After receiving a registration request sent by a mobile terminal UE, the IP Multimedia Subsystem (IMS) determines a triplet authentication vector for that UE, the triplet containing at least a random number RAND and a signed response SRES; it retains the SRES of the triplet and sends the RAND to the UE;

b. The UE passes the RAND to its own terminal user identity module;

c. The terminal user identity module computes RES from the RAND and returns the RES to the IMS system via the UE;

d. The IMS system determines whether the RES returned by the UE equals the SRES it retained; if so, authentication succeeds, otherwise authentication fails.

In step a, the IMS system determining the triplet authentication vector for the UE comprises: the S_CSCF in the IMS system determines whether it already holds a triplet authentication vector for that UE; if so, it performs the subsequent steps; otherwise it requests a triplet authentication vector for that UE from the Home Subscriber Server (HSS);

On receiving the authentication vector request sent by the S_CSCF, the HSS determines the triplet authentication vector for that UE and sends it to the S_CSCF.

The terminal user identity module in the UE is a Subscriber Identity Module (SIM), and the HSS directly determines the triplet authentication vector for the SIM module in the UE.

The terminal user identity module in the UE is a Universal Subscriber Identity Module (USIM);

The HSS determining the triplet authentication vector for the UE comprises: the HSS first determines a quintuplet authentication vector for the USIM module and converts that quintuplet authentication vector into a triplet authentication vector.

The triplet authentication vector further comprises Kc; the quintuplet authentication vector comprises RAND, XRES, IK, CK and AUTN; and converting the quintuplet authentication vector into a triplet authentication vector consists of discarding the AUTN of the quintuplet, keeping the RAND, converting XRES into SRES, and converting IK and CK into Kc.

In step c, the terminal user identity module computing RES from the RAND comprises: the USIM module determines from whether or not an AUTN was received whether to convert the quintuplet into a triplet, i.e. whether to enter the 3G+Kc mode; if no AUTN was received, it enters the 3G+Kc mode, computes XRES from the RAND and converts the XRES into SRES; if an AUTN was received, it does not enter the 3G+Kc mode and this procedure ends.

In step a, the IMS system sending the RAND to the UE consists of the S_CSCF sending the RAND to the UE via the I_CSCF and the P_CSCF;

In step c, the terminal user identity module returning the RES to the IMS system via the UE consists of the terminal user identity module sending the RES to the UE, and the UE then sending the RES to the S_CSCF via the Proxy Call State Control Function (P_CSCF) and the I_CSCF.

The system has integrity protection and confidentiality protection enabled, and the triplet further comprises Kc;

Step a further comprises: the S_CSCF in the IMS system converts the Kc of the triplet into CK and IK and sends the CK and IK to the P_CSCF via the I_CSCF;

Step c further comprises: the terminal user identity module computes Kc and passes the Kc up to the UE;

The method further comprises: the UE converts the Kc passed up by the terminal user identity module into IK and CK, and the UE and the P_CSCF use the IK and CK as keys in subsequent sessions.

The system has integrity protection and confidentiality protection enabled;

Step a further comprises: the S_CSCF in the IMS system sends the Kc of the triplet directly to the P_CSCF via the I_CSCF;

Step c further comprises: the terminal user identity module computes Kc and passes the Kc up to the UE;

The method further comprises: the P_CSCF and the UE each convert the Kc they received into CK and IK, and the UE and the P_CSCF use the IK and CK as keys in subsequent sessions.

The terminal user identity module is a USIM module;

In step c, the terminal user identity module computing Kc further comprises: after the USIM module has determined from the absence of an AUTN that the quintuplet must be converted into a triplet, i.e. that the 3G+Kc mode must be entered, it computes IK and CK from the RAND, converts the IK and CK into Kc, and then sends the Kc to the UE.

By having the IMS system authenticate the terminal user identity module with a triplet authentication vector, the solution of the present invention not only allows authentication with an existing SIM or USIM module but also bypasses the USIM module's check of the SQN. As a result an HSS newly deployed on top of the live network need not share the same AUC as the HLRs of the live network; in other words, a separate AUC can be provisioned for the HSS, so adding an HSS to the live network does not require any existing network equipment to be upgraded on account of authentication.

Through the solution of the present invention, users of SIM modules, USIM modules and the like can enjoy IM services without upgrading or changing cards, which greatly reduces the difficulty of rolling out IM services.

Furthermore, all the modifications involved in the solution of the present invention are implemented in the relevant network entities of the IM domain and impose no additional requirements on any equipment in current GSM, GPRS and UMTS networks, which makes it feasible to overlay an IMS system dedicated to providing the IM domain on the existing network.

Brief description of the drawings

Figure 1 is a schematic diagram of the structure of the current IMS system;

Figure 2 is a schematic diagram of the IMS security architecture;

Figure 3 is a message flow sequence diagram of the prior-art procedure in which the IMS system authenticates a UE through an ISIM;

Figure 4 is a message flow sequence diagram of the IMS system authenticating a UE through a SIM according to the present invention;

Figure 5 is a message flow sequence diagram of an alternative scheme of the present invention in which the IMS system authenticates a UE through a SIM;

Figure 6 is a message flow sequence diagram of the IMS system authenticating a UE through a USIM according to the present invention;

Figure 7 is a message flow sequence diagram of an alternative scheme of the present invention in which the IMS system authenticates a UE through a USIM.

Detailed description

Since the procedure shown in Figure 3 requires verification of the AUTN, and for a SIM module or USIM module verifying the AUTN brings the problem of frequent resynchronisation, the core idea of the present invention is that when the S_CSCF needs to authenticate a UE it uses a triplet authentication vector, which contains no AUTN, and thereby bypasses the SQN check. Accordingly, the authentication vectors the HSS sends to the S_CSCF should also be triplets.

The solution of the present invention is described in detail below with reference to the drawings, taking a SIM and then a USIM as the terminal user identity module.

Figure 4 shows the authentication procedure for a SIM card accessing the IM domain, which comprises the following steps:

Step 401: When the UE needs to use an IMS service, it sends a registration request to the S_CSCF via, in turn, the P_CSCF and the I_CSCF.

Step 402: On receiving the registration request, the S_CSCF determines whether it already holds a triplet AV for this user. If so, it authenticates the user with that AV directly, i.e. proceeds to step 404; if not, it requests an AV from the HSS.

Here the triplet AV comprises RAND, a signed response SRES, and Kc.

Step 403: On receiving the request from the S_CSCF, the HSS determines the triplet AV for this SIM module and sends it to the S_CSCF.

Because the SIM itself supports triplet AVs, the HSS can determine the triplet AV for the SIM directly.

Also, for efficiency, the HSS generally sends several triplet AVs to the S_CSCF in sequence.

Step 404: The S_CSCF retains the SRES of the triplet AV sent by the HSS, converts Kc into CK and IK using the standard algorithm, and then sends the RAND together with the derived CK and IK to the P_CSCF in an Auth_Challenge message.

If the HSS sent several triplet AVs, the S_CSCF may select one in order; the remaining AVs are kept for the next authentication of this user.

Step 405: The P_CSCF retains the CK and IK that the S_CSCF sent in the Auth_Challenge message, and delivers the RAND to the UE.

If the system has enabled integrity protection and confidentiality protection, the P_CSCF uses the saved IK and CK as keys in subsequent sessions.

Step 406: The UE passes the received RAND to the SIM.

Step 407: On receiving the RAND, the SIM computes RES and Kc from it, returns the RES to the S_CSCF via the UE as the authentication response, and passes the Kc up to the UE.

In detail, the UE sends the authentication response returned by the SIM to the S_CSCF via, in turn, the P_CSCF and the I_CSCF.

Steps 408 to 409: The S_CSCF compares the RES in the authentication response sent by the UE with the SRES it retained. If they are equal, it determines that authentication has succeeded and sends an authentication success message to the UE via the I_CSCF and P_CSCF; otherwise it determines that authentication has failed.

The above procedure authenticates the SIM. Naturally, if the system has enabled integrity protection and confidentiality protection, the UE must also convert the Kc passed up by the SIM into IK and CK, to serve as the integrity key and cipher key for subsequent sessions.

In the above procedure, the conversion algorithm used by the S_CSCF and the UE may be the triplet/quintuplet conversion algorithm specified in 3GPP TS 33.102, which improves interoperability.

对于针对SIM卡鉴权的过程来说,还可以通过图5所示过程实现。该过程与上述图4所示过程相比,图5中的步骤501~503,以及步骤506~509与图4中的相应步骤相同,其主要区别在于:For the SIM card authentication process, it can also be realized through the process shown in FIG. 5 . Compared with the above-mentioned process shown in Figure 4, steps 501-503 and steps 506-509 in Figure 5 are the same as the corresponding steps in Figure 4, and the main differences are:

在步骤504中,S_CSCF不对Kc进行转换,而是直接将Kc通过Auth_Challenge消息发送给P_CSCF。In step 504, the S_CSCF does not convert the Kc, but directly sends the Kc to the P_CSCF through the Auth_Challenge message.

在步骤505中,P_CSCF保留的是S_CSCF通过Auth_Challenge消息发送来的Kc。当然,如果系统启动了一致性保护和保密性保护,则P_CSCF还需要使用标准算法将该Kc转换为CK和IK,并在后续的会话中使用保存下来的IK和CK作为密钥。In step 505, what the P_CSCF retains is the Kc sent by the S_CSCF through the Auth_Challenge message. Of course, if the system has enabled consistency protection and confidentiality protection, P_CSCF also needs to use standard algorithms to convert the Kc into CK and IK, and use the saved IK and CK as keys in subsequent sessions.

The SIM authentication procedure has been described above with reference to Figures 4 and 5. The procedure for authentication via a USIM is shown in Figure 6 and comprises the following steps:

Step 601: When the UE needs to use an IMS service, it sends a registration request to the S_CSCF via the P_CSCF and then the I_CSCF.

Step 602: After receiving the registration request, the S_CSCF determines whether it already holds a triplet AV for this user. If so, it uses that AV directly to authenticate the user, i.e. it proceeds to step 404; if not, it requests a triplet AV from the HSS.

Here, the triplet AV comprises RAND, SRES and Kc.

Step 603: After receiving the request from the S_CSCF, the HSS determines the quintuplet AV corresponding to this USIM, which comprises RAND, XRES, IK, CK and AUTN. It then converts this quintuplet AV into the corresponding triplet AV, comprising RAND, SRES and Kc, using the standard conversion algorithm, and delivers the resulting triplet AV to the S_CSCF.

Because the USIM itself does not support triplet AVs, the HSS must first determine the quintuplet AV that the USIM supports and then convert it into the corresponding triplet AV. The conversion consists mainly of: keeping the original RAND, discarding the AUTN, converting XRES into SRES, and converting IK and CK into Kc.

In addition, to improve efficiency, the HSS generally determines several quintuplet AVs, converts each of them into the corresponding triplet AV, and then sends the converted triplet AVs to the S_CSCF in order.

Step 604: The S_CSCF retains the SRES from the triplet AV sent by the HSS, converts the Kc into CK and IK using the standard algorithm, and then sends the RAND together with the converted CK and IK to the P_CSCF in the Auth_Challenge message.

Of course, if the HSS sent several triplet AVs, the S_CSCF may select one AV in order and keep the remaining AVs for the next authentication of this user.

Step 605: The P_CSCF retains the CK and IK sent by the S_CSCF in the Auth_Challenge message and delivers the RAND to the UE.

If integrity protection and confidentiality protection are enabled in the system, the P_CSCF uses the saved IK and CK as the keys for subsequent sessions.

Step 606: The UE passes the received RAND to the USIM.

Step 607: After receiving the RAND, the USIM determines from the AUTN that the quintuplet must be converted into a triplet, computes XRES, IK and CK from the RAND, and then uses the conversion algorithm to convert XRES into RES and IK and CK into Kc. It returns the RES to the S_CSCF through the UE as the authentication response and passes the converted Kc up to the UE.

Here, the USIM determining from the AUTN that the quintuplet must be converted into a triplet may consist of the USIM determining from the AUTN that the 3G+Kc mode must be started. Specifically, the USIM decides whether to start the 3G+Kc mode as follows: the USIM checks whether an AUTN was received; if an AUTN was received, it does not start the 3G+Kc mode and processes according to its original logic; if no AUTN was received, it starts the 3G+Kc mode and then performs the subsequent processing described above.

Specifically, the UE forwards the authentication response returned by the USIM to the S_CSCF via the P_CSCF and then the I_CSCF.

Steps 608 to 609: The S_CSCF compares the RES in the authentication response sent by the UE with the SRES it saved. If they are equal, it determines that authentication has passed and sends an authentication success message to the UE via the I_CSCF and P_CSCF; otherwise, authentication fails.

Of course, if integrity protection and confidentiality protection are enabled in the system, the UE also needs to convert the Kc passed up by the USIM into IK and CK, to serve as the integrity and confidentiality keys of subsequent sessions.

Likewise, the conversion algorithm used in the above processing may be the triplet/quintuplet conversion algorithm specified in 3GPP TS 33.102, which improves generality.

The USIM card authentication procedure can also be realized by the procedure shown in Figure 7. Compared with the procedure of Figure 6 described above, its main difference is the same as the difference between the Figure 4 and Figure 5 flows in the SIM card authentication procedure above. That is, the S_CSCF may leave the Kc unconverted and send it directly to the P_CSCF; if integrity protection and confidentiality protection are enabled in the system, the P_CSCF must then convert this Kc into CK and IK using the standard algorithm and use them as the keys in subsequent sessions.
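As an added example (this is not code from the patent or from its assignee), the following Python implements the triplet/quintuplet conversion functions c2 to c5 of 3GPP TS 33.102 Annex C that steps 603, 604 and 607 and the Kc handling of Figures 5 and 7 rely on, and simulates the Figure 6 exchange end to end: the HSS converts a quintuplet into a triplet, the S_CSCF caches the batch, keeps the SRES and forwards RAND with CK/IK, the USIM enters 3G+Kc mode because no AUTN arrives, and the S_CSCF compares RES with SRES (steps 608 to 609). The card's f2/f3/f4 functions are stood in for by HMAC-SHA256 over a constructed key K (not MILENAGE), the private identity and the RAND values are constructed, the P_CSCF and I_CSCF hops are collapsed into function calls, and all class and function names are my own.

```python
import hashlib
import hmac
import os


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# 3GPP TS 33.102 Annex C conversion functions referenced in the description.
def c2_xres_to_sres(xres):
    """c2: zero-pad XRES (4..16 octets) to 16 octets and XOR its four 32-bit words."""
    if not 4 <= len(xres) <= 16:
        raise ValueError("XRES must be 4..16 octets")
    x = xres.ljust(16, b"\x00")
    return _xor(_xor(x[0:4], x[4:8]), _xor(x[8:12], x[12:16]))


def c3_ck_ik_to_kc(ck, ik):
    """c3: Kc = CK1 ^ CK2 ^ IK1 ^ IK2 (64-bit halves of the 128-bit keys)."""
    if len(ck) != 16 or len(ik) != 16:
        raise ValueError("CK and IK must be 16 octets")
    return _xor(_xor(ck[:8], ck[8:]), _xor(ik[:8], ik[8:]))


def c4_kc_to_ck(kc):
    """c4: CK = Kc || Kc."""
    if len(kc) != 8:
        raise ValueError("Kc must be 8 octets")
    return kc + kc


def c5_kc_to_ik(kc):
    """c5: IK = (Kc1 ^ Kc2) || Kc || (Kc1 ^ Kc2), with Kc1, Kc2 the 32-bit halves."""
    if len(kc) != 8:
        raise ValueError("Kc must be 8 octets")
    h = _xor(kc[:4], kc[4:])
    return h + kc + h


def quintuplet_to_triplet(av5):
    """Step 603 at the HSS: keep RAND, drop AUTN, XRES -> SRES, (CK, IK) -> Kc."""
    return {"RAND": av5["RAND"], "SRES": c2_xres_to_sres(av5["XRES"]),
            "Kc": c3_ck_ik_to_kc(av5["CK"], av5["IK"])}


# Constructed stand-in for the card's f2/f3/f4 functions (HMAC-SHA256, NOT MILENAGE).
def _f(k, rand, label, n):
    return hmac.new(k, label + rand, hashlib.sha256).digest()[:n]


def hss_quintuplet(k, rand):
    return {"RAND": rand, "XRES": _f(k, rand, b"f2", 8), "CK": _f(k, rand, b"f3", 16),
            "IK": _f(k, rand, b"f4", 16), "AUTN": _f(k, rand, b"autn", 16)}


def usim_respond(k, rand, autn):
    """Step 607: RAND without AUTN -> 3G+Kc mode, answer (RES, Kc); AUTN present -> normal 3G."""
    xres, ck, ik = _f(k, rand, b"f2", 8), _f(k, rand, b"f3", 16), _f(k, rand, b"f4", 16)
    if autn is not None:
        return {"mode": "3G", "RES": xres, "CK": ck, "IK": ik}
    return {"mode": "3G+Kc", "RES": c2_xres_to_sres(xres), "Kc": c3_ck_ik_to_kc(ck, ik)}


class SCSCF:
    """Holds unused triplets per user (steps 602, 604) and the SRES of the open challenge."""

    def __init__(self):
        self.avs = {}       # private identity -> triplets, consumed in order
        self.pending = {}   # private identity -> SRES kept for the outstanding challenge

    def challenge(self, impi, hss_avs=None):
        """Steps 602 to 604: reuse a cached AV, otherwise take the batch fetched from the HSS."""
        if not self.avs.get(impi):
            if hss_avs is None:
                raise LookupError("no AV cached for this user; fetch from the HSS first")
            self.avs[impi] = list(hss_avs)
        av = self.avs[impi].pop(0)          # each triplet is used exactly once
        self.pending[impi] = av["SRES"]
        # Figure 6 variant: the S_CSCF expands Kc itself and hands RAND, CK, IK to the P_CSCF
        return av["RAND"], c4_kc_to_ck(av["Kc"]), c5_kc_to_ik(av["Kc"])

    def verify(self, impi, res):
        """Step 608: compare RES with the stored SRES; a challenge can be answered only once."""
        sres = self.pending.pop(impi, None)
        return sres is not None and hmac.compare_digest(sres, res)


def run_registration(k_hss, k_usim, rands=None):
    """Figure 6 end to end. k_usim != k_hss models a card the HSS does not know."""
    impi = "user@ims.example"           # constructed private identity
    rands = rands or [os.urandom(16) for _ in range(2)]
    triplets = [quintuplet_to_triplet(hss_quintuplet(k_hss, r)) for r in rands]
    s = SCSCF()
    rand, ck_net, ik_net = s.challenge(impi, triplets)
    card = usim_respond(k_usim, rand, autn=None)     # the P_CSCF forwarded RAND only
    ok = s.verify(impi, card["RES"])
    # Both ends expand the same Kc, so the session keys agree: c3(c4(Kc), c5(Kc)) == Kc
    keys_match = ok and c4_kc_to_ck(card["Kc"]) == ck_net and c5_kc_to_ik(card["Kc"]) == ik_net
    return {"ok": ok, "mode": card["mode"], "keys_match": keys_match, "cached": len(s.avs[impi])}


if __name__ == "__main__":
    k = bytes(range(16))
    print(run_registration(k, k))           # ok True, keys agree, one triplet left cached
    print(run_registration(k, bytes(16)))   # ok False
```

The identity c3(c4(Kc), c5(Kc)) == Kc is what makes the Figure 6 and Figure 7 variants equivalent: whether the S_CSCF or the P_CSCF expands the Kc, both ends of the session arrive at the same CK and IK. Two points a reviewer would look for in a real S_CSCF are visible here: each triplet is popped and used once and the stored SRES is discarded on verify, so a captured response cannot be replayed against the same RAND, and the RES/SRES comparison uses hmac.compare_digest. Note also that CK and IK expanded from a Kc carry no more than the 64 bits of entropy of that Kc, so the session keys are only as strong as the GSM triplet they came from.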

The above are merely preferred embodiments of the present invention and are not intended to limit the scope of protection of the present invention.

Claims (10)

1. A method for authenticating a terminal user identification module in an IP Multimedia Subsystem, characterized in that the method comprises the following steps:
a. after receiving a registration request sent by a mobile terminal UE, the IP Multimedia Subsystem (IMS) determines a triplet authentication vector for this UE, the triplet authentication vector comprising at least a random number RAND and a signed response SRES, retains the SRES of the triplet, and delivers the RAND to the UE;
b. the UE passes the RAND to its own terminal user identification module;
c. the terminal user identification module computes RES from the RAND and returns the RES to the IMS system via the UE;
d. the IMS system determines whether the RES returned by the UE equals the SRES it retained; if so, authentication passes, otherwise authentication fails.
2. The method according to claim 1, characterized in that in step a, the IMS system determining the triplet authentication vector for the UE comprises: the Serving Call Session Control Function (S_CSCF) in the IMS system determines whether it already holds a triplet authentication vector for this UE; if so, it proceeds with the subsequent steps; otherwise, it requests a triplet authentication vector for this UE from the Home Subscriber Server (HSS);
after receiving the authentication vector request sent by the S_CSCF, the HSS determines the triplet authentication vector for this UE and sends it to the S_CSCF.
3. The method according to claim 2, characterized in that the terminal user identification module in the UE is a Subscriber Identity Module (SIM), and the HSS directly determines the triplet authentication vector for the SIM module in this UE.
4. The method according to claim 2, characterized in that the terminal user identification module in the UE is a Universal Subscriber Identity Module (USIM);
the HSS determining the triplet authentication vector for the UE comprises: the HSS first determines a quintuplet authentication vector for the USIM module and converts the quintuplet authentication vector into the triplet authentication vector.
5. The method according to claim 4, characterized in that the triplet authentication vector further comprises the cipher key Kc used by the Global System for Mobile communications (GSM); the quintuplet authentication vector comprises RAND, an expected response XRES, an integrity key IK, a cipher key CK and an authentication token AUTN;
converting the quintuplet authentication vector into the triplet authentication vector comprises: discarding the AUTN of the quintuplet, keeping the RAND, converting the XRES into SRES, and converting the IK and CK into Kc.
6. The method according to claim 4, characterized in that in step c, the terminal user identification module computing RES from the RAND comprises: the USIM module determines, from whether it has received an AUTN, whether the quintuplet needs to be converted into a triplet; if no AUTN is received, it determines that the quintuplet needs to be converted into a triplet, computes XRES from the RAND and converts the XRES into SRES; if an AUTN is received, it performs no conversion and ends this processing flow.
7. The method according to claim 1, characterized in that in step a, the IMS system delivering the RAND to the UE comprises: the S_CSCF delivers the RAND to the UE via the Proxy Call Session Control Function (P_CSCF);
in step c, the terminal user identification module returning the RES to the IMS system via the UE comprises: the terminal user identification module sends the RES to the UE, and the UE in turn sends the RES to the S_CSCF via the P_CSCF.
8. The method according to claim 7, characterized in that the system has integrity protection and confidentiality protection enabled, and the triplet further comprises Kc;
step a further comprises: the S_CSCF in the IMS system converts the Kc of the triplet into CK and IK and sends the CK and IK to the P_CSCF;
step c further comprises: the terminal user identification module computes Kc and passes the Kc up to the UE;
the method further comprises: the UE converts the Kc passed up by the terminal user identification module into IK and CK; the UE and the P_CSCF use the IK and CK as the keys in subsequent sessions.
9. The method according to claim 7, characterized in that the system has integrity protection and confidentiality protection enabled;
step a further comprises: the S_CSCF in the IMS system sends the Kc of the triplet directly to the P_CSCF;
step c further comprises: the terminal user identification module computes Kc and passes the Kc up to the UE;
the method further comprises: the P_CSCF and the UE each convert the Kc they received into CK and IK; the UE and the P_CSCF use the IK and CK as the keys in subsequent sessions.
10. The method according to claim 8 or 9, characterized in that the terminal user identification module is a USIM module;
in step c, the terminal user identification module computing Kc further comprises: after the USIM module determines, from not having received an AUTN, that the quintuplet needs to be converted into a triplet, it computes IK and CK from the RAND, converts the IK and CK into Kc, and then sends the Kc to the UE.
CNB2004100848426A 2004-09-30 2004-09-30 Method for Authenticating Terminal User Identity Module in IP Multimedia Subsystem Expired - Fee Related CN100384120C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2004100848426A CN100384120C (en) 2004-09-30 2004-09-30 Method for Authenticating Terminal User Identity Module in IP Multimedia Subsystem

Publications (2)

Publication Number Publication Date
CN1756428A true CN1756428A (en) 2006-04-05
CN100384120C CN100384120C (en) 2008-04-23

Family

ID=36689283

Country Status (1)

Country Link
CN (1) CN100384120C (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20080423