
WO2008089699A1 - A method and a system for authenticating a user terminal in ims network - Google Patents

Info

Publication number
WO2008089699A1
Authority
WO
WIPO (PCT)
Prior art keywords
access
header field
authentication
network
mode
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2008/070149
Other languages
French (fr)
Chinese (zh)
Inventor
Chengdong He
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Publication of WO2008089699A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management
    • H04L67/147 Signalling methods or messages providing extensions to protocols defined by standardisation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/10 Architectures or entities
    • H04L65/1016 IP multimedia subsystem [IMS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/1066 Session management
    • H04L65/1073 Registration or de-registration

Definitions

  • the invention belongs to the technical field of IMS (IP Multimedia Service Subsystem), and particularly relates to a technology for access terminal authentication in an IMS network.
  • IMS: IP Multimedia Service Subsystem
  • IP: Internet Protocol
  • 3G: third generation mobile communication system
  • TISPAN: Telecommunications and Internet Converged Services and Protocols for Advanced Networking
  • Security is an important aspect of 3G and TISPAN considerations.
  • the IMS network is divided into an access domain and a core domain from a security perspective, and security specifications of the access domain and the core domain are respectively defined.
  • The transport-network part of the IMS network depends on the specific access network, which may be a TISPAN/NGN (Next Generation Network) access network, a Packet Cable access network, a Wireless Local Area Network (WLAN) access network, etc.
  • TISPAN/NGN: Next Generation Network
  • WLAN: Wireless Local Area Network
  • AKA: Authentication and Key Agreement
  • NBA (NASS-Bundled-Authentication): binding of IMS service layer authentication and access layer authentication
  • HTTP DIGEST: HTTP digest authentication
  • An embodiment of the present invention provides a method for authenticating a user terminal in an IMS network, and a CSCF, so that when different access networks access the same IMS network, the CSCF can distinguish the authentication mode of the user terminal and therefore perform the correct authentication process for the user terminal.
  • An embodiment of the present invention provides a method for authenticating a user terminal in an IMS network: receiving a registration (REGISTER) message of the user terminal (UE); determining an authentication mode of the UE according to the Authorization header field and/or the private access network information (P-Access-Network-Info) header field in the REGISTER message; and performing authentication processing according to the determined authentication mode.
  • An embodiment of the present invention further provides a system comprising an authentication mode determining unit, configured to determine the authentication mode of the UE according to the Authorization header field and/or the P-Access-Network-Info header field in the REGISTER message of the UE.
  • FIG. 1 is a schematic block diagram of an I-CSCF in an embodiment of the present invention.
  • FIG. 2 is a flow chart of a method for authenticating a user terminal in an IMS network according to the present invention
  • FIG. 3 is a flowchart of a specific implementation manner of the embodiment of the present invention shown in FIG.
  • Figure 5 is a flow chart of the AKA authentication mode
  • Figure 7 is a flow chart of the NBA authentication mode
  • FIG. 8 is a flow chart of the HTTP DIGEST authentication method.
  • After receiving the REGISTER message sent by the P-CSCF, the I-CSCF distinguishes the authentication mode according to the Authorization header field and/or the P-Access-Network-Info header field in the REGISTER message, and then performs subsequent authentication processing. It should be noted that the corresponding functions performed by the I-CSCF in the embodiment of the present invention may also be performed by other CSCF entities.
  • The embodiment of the invention discloses a system, which may be a CSCF (such as an I-CSCF) or another entity capable of performing the same function.
  • the system is described in detail below by taking the I-CSCF as an example.
  • the block diagram of the I-CSCF is as shown in FIG. 1 , and includes an authentication mode determining unit 11 .
  • the I-CSCF receives the REGISTER message
  • the I-CSCF determines the authentication mode adopted by the UE according to the Authorization header field and/or the P-Access-Network-Info header field in the message.
  • the authentication mode determining unit 11 analyzes the REGISTER message received by the I-CSCF:
  • the I-CSCF determines that the AKA authentication mode should be used
  • the access-type parameter in the header field or the P-Access-Network-Info header field indicates that the access network type is a cable access network, and the authentication mode of the UE is determined to be HTTP digest mode.
  • the I-CSCF determines that the 3GPP early IMS authentication mode should be adopted;
  • the I-CSCF determines that TISPAN's NBA or HTTP DIGEST authentication mode should be used.
  • After the authentication mode determining unit 11 determines the authentication mode of the UE, the I-CSCF performs subsequent authentication processing according to the determined authentication mode.
  • The foregoing I-CSCF may further include a unit for receiving the REGISTER message of the UE, which provides the REGISTER message to the authentication mode determining unit 11; it may further include a unit that performs authentication according to the authentication mode determined by the authentication mode determining unit 11.
  • Step 21 Receive a registration REGISTER message of the user terminal UE.
  • Step 22 Determine an authentication mode of the UE according to the authentication Authorization header field and/or the private access network information P-Access-Network-Info header field in the REGISTER message.
  • the authentication mode of the UE is determined to be an authentication and key agreement AKA mode.
  • the authentication mode of the UE is the early IMS authentication Early IMS mode.
  • the access-type parameter in the P-Access-Network-Info header field indicates that the access network type is the 3GPP mobile access network, and the authentication mode of the UE is determined to be the early IMS authentication Early IMS mode.
  • if the access-type parameter in the P-Access-Network-Info header field indicates that the access network type is a TISPAN (Telecommunications and Internet Converged Services and Protocols for Advanced Networking) fixed access network, the authentication mode of the UE is determined to be TISPAN's NBA mode (IMS service layer authentication bound to NASS access layer authentication) or HTTP digest mode.
  • if the value of the integrity-protected parameter in the Authorization header field in the REGISTER message corresponds to a value other than AKA, the authentication mode of the UE is determined to be HTTP digest mode;
  • the authentication mode of the UE is HTTP digest mode
  • the access-type parameter in the P-Access-Network-Info header field indicates that the access network type is a cable access network, and the authentication mode of the UE is then determined to be HTTP digest mode.
  • Step 23 Perform authentication processing according to the determined authentication manner.
  • the UE sends a REGISTER message to the P-CSCF to request registration.
  • the P-CSCF forwards the REGISTER message to the I-CSCF;
  • the I-CSCF determines the authentication mode of the user terminal according to the parameters in the Authorization header field, the parameters in the P-Access-Network-Info header field, or the parameters in both header fields;
  • the I-CSCF determines that the AKA authentication mode should be used
  • the access-type parameter in the -Info header field or the P-Access-Network-Info header field indicates that the access network type is a cable access network, and the authentication mode of the UE is determined to be HTTP digest mode;
  • the access-type parameter in the P-Access-Network-Info header field or the P-Access-Network-Info header field indicates the 3GPP mobile access network, and the I-CSCF determines that the 3GPP early IMS authentication mode should be used;
  • the I-CSCF determines that TISPAN's NBA or HTTP DIGEST authentication mode should be used.
  • the I-CSCF determines the authentication mode
  • the I-CSCF performs subsequent authentication processing according to the corresponding authentication mode.
  • the specific process of the authentication method is as shown in FIG. 4, and includes the following steps:
  • the UE sends a REGISTER message to the P-CSCF to request registration.
  • the P-CSCF forwards the REGISTER message to the I-CSCF, and the I-CSCF receives the REGISTER message;
  • the I-CSCF determines whether the Authorization header field exists in the message. If not, go to step 4. If yes, go to step 7;
  • I-CSCF further determines whether there is a P-Access-Network-Info header field in the REGISTER message, if yes, go to step 5, otherwise go directly to step 6;
  • the I-CSCF further determines whether the access network type indicated by the access-type in the P-Access-Network-Info header field is a 3GPP mobile access network or a TISPAN fixed access network. If it is a 3GPP mobile access network, such as 3GPP-GERAN, 3GPP-UTRAN-FDD or 3GPP-UTRAN-TDD, go to step 6; if it is a TISPAN fixed access network, such as NASS (network attachment subsystem) or DSL (digital subscriber line), go to step 9;
  • 3GPP-GERAN: GSM EDGE Radio Access Network (GERAN)
  • 3GPP-UTRAN-FDD: Universal Terrestrial Radio Access Network, Frequency Division Duplex
  • 3GPP-UTRAN-TDD: Universal Terrestrial Radio Access Network, Time Division Duplex
  • the I-CSCF determines that the authentication mode is 3GPP Early IMS;
  • if not, go to step 8, otherwise go to step 10;
  • the I-CSCF determines whether the access-type in the P-Access-Network-Info header field indicates that the access network type is a TISPAN fixed access network, and if yes, go to step 9, otherwise go to step 11;
  • the I-CSCF determines the NBA or HTTP DIGEST authentication mode using TISPAN.
  • the I-CSCF can further distinguish the two authentication methods as follows: If the TISPAN fixed access network type is indicated as
  • the I-CSCF determines whether the value of the integrity-protected parameter corresponds to AKA (for example, its value is "YES" or "NO"); if yes, go to step 12, otherwise go to step 11;
  • the I-CSCF processes this as another case; for example, if the value of the integrity-protected parameter in the Authorization header field in the REGISTER message corresponds to a value other than AKA, or if there is no integrity-protected parameter in the Authorization header field in the REGISTER message and the access-type parameter in the P-Access-Network-Info header field indicates that the access network type is a cable access network, the authentication mode of the UE is determined to be HTTP digest mode.
  • the I-CSCF determines that the authentication method is AKA.
  • the subsequent authentication process is performed.
  • Different authentication methods correspond to different authentication processes.
  • the specific authentication process can refer to the application process corresponding to various authentication modes.
  • the application flow corresponding to each of several authentication methods is given below.
  • the application process of the UE is the application flow corresponding to the AKA mode, and the main steps are as follows:
  • The initial key K is shared between the UE (user terminal) and the HSS (Home Subscriber Server).
  • SM1-CM2: The user initiates a registration request SM1 (SM indicates that the message between the two entities is a SIP message), and the S-CSCF requests data from the HSS through CM1 (CM indicates a Cx interface message between the I/S-CSCF and the HSS, which uses the DIAMETER protocol rather than the SIP protocol).
  • SM: SIP message
  • CM: Cx interface message between the I/S-CSCF and the HSS (DIAMETER protocol, not SIP)
  • The HSS generates an authentication quintuple based on the initial key K and the sequence number (SQN) and delivers it to the S-CSCF (Serving Call Session Control Function) through CM2. The quintuple consists of random data (RAND), authentication token (AUTN), expected response (XRES), integrity key (IK) and ciphering key (CK).
  • SQN: Sequence Number
  • S-CSCF: Serving Call Session Control Function
  • The S-CSCF returns a 401 response (authentication challenge) to the user, carrying the four elements of the quintuple other than XRES.
  • P-CSCF: Proxy Call Session Control Function
  • The UE verifies whether the network device is trusted, based on the initial key K, the SQN, and the AUTN received from the network device. If verification succeeds, the network device is trusted, and the UE combines RAND and K to produce the result RES. RES is used as the "password" when the terminal computes the response, and the computed result is sent to the network side in SM7 (authentication response). The UE also calculates IK and CK itself.
  • The S-CSCF receives in SM9 the response information generated from RES and compares it with the result calculated from XRES. If the two are the same, authentication of the user is considered successful.
  • The UE initiates registration with the IMS (IP Multimedia Core Network Subsystem) network; AKA implements mutual authentication between the UE and the IMS network and also establishes a security association between the UE and the P-CSCF (Proxy Call Session Control Function).
  • the UE and the P-CSCF share an encryption key CK and an integrity protection key IK. These two keys will be used for secure communication channels between the UE and the P-CSCF.
  • FIG. 6 is an application flow corresponding to the Early IMS authentication mode.
  • The user terminal accesses a GPRS (General Packet Radio Service) network through a GGSN (Gateway GPRS Support Node); the GGSN authenticates the user identifiers IMSI (International Mobile Subscriber Identity) and MSISDN (Mobile Station International ISDN Number) and allocates a network transport layer identifier, the IP address, to the user terminal.
  • Step 1 The GGSN transmits the correspondence between the user identifier and the terminal IP address to the HSS through the "Accounting Request Start", and the HSS saves the correspondence;
  • Step 2 The HSS responds with "Accounting Request Answer";
  • Step 3 The user terminal initiates registration by sending a REGISTER request to the P-CSCF.
  • The P-CSCF compares the IP address in the sent-by field of the Via header field in the REGISTER message with the source IP address in the IP header of the REGISTER message. If they are inconsistent, it adds a received header field to the Via header field and fills it with the source IP address from the IP header; the P-CSCF then forwards the REGISTER request to the S-CSCF.
  • the S-CSCF queries whether the registration has been made based on the public user ID in the REGISTER request.
  • Step 4 If not registered, the S-CSCF requests from the HSS the terminal IP address corresponding to the public user ID (the HSS statically configures the correspondence between the public user ID and the MSISDN, and obtains the corresponding terminal IP address through the public user identifier);
  • Step 5 The HSS returns the terminal IP address corresponding to the public user identifier.
  • Step 6 The S-CSCF checks the source IP address of the received REGISTER (if there is a received header field in the Via header field, the received header field is compared preferentially; otherwise the sent-by field in the Via header field is compared); if it is the same as the IP address obtained from the HSS, the authentication success message is sent to the GGSN.
  • the Early IMS access domain security mechanism is only for a specific wireless access environment, and has special requirements for the access network, and cannot guarantee user access security in other access environments.
  • Step 101 Network Attachment Subsystem (NASS) access layer attachment authentication, and a connection location function entity (Connection Location)
  • NASS: Network Attachment Subsystem
  • CLF: Connection Location Function
  • Step 102 The UE sends a registration message REGISTER message to the P-CSCF, where the message carries the access operator identifier and the access user identifier.
  • Step 103 The P-CSCF determines whether a security association with the UE needs to be established by checking whether the REGISTER message includes a security negotiation parameter (for example, Security-Client). If the parameter is present, a security association needs to be established; if it is absent, none is needed. In general, Authentication and Key Agreement (AKA) always has this parameter, and NASS-Bundled and HTTP digest (HTTP DIGEST) never have it.
  • AKA: Authentication and Key Agreement
  • HTTP DIGEST: Hypertext Transfer Protocol digest authentication
  • Step 104 The P-CSCF determines the CLF according to the access operator identifier in the registration message and the correspondence between the preset access carrier identifier and the CLF. Then, the P-CSCF queries the location information of the user in the CLF determined above according to the source IP address of the registration message.
  • Step 105 Since the location information corresponding to the source IP address is pre-stored in the CLF, the CLF returns corresponding location information and other information to the P-CSCF in this step.
  • Step 106 The P-CSCF sends the registration message REGISTER carrying the location information and other information obtained in the previous step to the Interrogating-Call Session Control Function (I-CSCF).
  • I-CSCF Interrogating-Call Session Control Function
  • Step 107 The I-CSCF sends a User Authorization Request (UAR) message to the User Profile (UPSF).
  • UAR User Authorization Request
  • step 108 the UPSF returns a User Authorization Answer (UAA) message.
  • UAA User Authorization Answer
  • Step 109 The I-CSCF selects a corresponding S-CSCF according to the message returned from the UPSF, that is, selects which S-CSCF processes the registration.
  • Step 110 The I-CSCF forwards the registration message REGISTER including the location information to the S-CSCF determined above.
  • the authentication request sent by the S-CSCF to the UPSF is only for requesting the authentication parameter. If there is no such parameter, the configured authentication mode needs to be queried from the UPSF, and the request that the S-CSCF sends to the UPSF asks for both the authentication method and the corresponding authentication parameters. Since the NASS-Bundled authentication method is used here, the Integrity-Protected parameter is not included in the REGISTER message.
  • the S-CSCF sends a MAR (Multimedia Authentication Request) message to the UPSF, requesting the user's authentication vector and corresponding authentication parameters.
  • MAR Multimedia Authentication Request
  • Step 112 The UPSF checks the authentication subscription data of the user, and finds that the authentication mode of the user is the NASS-Bundled authentication mode.
  • Step 113 The UPSF sends a Multimedia Authentication Answer (MAA) message to the S-CSCF, and returns the user's authentication mode and the authentication parameter, that is, the location information.
  • MAA Multimedia Authentication Answer
  • Step 114 The S-CSCF compares the location information sent from the P-CSCF with the location information obtained from the UPSF. If they are consistent, authentication succeeds, and step 115 and the subsequent steps are performed, that is, a message that authentication succeeded is sent to the UE. If they are inconsistent, authentication fails, and step 115 and the subsequent steps are performed, that is, a message that authentication failed is sent to the UE.
  • Step 115 The S-CSCF sends a 2xx Auth_OK message to the I-CSCF, indicating that the authentication succeeds.
  • Step 116 The I-CSCF sends the foregoing 2xx Auth_OK message to the P-CSCF.
  • Step 117 The P-CSCF sends the foregoing 2xx Auth_OK message to the UE.
  • FIG. 8 is an application flow corresponding to the HTTP DIGEST authentication method, which includes the following steps:
  • Step 201 The UE sends a registration message to the P-CSCF.
  • Step 202 The P-CSCF determines whether a security association with the UE needs to be established by checking whether the REGISTER message includes a security negotiation parameter (for example, Security-Client). If the parameter is present, a security association needs to be established; if it is absent, none is needed. In general, Authentication and Key Agreement (AKA) always has this parameter, and NASS-Bundled and HTTP digest (HTTP DIGEST) never have it.
  • Step 203 The P-CSCF forwards the registration message REGISTER of the UE to the I-CSCF.
  • the message also carries the location information of the UE obtained by the P-CSCF from the CLF query.
  • Step 205 The I-CSCF forwards the UE registration REGISTER to the S-CSCF determined in step 204.
  • Step 206 The S-CSCF determines which authentication method is adopted by whether the Integrity-Protected parameter is included in the REGISTER message. If there is this parameter, it is definitely the AKA mode.
  • the authentication request sent by the S-CSCF to the UPSF is only for requesting the authentication parameter. If there is no such parameter, the configured authentication mode needs to be queried to the UPSF, and the S-CSCF sends it to the UPSF. The request is for requesting the authentication method and the corresponding authentication parameters. Since the HTTP DIGEST authentication method is used here, the Integrity-Protected parameter is not included in the REGISTER message.
  • the S-CSCF and the UPSF update the S-CSCF indication information on the UPSF through the Cx-Put message, and inform the UPSF that the subsequent processing by the user is performed in the S-CSCF.
  • Step 207 The S-CSCF sends an MAR message to the UPSF, requesting the user's authentication mode and authentication data.
  • Step 208 The UPSF checks the authentication subscription data of the user, and obtains the authentication mode of the user according to the authentication subscription data as an HTTP DIGEST authentication mode, and generates an authentication vector such as nonce and an expected result (XRES) and the like.
  • Step 209 The UPSF sends a MAR message to the S-CSCF, and sends the user authentication mode information HTTP DIGEST, the authentication parameter nonce, the expected result (XRES), and the like to the S-CSCF.
  • Step 210 The S-CSCF calculates the expected result XRES.
  • Step 211 The S-CSCF obtains the authentication mode information and saves the XRES, and then sends a "4xx Auth_Challenge" message to the I-CSCF; the Algorithm parameter in the WWW-Authenticate header of the message indicates that the HTTP DIGEST authentication method is used.
  • Step 212 The I-CSCF sends the "4xx Auth_Challenge" message to the P-CSCF; the Algorithm parameter in the WWW-Authenticate header of the message indicates that the HTTP DIGEST authentication method is used.
  • Step 213 The P-CSCF sends the "4xx Auth_Challenge" message to the UE.
  • Step 214 After receiving the "4xx Auth_Challenge" message, the UE finds that the Algorithm parameter indicates the HTTP DIGEST authentication mode, and re-sends the registration message REGISTER to the P-CSCF, carrying the response (RES) for authentication.
  • Step 215 The P-CSCF sends a registration message REGISTER carrying the RES to the I-CSCF.
  • the -CSCF indication message informs the I-CSCF to process the S-CSCF of the registration.
  • the S-CSCF sends a message of successful authentication or authentication failure to the UE.
  • Step 217 the I-CSCF forwards the registration REGISTER to the S-CSCF determined in step 216.
  • Step 219 The S-CSCF and the UPSF update the S-CSCF indication information on the UPSF by using a Cx-Put message, and notify the UPSF that the subsequent processing by the user is performed in the S-CSCF.
  • Step 220 The S-CSCF and the UPSF obtain the subscription data information of the user by using a Cx-Pull message.
  • Step 221 The S-CSCF sends a 200 message indicating that the authentication succeeds to the I-CSCF, or a 403 Forbidden message indicating that the authentication fails. In the figure, only the 200 message when the authentication succeeds is indicated.
  • Step 222 The I-CSCF sends the foregoing message to the P-CSCF.
  • Step 223 The P-CSCF sends the foregoing message to the UE.
  • the I-CSCF needs to derive the IMPI (IMS Private User Identity) from the IMPU (IMS Public User Identity) as follows: the URI (Uniform Resource Identifier), port number, etc. are removed from the IMPU and the result is used as the IMPI; this is not required for other authentication methods.
  • IMPI IMS Private User Identity
  • IMPU IMS Public User Identity
  • the I-CSCF needs to perform the following S-CSCF reselection procedure: if the previously selected S-CSCF does not respond to the REGISTER message sent by the I-CSCF, or sends a response message such as 3XX or 480, and the REGISTER message has no "integrity-protected" header field, the I-CSCF performs the S-CSCF reselection process to select a new S-CSCF; this is not required for other authentication methods.
  • the registration message may contain the Authorization header field (with IMPI), it may not include the Authorization header field, which may or may not include IMPI, so that when IMPF interacts with CFX, IMPI
  • the acquisition method may be different from Early IMS.
  • After receiving the REGISTER message, the I-CSCF first determines whether the Authorization header field exists in the message, and then makes the next decision according to whether or not it is present. In an actual application it is also possible to first determine whether the P-Access-Network-Info header field exists in the REGISTER message and then make the next decision according to its presence or absence. That is, the I-CSCF's evaluation of the Authorization header field, the P-Access-Network-Info header field and their parameters is not limited to a specific order, and one authentication method can be uniquely determined according to one or both of the two header fields.
  • The HTTP DIGEST authentication method in the foregoing specific embodiment of the present invention is a general term, which includes not only the HTTP DIGEST authentication method in the traditional sense, but also the SIP DIGEST authentication method developed from the traditional HTTP DIGEST.
  • The I-CSCF determines the authentication mode of the user terminal based on the parameters in the Authorization header field and/or the P-Access-Network-Info header field of the REGISTER message, which solves the problem of how the I-CSCF distinguishes the various authentication modes when multiple access networks access the same IMS core network.
  • The technical solution provided by the embodiment of the present invention is also extensible, and can readily solve the problem of how the I-CSCF distinguishes a new authentication mode that is introduced when other access networks access the same IMS core network.

Abstract

A method and a system for authenticating a user terminal in an IMS network. The method comprises: receiving a REGISTER message of a user terminal (UE); determining an authentication mode according to the Authorization header field and/or the P-Access-Network-Info (private access network information) header field in the REGISTER message; and performing authentication processing according to the determined authentication mode.

Description

Method and system for authenticating a user terminal in an IMS network

This application claims priority to Chinese patent application No. 200710073023.5, filed with the Chinese Patent Office on January 23, 2007 and entitled "A method for distinguishing user terminal authentication modes in an IMS network, and an I-CSCF", the entire contents of which are incorporated herein by reference.

Technical field

The invention belongs to the technical field of IMS (IP Multimedia Service Subsystem), and in particular relates to techniques for authenticating access terminals in an IMS network.

Background

The IP (Internet Protocol) multimedia subsystem, as the core session control layer of fixed and mobile networks, has become one direction of technological development. The third-generation mobile communication system (3G) and TISPAN (Telecommunications and Internet Converged Services and Protocols for Advanced Networking) standards define many IMS-related specifications covering network architecture, interfaces, protocols and other aspects, and security is an important aspect considered by both 3G and TISPAN. From a security perspective, the existing specifications divide the IMS network into an access domain and a core network domain, and define security specifications for each.

The transport network part of an IMS network depends on the specific access network, which may be a TISPAN/NGN (Next Generation Network) access network, a Packet Cable access network, a wireless local area network (WLAN) access network, and so on.

The authentication modes currently supported in 3GPP (The Third Generation Partnership Project) are AKA (Authentication and Key Agreement) and Early IMS (early IMS authentication).

The authentication modes currently supported in TISPAN networks are AKA, NASS-Bundled-Authentication (NBA, which binds IMS service-layer authentication to access-layer authentication) and HTTP DIGEST.

In the course of implementing the present invention, the inventor found that there is currently no solution for different access networks to access the same IMS core network at the same time.

Summary of the invention

An embodiment of the present invention provides a method for authenticating a user terminal in an IMS network, and a CSCF, so that when different access networks access the same IMS network, the CSCF can distinguish the authentication mode of the user terminal and can then authenticate the user terminal correctly.

An embodiment of the present invention provides a method for authenticating a user terminal in an IMS network: receiving a REGISTER message of a user terminal (UE); determining the authentication mode of the UE according to the Authorization header field and/or the P-Access-Network-Info (private access network information) header field in the REGISTER message; and performing authentication processing according to the determined authentication mode.

An embodiment of the present invention further provides a system that includes an authentication mode determining unit, configured to determine the authentication mode of the UE according to the Authorization header field and/or the P-Access-Network-Info header field in the REGISTER message of the UE.

Brief description of the drawings

FIG. 1 is a schematic block diagram of the I-CSCF in an embodiment of the present invention;

FIG. 2 is a flowchart of an embodiment of the method for authenticating a user terminal in an IMS network according to the present invention;

FIG. 3 is a flowchart of a specific implementation of the embodiment shown in FIG. 2;

FIG. 4 is a flowchart of the specific determination made by the I-CSCF in a specific implementation of the present invention;

FIG. 5 is a flowchart of the AKA authentication mode;

FIG. 6 is a flowchart of the Early IMS authentication mode;

FIG. 7 is a flowchart of the NBA authentication mode;

FIG. 8 is a flowchart of the HTTP DIGEST authentication mode.

Detailed description

In the embodiments of the present invention, after the I-CSCF receives the REGISTER message sent by the P-CSCF, it distinguishes the authentication mode according to the Authorization header field and/or the P-Access-Network-Info header field in the REGISTER message, and then performs the subsequent authentication processing. Note that the functions performed by the I-CSCF in the embodiments of the present invention may also be performed by other CSCF entities.

To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the invention is described in further detail below with reference to the accompanying drawings and embodiments. The specific embodiments described here only explain the invention and do not limit it.

An embodiment of the invention discloses a system, which may be a CSCF (such as an I-CSCF) or another entity capable of performing the same function. The system is described in detail below using the I-CSCF as an example. As shown in the block diagram in FIG. 1, the I-CSCF includes an authentication mode determining unit 11. After the I-CSCF receives a REGISTER message, the authentication mode determining unit 11 determines the authentication mode used by the UE according to the Authorization header field and/or the P-Access-Network-Info header field in the message. Specifically, the authentication mode determining unit 11 analyzes the REGISTER message received by the I-CSCF as follows:

If the Authorization header field in the REGISTER message has an integrity-protected parameter whose value corresponds to AKA, the I-CSCF determines that the AKA authentication mode should be used;

If the value of the integrity-protected parameter in the Authorization header field of the REGISTER message corresponds to a value other than AKA, or if the Authorization header field of the REGISTER message has no integrity-protected parameter and either there is no P-Access-Network-Info header field or the access-type parameter in the P-Access-Network-Info header field indicates that the access network type is a cable access network, the authentication mode of the UE is determined to be HTTP digest;

If there is no Authorization header field in the REGISTER message, and either there is no P-Access-Network-Info header field or the access-type parameter in the P-Access-Network-Info header field indicates a 3GPP mobile access network, the I-CSCF determines that the 3GPP Early IMS authentication mode should be used;

If the Authorization header field of the REGISTER message has no integrity-protected parameter, or there is no Authorization header field, and the access-type parameter in the P-Access-Network-Info header field indicates a TISPAN fixed access network, the I-CSCF determines that TISPAN's NBA or HTTP DIGEST authentication mode should be used.

After the authentication mode determining unit 11 determines the authentication mode of the UE, the I-CSCF performs the subsequent authentication processing according to the determined authentication mode.

Note that the I-CSCF may further include a unit for receiving the REGISTER message of the UE, which supplies the UE's REGISTER message to the authentication mode determining unit 11, and may further include a unit for performing authentication processing according to the authentication mode determined by the authentication mode determining unit 11.

Refer to FIG. 2, a flowchart of an embodiment of the method for authenticating a user terminal in an IMS network according to the present invention.

Step 21: Receive the REGISTER message of the user terminal (UE).

Step 22: Determine the authentication mode of the UE according to the Authorization header field and/or the P-Access-Network-Info (private access network information) header field in the REGISTER message.

Specifically, if the REGISTER message has an Authorization header field whose integrity-protected parameter value corresponds to AKA, the authentication mode of the UE is determined to be AKA (Authentication and Key Agreement).

If there is no Authorization header field in the REGISTER message and no P-Access-Network-Info header field, the authentication mode of the UE is determined to be Early IMS (early IMS authentication).

If there is no Authorization header field in the REGISTER message and the access-type parameter in the P-Access-Network-Info header field indicates that the access network type is a 3GPP mobile access network, the authentication mode of the UE is determined to be Early IMS.

If the Authorization header field in the REGISTER message has no integrity-protected parameter and the access-type parameter in the P-Access-Network-Info header field indicates that the access network type is a TISPAN fixed access network, the authentication mode of the UE is determined to be TISPAN's NBA mode (binding of IMS service-layer authentication to NASS access-layer authentication) or HTTP digest mode.

If the value of the integrity-protected parameter in the Authorization header field of the REGISTER message corresponds to a value other than AKA, the authentication mode of the UE is determined to be HTTP digest;

If the Authorization header field in the REGISTER message has no integrity-protected parameter and there is no P-Access-Network-Info header field, the authentication mode of the UE is determined to be HTTP digest;

If the Authorization header field in the REGISTER message has no integrity-protected parameter and the access-type parameter in the P-Access-Network-Info header field indicates that the access network type is a cable access network, the authentication mode of the UE is determined to be HTTP digest.

If there is no Authorization header field in the REGISTER message and the access-type parameter in the P-Access-Network-Info header field indicates that the access network type is a TISPAN fixed access network, the authentication mode of the UE is determined to be NBA.

Step 23: Perform authentication processing according to the determined authentication mode.

To describe the above method embodiment more clearly, a specific implementation of it is given below. Its basic flow is shown in FIG. 3 and includes the following steps:

1. The UE sends a REGISTER message to the P-CSCF to request registration;

2. The P-CSCF forwards the REGISTER message to the I-CSCF;

3. After receiving the REGISTER message, the I-CSCF determines the authentication mode of the user terminal according to the parameters in the Authorization header field or the P-Access-Network-Info header field, or the parameters in both the Authorization header field and the P-Access-Network-Info header field;

Specifically, the determination is made as follows:

If the Authorization header field in the REGISTER message has an integrity-protected parameter whose value corresponds to AKA, the I-CSCF determines that the AKA authentication mode should be used;

If the value of the integrity-protected parameter in the Authorization header field of the REGISTER message corresponds to a value other than AKA, or if the Authorization header field of the REGISTER message has no integrity-protected parameter and either there is no P-Access-Network-Info header field or the access-type parameter in the P-Access-Network-Info header field indicates that the access network type is a cable access network, the authentication mode of the UE is determined to be HTTP digest;

If there is no Authorization header field in the REGISTER message, and either there is no P-Access-Network-Info header field or the access-type parameter in the P-Access-Network-Info header field indicates a 3GPP mobile access network, the I-CSCF determines that the 3GPP Early IMS authentication mode should be used;

If the Authorization header field in the REGISTER message has no integrity-protected parameter, or there is no Authorization header field, and the access-type parameter in the P-Access-Network-Info header field indicates a TISPAN fixed access network, the I-CSCF determines that TISPAN's NBA or HTTP DIGEST authentication mode should be used.

4. After determining the authentication mode, the I-CSCF performs the subsequent authentication processing according to that mode.

In the specific implementation shown in FIG. 3, the detailed flow by which the I-CSCF, after receiving the REGISTER message, determines the authentication mode from the parameters in the Authorization and P-Access-Network-Info header fields is shown in FIG. 4 and includes the following steps:

1. The UE sends a REGISTER message to the P-CSCF to request registration;

2. The P-CSCF forwards the REGISTER message to the I-CSCF, and the I-CSCF receives the REGISTER message;

3. After receiving the REGISTER message, the I-CSCF determines whether the Authorization header field exists in the message. If not, go to step 4; if it does, go to step 7;

4. The I-CSCF further determines whether the P-Access-Network-Info header field exists in the REGISTER message. If it does, go to step 5; otherwise go directly to step 6;

5. The I-CSCF further determines whether the access network type indicated by the access-type in the P-Access-Network-Info header field is a 3GPP mobile access network or a TISPAN fixed access network. If it is a 3GPP mobile access network, such as 3GPP-GERAN (GSM EDGE Radio Access Network), 3GPP-UTRAN-FDD (Universal Terrestrial Radio Access Network, frequency division duplex) or 3GPP-UTRAN-TDD (Universal Terrestrial Radio Access Network, time division duplex), go to step 6; if it is a TISPAN fixed access network, such as NASS (Network Attachment Subsystem) or DSL (digital subscriber line), go to step 9;

6. The I-CSCF determines that the authentication mode is 3GPP Early IMS; if not, go to step 8; otherwise go to step 10;

8. The I-CSCF determines whether the access-type in the P-Access-Network-Info header field indicates that the access network type is a TISPAN fixed access network. If so, go to step 9; otherwise go to step 11;

9. The I-CSCF determines that TISPAN's NBA or HTTP DIGEST authentication mode is used. The I-CSCF can further distinguish between these two modes as follows: if the TISPAN fixed access network type is indicated as NASS, the NBA authentication mode is used; otherwise the HTTP DIGEST authentication mode is used;

10. The I-CSCF determines whether the value of the integrity-protected parameter corresponds to AKA (for example, its value is "YES" or "NO"). If so, go to step 12; otherwise go to step 11;

11. The I-CSCF handles this as another case. For example, if the value of the integrity-protected parameter in the Authorization header field of the REGISTER message corresponds to a value other than AKA, or if the Authorization header field of the REGISTER message has no integrity-protected parameter and either there is no P-Access-Network-Info header field or the access-type parameter in the P-Access-Network-Info header field indicates that the access network type is a cable access network, the authentication mode of the UE is determined to be HTTP digest.

12. The I-CSCF determines that the authentication mode is AKA.
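The FIG. 4 decision flow, written out as an added example (not code from the patent) and run over constructed REGISTER messages. The text of step 7 is incomplete on this page, so the example assumes it tests whether the Authorization header field carries an integrity-protected parameter; the `DOCSIS` token for cable access, the `undetermined` result for combinations the flow does not cover, and all `example.test` names are likewise assumptions.

```python
import re

AKA, EARLY_IMS, NBA, HTTP_DIGEST = "AKA", "Early IMS", "NBA", "HTTP DIGEST"
UNDETERMINED = "undetermined"  # assumption: combinations the page does not cover

MOBILE_3GPP = {"3GPP-GERAN", "3GPP-UTRAN-FDD", "3GPP-UTRAN-TDD"}  # step 5
TISPAN_FIXED = {"NASS", "DSL"}   # labels step 5 uses for TISPAN fixed access
CABLE = {"DOCSIS"}               # assumption: access-type token for cable access
AKA_VALUES = {"yes", "no"}       # step 10, compared case-insensitively

PARAM_RE = re.compile(r'([\w-]+)\s*=\s*(?:"([^"]*)"|([^\s,;]+))')


def parse_headers(message):
    """Map lower-cased header names to values; the first occurrence wins."""
    headers = {}
    for line in message.split("\r\n")[1:]:      # [0] is the request line
        if not line:                            # blank line ends the headers
            break
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), value.strip())
    return headers


def auth_params(value):
    """Parameters of an Authorization header value, keys lower-cased."""
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in PARAM_RE.finditer(value)}


def access_type(value):
    """First token of P-Access-Network-Info, or None when the header is absent."""
    return None if value is None else value.split(";", 1)[0].strip().upper()


def tispan_mode(access):
    """Step 9: NASS selects NBA, any other TISPAN fixed access selects HTTP DIGEST."""
    return NBA if access == "NASS" else HTTP_DIGEST


def classify(message):
    """Return the authentication mode the FIG. 4 flow selects for a REGISTER."""
    headers = parse_headers(message)
    auth = headers.get("authorization")
    access = access_type(headers.get("p-access-network-info"))

    if auth is None:                                    # step 3 -> step 4
        if access is None or access in MOBILE_3GPP:     # steps 4 and 5 -> step 6
            return EARLY_IMS
        if access in TISPAN_FIXED:                      # step 5 -> step 9
            return tispan_mode(access)
        return UNDETERMINED                             # not covered by the flow

    protected = auth_params(auth).get("integrity-protected")
    if protected is None:                               # step 7 (assumed) -> step 8
        if access in TISPAN_FIXED:                      # step 8 -> step 9
            return tispan_mode(access)
        if access is None or access in CABLE:           # step 11
            return HTTP_DIGEST
        return UNDETERMINED                             # not covered by the flow
    if protected.lower() in AKA_VALUES:                 # step 10 -> step 12
        return AKA
    return HTTP_DIGEST                                  # step 11: non-AKA value


def build_register(*extra_headers):
    """Constructed sample REGISTER; every name and value here is a placeholder."""
    lines = ["REGISTER sip:home.example.test SIP/2.0",
             "To: <sip:alice@home.example.test>",
             *extra_headers, "Content-Length: 0", "", ""]
    return "\r\n".join(lines)


def authorization(extra=""):
    """Constructed Authorization header line, optionally with extra parameters."""
    return ('Authorization: Digest username="alice@home.example.test", '
            'realm="home.example.test", nonce="", '
            'uri="sip:home.example.test", response=""' + extra)


if __name__ == "__main__":
    samples = {
        "AKA": build_register(authorization(', integrity-protected="no"')),
        "no headers": build_register(),
        "NASS only": build_register("P-Access-Network-Info: NASS"),
    }
    for name, message in samples.items():
        print(name, "->", classify(message))
```

Returning an explicit undetermined result lets the caller reject or log a REGISTER whose header combination falls outside the flow instead of silently defaulting to the weakest mode.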

After the I-CSCF determines the authentication mode according to the above flow, it carries out the subsequent authentication processing.

Different authentication modes correspond to different authentication processing; the specific processing steps follow the application flow of each authentication mode. The application flows of several authentication modes are given below.

Refer to FIG. 5, the application flow when the authentication mode of the UE is AKA, which mainly includes the following steps:

1. The initial key K is shared between the UE (user terminal) and the HSS (Home Subscriber Server).

2. (SM1-CM2) The user initiates a registration request SM1 (SM indicates that the protocol between the two entities is SIP, that is, a SIP message), and the S-CSCF requests data from the HSS through CM1 (CM indicates a Cx interface message between the I/S-CSCF and the HSS, which uses the DIAMETER protocol rather than SIP). The HSS generates an authentication quintuple based on the initial key K and the sequence number (SQN) and delivers it to the S-CSCF (Serving Call Session Control Function) through CM2. The quintuple consists of the random data RAND, the authentication token AUTN, the expected response XRES, the integrity key IK and the ciphering key CK.

3. (SM4-SM5) The S-CSCF returns a 401 response (authentication challenge) to the user, carrying the four elements of the quintuple other than XRES.

4. (SM6) The P-CSCF (Proxy Call Session Control Function) stores IK and CK, and passes (RAND, AUTN) to the UE in the 401 response.

5. (SM7-SM9) Based on the initial key K, the SQN and other information, together with the AUTN received from the network device, the UE authenticates whether the network device is trusted. If verification passes and the network device is trusted, the UE combines RAND and K to produce the result RES. RES is used as the key ("password") when the terminal computes the response; the computed result is sent to the network side in SM7 (authentication response), and the UE computes IK and CK itself.

6. The S-CSCF receives in SM9 the response generated from RES and compares it with the result it computes from XRES. If the two are the same, the user is considered successfully authenticated.
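Steps 2 to 6 of the AKA flow as an added example (not code from the patent), showing the UE authenticating the network through AUTN and the S-CSCF checking a response computed with RES as the password. The key derivation here is an HMAC-SHA256 stand-in rather than the 3GPP AKA algorithms, and the AUTN layout, the HTTP Digest (MD5, no qop) form of the response, the base64 nonce carrying RAND and AUTN, and all `example.test` values are assumptions.

```python
import base64
import hashlib
import hmac
import os


def prf(key, label, *parts):
    """Stand-in for the AKA functions: HMAC-SHA256, NOT the 3GPP algorithms."""
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()


def hss_vector(k, sqn, rand=None):
    """Step 2: the HSS derives the quintuple from the shared key K and SQN."""
    rand = os.urandom(16) if rand is None else rand
    sqn_bytes = sqn.to_bytes(6, "big")
    # Simplified AUTN layout (SQN || MAC); the real AUTN has more fields.
    autn = sqn_bytes + prf(k, b"mac", sqn_bytes, rand)[:8]
    return {"RAND": rand, "AUTN": autn, "XRES": prf(k, b"res", rand)[:8],
            "IK": prf(k, b"ik", rand)[:16], "CK": prf(k, b"ck", rand)[:16]}


def challenge_nonce(rand, autn):
    """Steps 3-4: RAND and AUTN reach the UE in the 401; XRES, IK, CK do not."""
    return base64.b64encode(rand + autn).decode()


def digest_response(username, realm, password, method, uri, nonce):
    """HTTP Digest (MD5, no qop) with a binary password, here RES or XRES."""
    ha1 = hashlib.md5(f"{username}:{realm}:".encode() + password).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def ue_respond(k, highest_sqn_seen, nonce, username, realm, uri):
    """Step 5: authenticate the network via AUTN, then answer using RES."""
    blob = base64.b64decode(nonce)
    rand, sqn_bytes, mac = blob[:16], blob[16:22], blob[22:30]
    if not hmac.compare_digest(mac, prf(k, b"mac", sqn_bytes, rand)[:8]):
        return None                       # AUTN was not produced with K
    if int.from_bytes(sqn_bytes, "big") <= highest_sqn_seen:
        return None                       # stale or replayed challenge
    res = prf(k, b"res", rand)[:8]
    return digest_response(username, realm, res, "REGISTER", uri, nonce)


def scscf_verify(vector, nonce, response, username, realm, uri):
    """Step 6: recompute the response from XRES and compare in constant time."""
    if response is None:
        return False
    expected = digest_response(username, realm, vector["XRES"],
                               "REGISTER", uri, nonce)
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    K = bytes(range(16))                                  # constructed shared key
    user, realm, uri = ("alice@home.example.test", "home.example.test",
                        "sip:home.example.test")          # placeholders
    vec = hss_vector(K, sqn=7)
    nonce = challenge_nonce(vec["RAND"], vec["AUTN"])
    answer = ue_respond(K, 6, nonce, user, realm, uri)
    print("authenticated:", scscf_verify(vec, nonce, answer, user, realm, uri))
```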

As the above flow shows, the UE initiates registration with the IMS (IP Multimedia Core Network Subsystem) network, and AKA provides mutual authentication between the UE and the IMS network. It also completes the establishment of the security association between the UE and the P-CSCF (Proxy Call Session Control Function): the UE and the P-CSCF share the ciphering key CK and the integrity key IK, and these two keys are used to establish a secure communication channel between the UE and the P-CSCF.

Refer to FIG. 6, the application flow for the Early IMS authentication mode. The user terminal accesses the GPRS (General Packet Radio Service) network through the GGSN (Gateway GPRS Support Node); the GGSN authenticates the user identities IMSI (International Mobile Subscriber Identity) and MSISDN (Mobile Station International ISDN Number) and assigns the user terminal a network transport layer identifier (IP address).

Step 1. The GGSN sends the correspondence between the user identity and the terminal IP address to the HSS in an "Accounting Request Start" message, and the HSS stores the correspondence;

Step 2. The HSS responds with an "Accounting Request Answer";

Step 3. The user terminal sends a REGISTER request to the P-CSCF. The P-CSCF checks whether the IP address in the sent-by field of the Via header field of the REGISTER message matches the source IP address in the IP header carrying the REGISTER message. If they differ, it adds a received field to the Via header field and sets it to the source IP address from the IP header. The P-CSCF forwards the REGISTER request to the S-CSCF. The S-CSCF uses the public user identity in the REGISTER request to check whether the user is already registered;

Step 4. If not registered, the S-CSCF requests from the HSS the terminal IP address corresponding to the public user identity (the HSS is statically configured with the correspondence between the public user identity and the MSISDN, so the corresponding terminal IP address can be obtained from the public user identity);

Step 5. The HSS returns the terminal IP address corresponding to the public user identity;

Step 6. The S-CSCF checks the terminal source IP address of the received REGISTER (if the Via header field has a received field, the received field is compared first; otherwise the sent-by field of the Via header field is compared). If it is the same as the IP address obtained from the HSS, authentication passes and a 200 authentication success message is sent to the GGSN.

The Early IMS access domain security mechanism applies only to a specific wireless access environment and places special requirements on the access network; it cannot guarantee secure user access in other access environments.
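Steps 3 and 6 of the Early IMS flow as an added example (not code from the patent): the P-CSCF stamps the Via header with the packet's real source address, and the S-CSCF compares the resulting address with the one the HSS holds for the public user identity. Dropping a client-supplied `received` value before stamping is a hardening assumption the page does not state, and all addresses and identities are constructed documentation values.

```python
import ipaddress


def same_ip(a, b):
    """True only when both strings are IP literals naming the same address."""
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:
        return False                      # a host name never matches an address


def parse_via(via):
    """Split a Via value into (sent-by host, {parameter: value})."""
    first, *rest = [part.strip() for part in via.split(";")]
    sent_by = first.split()[-1]           # "host[:port]" after the protocol token
    if sent_by.startswith("["):           # bracketed IPv6 literal
        host = sent_by[1:sent_by.index("]")]
    else:
        host = sent_by.rsplit(":", 1)[0] if ":" in sent_by else sent_by
    params = {}
    for part in rest:
        key, _, value = part.partition("=")
        params[key.strip().lower()] = value.strip()
    return host, params


def pcscf_stamp_via(via, packet_src_ip):
    """Step 3: add received=<source IP> when sent-by differs from the IP header."""
    # Assumption (not on the page): ignore any received value the client sent.
    kept = [p for p in via.split(";")
            if not p.strip().lower().startswith("received=")]
    via = ";".join(kept)
    host, _ = parse_via(via)
    if not same_ip(host, packet_src_ip):
        via += ";received=" + packet_src_ip
    return via


def scscf_early_ims_check(via, public_id, hss_bindings):
    """Step 6: prefer received over sent-by and compare with the HSS binding."""
    host, params = parse_via(via)
    claimed = params.get("received") or host
    bound = hss_bindings.get(public_id)   # steps 4-5: address stored by the HSS
    return bound is not None and same_ip(claimed, bound)


if __name__ == "__main__":
    bindings = {"sip:alice@home.example.test": "192.0.2.10"}   # constructed
    via = "SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKconstructed"
    for src in ("192.0.2.10", "198.51.100.7"):
        stamped = pcscf_stamp_via(via, src)
        ok = scscf_early_ims_check(stamped, "sip:alice@home.example.test", bindings)
        print(src, "->", stamped, "->", "accepted" if ok else "rejected")
```

The check is only as strong as the network's guarantee that the source address in the IP header cannot be forged, which is the access-network requirement the paragraph above refers to.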

请参阅图 7, 其为 NBA鉴权方式对应的应用流程, 具体包括如下的步骤: 步骤 101, 网络附着子系统(NASS, Network Attachment Subsystem )接 入层附着认证, 在连接位置功能实体( Connection Location Function, CLF )上 记录用户终端 (UE ) 的位置信息。  Referring to FIG. 7, which is an application flow corresponding to the NBA authentication mode, the method includes the following steps: Step 101: Network Attachment Subsystem (NASS) access layer attachment authentication, and a connection location function entity (Connection Location) The location information of the user terminal (UE) is recorded on the Function, CLF).

Step 102. The UE sends a REGISTER registration message to the P-CSCF. The message carries the access operator identifier and the access user identifier.

Step 103. The P-CSCF determines whether a security association with the UE needs to be established by checking whether the REGISTER message contains security negotiation parameters (for example, Security-Client). If the parameter is present, a security association must be established; if it is absent, none is needed. In general, the key agreement (AKA) case always carries this parameter, while the NASS-Bundled and HTTP Digest (HTTP DIGEST) cases never do.

Step 104. The P-CSCF determines the CLF from the access operator identifier in the registration message and the preconfigured correspondence between access operator identifiers and CLFs. The P-CSCF then queries that CLF for the user's location information, using the source IP address of the registration message as the key.

Step 105. Because the CLF already holds the location information corresponding to the source IP address, in this step the CLF returns the corresponding location information and other information to the P-CSCF.

Step 106. The P-CSCF sends the REGISTER registration message, carrying the location information and other information obtained in the previous step, to the Interrogating-Call Session Control Function (I-CSCF).

Step 107. The I-CSCF sends a User Authorization Request (UAR) message to the User Profile Server Function (UPSF).

Step 108. The UPSF returns a User Authorization Answer (UAA) message.

Step 109. The I-CSCF selects the corresponding S-CSCF according to the message returned by the UPSF, that is, it selects which S-CSCF will process the registration message.

Step 110. The I-CSCF forwards the REGISTER registration message, including the location information above, to the S-CSCF determined in the previous step.

Step 111. The S-CSCF determines the authentication mode by checking whether the REGISTER message contains the Integrity-Protected parameter. If the parameter is present, the mode must be AKA, and the authentication request that the S-CSCF sends to the UPSF only requests authentication parameters. If the parameter is absent, the S-CSCF must query the UPSF for the configured authentication mode, and its request to the UPSF asks for both the authentication mode and the corresponding authentication parameters. Because the NASS-Bundled authentication mode is used here, the REGISTER message does not contain the Integrity-Protected parameter. The S-CSCF sends a Multimedia Authentication Request (MAR) message to the UPSF, requesting the user's authentication vector and the corresponding authentication parameters.

Step 112. The UPSF checks the user's authentication subscription data and finds that the user's authentication mode is NASS-Bundled.

Step 113. The UPSF sends a Multimedia Authentication Answer (MAA) message to the S-CSCF, returning the user's authentication mode and the authentication parameter, namely the location information.

Step 114. The S-CSCF compares the location information received from the P-CSCF with the location information obtained from the UPSF. If they match, authentication has succeeded, and step 115 and the subsequent flow are performed, that is, an authentication-success message is sent to the UE. If they do not match, authentication has failed, and step 115 and the subsequent steps are performed, that is, an authentication-failure message is sent to the UE.

Step 115. The S-CSCF sends a 2xx Auth_OK message to the I-CSCF, indicating that authentication succeeded.

Step 116. The I-CSCF sends the 2xx Auth_OK message to the P-CSCF.

Step 117. The P-CSCF sends the 2xx Auth_OK message to the UE.

Refer to Figure 8, which shows the application flow for the HTTP DIGEST authentication mode. It includes the following steps:

Step 201. The UE sends a REGISTER registration message to the P-CSCF.

Step 202. The P-CSCF determines whether a security association with the UE needs to be established by checking whether the REGISTER message contains security negotiation parameters (for example, Security-Client). If the parameter is present, a security association must be established; if it is absent, none is needed. In general, the key agreement (AKA) case always carries this parameter, while the NASS-Bundled and HTTP Digest (HTTP DIGEST) cases never do.

Step 203. The P-CSCF forwards the UE's REGISTER registration message to the I-CSCF. The message also carries the UE location information that the P-CSCF obtained by querying the CLF.

Step 204. The I-CSCF and the UPSF select the corresponding S-CSCF through a Cx-Selection-Info message: the I-CSCF sends a request to the UPSF, which looks up the user attributes it holds to determine which S-CSCF will process the registration message.

Step 205. The I-CSCF forwards the UE's REGISTER registration message to the S-CSCF determined in step 204.

Step 206. The S-CSCF determines the authentication mode by checking whether the REGISTER message contains the Integrity-Protected parameter. If the parameter is present, the mode must be AKA, and the authentication request that the S-CSCF sends to the UPSF only requests authentication parameters. If the parameter is absent, the S-CSCF must query the UPSF for the configured authentication mode, and its request to the UPSF asks for both the authentication mode and the corresponding authentication parameters. Because the HTTP DIGEST authentication mode is used here, the REGISTER message does not contain the Integrity-Protected parameter. The S-CSCF and the UPSF use a Cx-Put message to update the S-CSCF indication information on the UPSF, informing the UPSF that subsequent processing for this user takes place on this S-CSCF.

Step 207. The S-CSCF sends a MAR message to the UPSF, requesting the user's authentication mode and authentication data.

Step 208. The UPSF checks the user's authentication subscription data, determines from it that the user's authentication mode is HTTP DIGEST, and generates authentication vectors such as the nonce, the expected result (XRES), and so on.

Step 209. The UPSF sends a MAR message to the S-CSCF, delivering the user's authentication mode information (HTTP DIGEST) together with the authentication parameters: the nonce, the expected result (XRES), and so on.

Step 210. The S-CSCF calculates the expected result XRES.

Step 211. The S-CSCF obtains the authentication mode information and saves the XRES, then sends a "4xx Auth_Challenge" message to the I-CSCF. The Algorithm parameter in the WWW-Authenticate header of this message indicates that the HTTP DIGEST authentication mode is used.

Step 212. The I-CSCF sends the "4xx Auth_Challenge" message to the P-CSCF. The Algorithm parameter in the WWW-Authenticate header of this message indicates that the HTTP DIGEST authentication mode is used.

Step 213. The P-CSCF sends the "4xx Auth_Challenge" message to the UE.

Step 214. After receiving the "4xx Auth_Challenge" message, the UE sees that the Algorithm parameter indicates the HTTP DIGEST authentication mode and sends a new REGISTER registration message to the P-CSCF, carrying the response (RES) used for authentication.

Step 215. The P-CSCF sends the REGISTER registration message carrying the RES to the I-CSCF.

Step 216. The I-CSCF and the UPSF use Cx-Query to determine which S-CSCF will process the UE's registration message: the I-CSCF asks the UPSF which S-CSCF should handle the message, and the S-CSCF indication information stored on the UPSF tells the I-CSCF which S-CSCF processes it. In the following steps, the S-CSCF sends the authentication-success or authentication-failure message to the UE.

Step 217. The I-CSCF forwards the REGISTER registration message to the S-CSCF determined in step 216.

Step 218. The S-CSCF compares the XRES obtained from the UPSF with the RES sent by the UE. If the two match, authentication has succeeded; if they do not match, authentication has failed.

Step 219. The S-CSCF and the UPSF use a Cx-Put message to update the S-CSCF indication information on the UPSF, informing the UPSF that subsequent processing for this user takes place on this S-CSCF.

Step 220. The S-CSCF and the UPSF use a Cx-Pull message to obtain the user's subscription data.

Step 221. The S-CSCF sends to the I-CSCF either a 200 message indicating that authentication succeeded or a 403 Forbidden message indicating that authentication failed. The figure shows only the 200 message for the success case.

Step 222. The I-CSCF sends the message above to the P-CSCF.

Step 223. The P-CSCF sends the message above to the UE.
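The challenge and comparison in steps 208 to 221 can be modelled as follows. This is an added example, not code from the patent: the `Upsf` and `Scscf` classes, the 401 status for the "4xx Auth_Challenge", the RFC 2617 MD5 digest without qop for XRES, the single-use nonce handling and all sample identities are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def md5_hex(text):
    # RFC 2617 digest authentication is defined over MD5 hex digests.
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1_for(username, realm, password):
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1, nonce, method, uri, qop=None, nc=None, cnonce=None):
    """RFC 2617 request-digest; the qop form also covers nc and cnonce."""
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


class Upsf:
    """Hypothetical subscriber store: keeps HA1 per private identity (IMPI)."""

    def __init__(self, realm, passwords):
        self.realm = realm
        self._ha1 = {impi: ha1_for(impi, realm, pw) for impi, pw in passwords.items()}

    def authentication_vector(self, impi, uri):
        # Step 208: generate a fresh nonce and the expected result (XRES).
        if impi not in self._ha1:
            return None
        nonce = secrets.token_hex(16)
        xres = digest_response(self._ha1[impi], nonce, "REGISTER", uri)
        return {"scheme": "HTTP DIGEST", "realm": self.realm, "nonce": nonce, "xres": xres}


class Scscf:
    """Hypothetical S-CSCF: stores XRES per challenge and compares it with RES."""

    def __init__(self, upsf):
        self.upsf = upsf
        self._pending = {}          # (impi, nonce) -> xres

    def challenge(self, impi, uri):
        # Steps 207 to 211: fetch the vector, save XRES, send the challenge.
        vector = self.upsf.authentication_vector(impi, uri)
        if vector is None:
            return {"status": 403}
        self._pending[(impi, vector["nonce"])] = vector["xres"]
        return {"status": 401, "realm": vector["realm"],
                "nonce": vector["nonce"], "algorithm": "MD5"}

    def verify(self, impi, nonce, res):
        # Step 218: compare RES with the stored XRES. The entry is removed on
        # every attempt, so a captured RES cannot be replayed and a wrong
        # guess costs the sender a new challenge.
        xres = self._pending.pop((impi, nonce), None)
        if xres is None:
            return 403
        same = hmac.compare_digest(xres.encode("utf-8"), str(res).encode("utf-8"))
        return 200 if same else 403   # step 221: 200 or 403 Forbidden


if __name__ == "__main__":
    # Constructed sample subscriber and request URI.
    impi, realm, uri = "alice@ims.example.net", "ims.example.net", "sip:ims.example.net"
    scscf = Scscf(Upsf(realm, {impi: "constructed-password"}))
    ch = scscf.challenge(impi, uri)
    res = digest_response(ha1_for(impi, realm, "constructed-password"),
                          ch["nonce"], "REGISTER", uri)   # UE side, step 214
    print("first attempt:", scscf.verify(impi, ch["nonce"], res))
    print("replayed RES:", scscf.verify(impi, ch["nonce"], res))
```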

The application flows of the authentication modes above show the following. For the Early IMS mode, the I-CSCF must derive the IMPI (IMS private user identity) from the IMPU (IMS public user identity) as follows: strip the URI (Uniform Resource Identifier) prefix, the port number and so on from the IMPU and use the result as the IMPI. The other authentication modes do not require this. For the AKA mode, the I-CSCF must perform the following S-CSCF reselection procedure: if the previously selected S-CSCF does not respond to the REGISTER message sent by the I-CSCF, or returns a response such as 3XX or 480, and the REGISTER message does not contain the "integrity-protected" header field, the I-CSCF runs the S-CSCF reselection procedure to select a new S-CSCF. The other authentication modes do not require this. For NBA/HTTP DIGEST, the registration message may or may not contain an Authorization header field (carrying the IMPI), that is, it may or may not include the IMPI, so the way the IMPI is obtained when interacting with the UPSF over Cx may differ from Early IMS.

It should be noted that, in the specific embodiments of the invention described above, after receiving the REGISTER message the I-CSCF first checks whether the message contains an Authorization header field and then makes the next decision based on its presence or absence. In practice, the I-CSCF may instead first check whether the REGISTER message contains a P-Access-Network-Info header field and make the next decision based on that. In other words, the I-CSCF's evaluation of the Authorization header field, the P-Access-Network-Info header field and their parameters is not tied to a particular order; it is sufficient that one of the two header fields, or the two combined, uniquely determines an authentication mode. In addition, HTTP DIGEST authentication in the embodiments above is a collective term: it covers not only HTTP DIGEST authentication in the traditional sense but also the SIP DIGEST authentication mode developed from it.

As described above, the I-CSCF determines the authentication mode of the user terminal from the parameters in the Authorization header field and/or the P-Access-Network-Info header field of the REGISTER message. This solves the problem of how the I-CSCF distinguishes the authentication modes when multiple access networks connect to the same IMS core network. The technical solution provided by the embodiments of the invention is also extensible: when other access networks are connected to the same IMS core network in the future and introduce new authentication modes, it can readily solve the problem of how the I-CSCF distinguishes the new modes.
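The header-based decision summarised above, using the conditions listed in claims 2 to 6 of this document, can be sketched as follows. This is an added example, not code from the patent: the function names, the integrity-protected values treated as AKA, the access-type tokens mapped to the 3GPP, TISPAN fixed and cable classes, the refusal to classify a request with a repeated header, and the sample REGISTER messages are all assumptions.

```python
import re
from enum import Enum


class AuthMode(Enum):
    AKA = "IMS AKA"
    EARLY_IMS = "Early IMS"
    NBA = "NBA"
    HTTP_DIGEST = "HTTP Digest"
    NBA_OR_DIGEST = "NBA or HTTP Digest"
    UNDETERMINED = "undetermined"


# Assumptions, not values taken from the patent text:
AKA_INTEGRITY_VALUES = {"yes", "no"}      # integrity-protected values treated as AKA
TISPAN_FIXED_ACCESS = {"adsl", "adsl2", "adsl2+", "sdsl", "hdsl", "vdsl"}
CABLE_ACCESS = {"docsis"}


def parse_headers(message):
    """Return {lower-case header name: [values]} for a SIP request."""
    head = message.replace("\r\n", "\n").split("\n\n", 1)[0]
    unfolded = []
    for line in head.split("\n")[1:]:             # skip the request line
        if line[:1] in (" ", "\t") and unfolded:  # folded continuation line
            unfolded[-1] += " " + line.strip()
        elif line.strip():
            unfolded.append(line)
    headers = {}
    for line in unfolded:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def integrity_protected(authorization):
    """Value of the integrity-protected parameter, or None when it is absent."""
    m = re.search(r'(?:^|[,\s])integrity-protected\s*=\s*"?([A-Za-z-]+)"?',
                  authorization, re.IGNORECASE)
    return m.group(1).lower() if m else None


def access_class(pani):
    """Map the access-type token of P-Access-Network-Info to a network class."""
    access_type = pani.split(";", 1)[0].strip().lower()
    if access_type.startswith("3gpp-"):
        return "3gpp"
    if access_type in TISPAN_FIXED_ACCESS:
        return "tispan"
    if access_type in CABLE_ACCESS:
        return "cable"
    return "other"


def classify(message):
    headers = parse_headers(message)
    auth = headers.get("authorization", [])
    pani = headers.get("p-access-network-info", [])
    # Added hardening choice: a repeated header makes the decision ambiguous,
    # so refuse to pick a mode rather than trust whichever copy comes first.
    if len(auth) > 1 or len(pani) > 1:
        return AuthMode.UNDETERMINED
    access = access_class(pani[0]) if pani else None

    if not auth:
        if access in (None, "3gpp"):
            return AuthMode.EARLY_IMS             # claim 3
        if access == "tispan":
            return AuthMode.NBA                   # claim 6
        return AuthMode.UNDETERMINED

    protected = integrity_protected(auth[0])
    if protected is not None:                     # claims 2 and 5
        return AuthMode.AKA if protected in AKA_INTEGRITY_VALUES else AuthMode.HTTP_DIGEST
    if access == "tispan":
        return AuthMode.NBA_OR_DIGEST             # claim 4
    if access in (None, "cable"):
        return AuthMode.HTTP_DIGEST               # claim 5
    return AuthMode.UNDETERMINED


def register(*extra_headers):
    """Build a constructed REGISTER request with the given extra header lines."""
    lines = ["REGISTER sip:ims.example.net SIP/2.0",
             "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKconstructed",
             "From: <sip:alice@ims.example.net>;tag=1",
             "To: <sip:alice@ims.example.net>",
             "Call-ID: constructed-1", "CSeq: 1 REGISTER",
             *extra_headers, "Content-Length: 0"]
    return "\r\n".join(lines) + "\r\n\r\n"


# Constructed Authorization header without an integrity-protected parameter.
AUTH = ('Authorization: Digest username="alice@ims.example.net", '
        'realm="ims.example.net", nonce="", uri="sip:ims.example.net", response=""')

if __name__ == "__main__":
    for extra in ([], ["P-Access-Network-Info: ADSL"],
                  [AUTH + ', integrity-protected="no"'],
                  [AUTH, "P-Access-Network-Info: DOCSIS"]):
        print(extra, "->", classify(register(*extra)).value)
```

Claim 4 leaves two candidate modes for a TISPAN fixed access request whose Authorization header has no integrity-protected parameter, so the sketch returns `NBA_OR_DIGEST` for that case instead of choosing one.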

A person of ordinary skill in the art will understand that all or some of the steps of the method embodiments above can be carried out by a program instructing the relevant hardware. The program may be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disc.

The above are only preferred embodiments of the present invention and are not intended to limit it. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within its scope of protection.

Claims

1. A method for authenticating a user terminal in an IMS network, characterized by comprising:
receiving a REGISTER message from a user terminal (UE);
determining the authentication mode of the UE according to the Authorization header field and/or the P-Access-Network-Info (private access network information) header field in the REGISTER message; and
performing authentication processing according to the determined authentication mode.

2. The method according to claim 1, characterized in that determining the authentication mode of the UE according to the Authorization header field and/or the P-Access-Network-Info header field in the REGISTER message comprises:
if the REGISTER message contains an Authorization header field whose integrity-protected parameter value corresponds to the AKA mode, determining that the authentication mode of the UE is the Authentication and Key Agreement (AKA) mode.

3. The method according to claim 1, characterized in that determining the authentication mode of the UE according to the Authorization header field and/or the P-Access-Network-Info header field in the REGISTER message comprises:
if the REGISTER message contains no Authorization header field and no P-Access-Network-Info header field, determining that the authentication mode of the UE is the Early IMS mode;
if the REGISTER message contains no Authorization header field and the access-type parameter in the P-Access-Network-Info header field indicates that the access network type is a 3GPP mobile access network, determining that the authentication mode of the UE is the Early IMS mode.

4. The method according to claim 1, characterized in that determining the authentication mode of the UE according to the Authorization header field and/or the P-Access-Network-Info header field in the REGISTER message comprises:
if the Authorization header field in the REGISTER message contains no integrity-protected parameter and the access-type parameter in the P-Access-Network-Info header field indicates that the access network type is a TISPAN (Telecommunications and Internet converged Services and Protocols for Advanced Networking) fixed access network, determining that the authentication mode of the UE is the TISPAN NBA mode (IMS service-layer authentication bundled with NASS access-layer authentication) or the HTTP Digest mode.

5. The method according to claim 1, characterized in that determining the authentication mode of the UE according to the Authorization header field and/or the P-Access-Network-Info header field in the REGISTER message comprises:
if the value of the integrity-protected parameter in the Authorization header field of the REGISTER message corresponds to a value other than AKA, determining that the authentication mode of the UE is the HTTP Digest mode;
if the Authorization header field in the REGISTER message contains no integrity-protected parameter and there is no P-Access-Network-Info header field, determining that the authentication mode of the UE is the HTTP Digest mode;
if the Authorization header field in the REGISTER message contains no integrity-protected parameter and the access-type parameter in the P-Access-Network-Info header field indicates that the access network type is a cable access network, determining that the authentication mode of the UE is the HTTP Digest mode.

6. The method according to claim 1, characterized in that determining the authentication mode of the UE according to the Authorization header field and/or the P-Access-Network-Info header field in the REGISTER message comprises:
if the REGISTER message contains no Authorization header field and the access-type parameter in the P-Access-Network-Info header field indicates that the access network type is a TISPAN fixed access network, determining that the authentication mode of the UE is the NBA mode.

7. The method according to claim 1, characterized in that the entity executing each step of claim 1 is specifically an Interrogating-Call Session Control Function (I-CSCF).

8. A system, characterized in that it further comprises an authentication mode determining unit, configured to determine the authentication mode of the UE according to the Authorization header field and/or the P-Access-Network-Info header field in the UE's REGISTER message.

9. The system according to claim 8, characterized in that the authentication mode determining unit comprises:
a unit configured to determine that the authentication mode of the UE is the Authentication and Key Agreement (AKA) mode when the REGISTER message contains an Authorization header field whose integrity-protected parameter value corresponds to the AKA mode.

10. The system according to claim 8, characterized in that the authentication mode determining unit comprises:
a unit configured to determine that the authentication mode of the UE is the Early IMS mode when the REGISTER message contains no Authorization header field and no P-Access-Network-Info header field, or when the REGISTER message contains no Authorization header field and the access-type parameter in the P-Access-Network-Info header field indicates that the access network type is a 3GPP mobile access network.

11. The system according to claim 8, characterized in that the authentication mode determining unit comprises:
a unit configured to determine that the authentication mode of the UE is the TISPAN NBA mode or the HTTP Digest mode when the Authorization header field in the REGISTER message contains no integrity-protected parameter and the access-type parameter in the P-Access-Network-Info header field indicates a TISPAN fixed access network.

12. The system according to claim 8, characterized in that the authentication mode determining unit comprises:
a unit configured to determine that the authentication mode of the UE is the TISPAN NBA mode when the REGISTER message contains no Authorization header field and the access-type parameter in the P-Access-Network-Info header field indicates a TISPAN fixed access network.

13. The system according to claim 8, characterized in that the authentication mode determining unit comprises:
a unit configured to determine that the authentication mode of the UE is the HTTP Digest mode when the value of the integrity-protected parameter in the Authorization header field of the REGISTER message corresponds to a value other than AKA; or when the Authorization header field in the REGISTER message contains no integrity-protected parameter and there is no P-Access-Network-Info header field; or when the Authorization header field in the REGISTER message contains no integrity-protected parameter and the access-type parameter in the P-Access-Network-Info header field indicates that the access network type is a cable access network.

14. The system according to any one of claims 8 to 13, characterized in that the system is specifically a Call Session Control Function (CSCF).

15. The system according to claim 14, characterized in that the CSCF is specifically an Interrogating-Call Session Control Function (I-CSCF).

16. The system according to any one of claims 8 to 13, characterized by further comprising:
a unit configured to receive the REGISTER message of a user terminal (UE), this unit providing the UE's REGISTER message to the authentication mode determining unit; and
a unit configured to perform authentication processing according to the authentication mode determined by the authentication mode determining unit.
PCT/CN2008/070149 2007-01-23 2008-01-21 A method and a system for authenticating a user terminal in ims network Ceased WO2008089699A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2007100730235A CN101232707B (en) 2007-01-23 2007-01-23 Method for distinguishing subscriber terminal authority identifying type in IMS network and I-CSCF
CN200710073023.5 2007-01-23

Publications (1)

Publication Number Publication Date
WO2008089699A1 true WO2008089699A1 (en) 2008-07-31

Family

ID=39644139

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/070149 Ceased WO2008089699A1 (en) 2007-01-23 2008-01-21 A method and a system for authenticating a user terminal in ims network

Country Status (2)

Country Link
CN (1) CN101232707B (en)
WO (1) WO2008089699A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102917342B (en) * 2008-09-28 2015-11-25 华为技术有限公司 User equipment action information Notification Method, system and network element device, server
CN101815296A (en) * 2009-02-23 2010-08-25 华为技术有限公司 Method, device and system for performing access authentication
CN104066073B (en) * 2014-06-30 2017-08-25 中国联合网络通信集团有限公司 The processing method and system of a kind of speech business

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104683347A (en) * 2015-03-12 2015-06-03 东北大学 Signaling interaction method and trusted authentication system for carrying out trusted communication on basis of IMS (Information Management System)
CN104683347B (en) * 2015-03-12 2017-10-17 东北大学 The signaling interaction method and authentic authentication system of trusted communications are carried out based on IMS
WO2022247938A1 (en) * 2021-05-28 2022-12-01 华为技术有限公司 Terminal device registration method, related device, system, and storage medium

Also Published As

Publication number Publication date
CN101232707A (en) 2008-07-30
CN101232707B (en) 2012-03-21

Similar Documents

Publication Publication Date Title
EP1879324B1 (en) A method for authenticating user terminal in ip multimedia sub-system
CN1327681C (en) Method for realizing initial Internet protocol multimedia subsystem registration
CN101043744B (en) Method for user terminal accessing authentication in IMS network
US8959343B2 (en) Authentication system, method and device
WO2011079522A1 (en) Authentication method, system and device
CN101151869B (en) Internet protocol multimedia subsystem authorization method
WO2008025280A1 (en) A method and system of authentication
WO2011038691A1 (en) Authentication method and device
CN100461942C (en) Selection Method of Security Mechanism in Access Domain of IP Multimedia Subsystem
WO2007098660A1 (en) An authentication method and system between network entities in ip multimedia subsystem
WO2008089699A1 (en) A method and a system for authenticating a user terminal in ims network
WO2006072209A1 (en) A method for agreeing upon the key in the ip multimedia sub-system
CN101662475B (en) Authentication method of accessing WAPI terminal into IMS network, system thereof and terminal thereof
CN102111379A (en) Authentication system, method and device
CN100395976C (en) An Authentication Method for Internet Protocol Multimedia Subsystem
CN102065069A (en) Method and system for authenticating identity and device
CN100561909C (en) A TLS-based IP Multimedia Subsystem Access Security Protection Method
WO2013037251A1 (en) Authentication method and system for ue in ils network in ims network
CN101106457A (en) Method for Determining User Terminal Authentication Mode in IP Multimedia Subsystem Network
WO2006072219A1 (en) An ip multimedia subsystem network authentication system and the method thereof
CN101001145B (en) Authentication method for supporting terminal roaming of non-IP multimedia service subsystem
CN102082769B (en) Authentication system, device and method for IMS terminal when obtaining non-IMS service
CN100372329C (en) A registration method, agent device and registration system
WO2009074063A1 (en) A method and apparatus for deciding the authorization pattern for ue to access ims
WO2006133624A1 (en) A method for registering at the internet protocol multimedia subsystem

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application. Ref document number: 08700806; Country of ref document: EP; Kind code of ref document: A1

NENP Non-entry into the national phase. Ref country code: DE

122 EP: PCT application non-entry in European phase. Ref document number: 08700806; Country of ref document: EP; Kind code of ref document: A1