WO2008034377A1 - Authentication negotiation method and system - Google Patents
- Publication number
- WO2008034377A1 (PCT/CN2007/070572)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- authentication
- cscf
- type
- user
- hss
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
Definitions
- This application claims priority to Chinese patent application No. 200610127603.3, filed with the Chinese Patent Office on August 29, 2006 and entitled "An authentication negotiation method and a communication system", the entire contents of which are incorporated herein by reference.
- The present invention relates to the field of communication security technologies, and in particular to an authentication negotiation method and system.
Background technique
- In the Internet Protocol Multimedia Subsystem (IMS), terminals come in various forms with different capabilities, and different terminals use different authentication types. The IMS core network is therefore required to support multiple authentication types.
- The authentication types supported by the IMS core network include IMS AKA authentication, Early IMS authentication, and HTTP Digest authentication.
- A flow chart of a prior-art authentication method is shown in FIG. 1:
- the user terminal sends a registration message to the Interrogating Call Session Control Function (I-CSCF) through the Proxy Call Session Control Function (P-CSCF);
- the I-CSCF sends a user status query request message to the Home Subscriber Server (HSS);
- the HSS returns the user status query response to the I-CSCF;
- the I-CSCF selects a corresponding Serving Call Session Control Function (S-CSCF) according to the response information;
- after selecting the S-CSCF, the I-CSCF sends the registration message to the S-CSCF;
- on receiving the registration message, the S-CSCF sends an authentication vector request to the HSS;
- the HSS selects a corresponding authentication vector;
- the HSS returns the selected authentication vector to the S-CSCF;
- the S-CSCF sends an Unauthorized message to the user terminal through the I-CSCF and the P-CSCF, requesting the user to perform authentication;
- the user terminal sends a registration message carrying the RES parameter to the I-CSCF through the P-CSCF;
- the I-CSCF requests the user status from the HSS and receives the response from the HSS;
- the I-CSCF sends the registration message carrying the RES parameter to the S-CSCF;
- the S-CSCF authenticates the user by comparing the RES parameter in the registration message with the locally stored RES parameter;
- after authentication succeeds, the S-CSCF sends a user registration/deregistration request message to the HSS;
- the HSS returns a user registration/deregistration response message to the S-CSCF;
- the S-CSCF returns a success confirmation message to the user terminal through the I-CSCF and the P-CSCF.
- 3GPP TS 24.229 v6.9.0 specifies that the first registration message of an ISIM card user using AKA authentication (such as the registration message sent in step 101 of FIG. 1) must carry an Authorization header field, which carries the user's private identity and the algorithm name.
- 3GPP TS 33.978 v6.3.0 specifies that the registration message of a user using Early IMS authentication must not carry the Authorization header field, and an IMS network supporting both IMS AKA authentication and Early IMS authentication determines which authentication type the user expects to use by checking whether the registration message carries the Authorization header field.
- The user's first registration message does not normally carry an Authorization header field.
- The user's second registration message always carries Authorization, with the user's username and the algorithm name.
- TISPAN Release 1 does not specify whether the registration message of a fixed-network user carries Authorization. Therefore, user equipment that follows TISPAN Release 1 may not carry the Authorization header field when performing NASS-Bundled authentication.
- The invention provides an authentication negotiation method and a communication system using it, which improve the accuracy of the authentication type determination.
- The present invention provides an authentication negotiation method, including:
- the home subscriber server (HSS) receives an extended authentication vector request (MAR) message sent by the S-CSCF;
- the HSS determines, according to the received MAR message, that the S-CSCF needs to obtain an authentication type;
- the HSS reads the authentication types subscribed by the user, selects one of them according to the authentication type that the S-CSCF needs to obtain, and provides the selected authentication type to the S-CSCF.
- A home subscriber server provided by the present invention includes:
- a receiving unit, which receives the extended authentication vector request (MAR) message sent by the serving call session control unit (S-CSCF);
- a determining unit, which determines, according to the received MAR message, that the S-CSCF needs to obtain an authentication type;
- an obtaining unit, which reads the authentication types subscribed by the user and the corresponding authentication data;
- a selecting unit, which selects an authentication type from the authentication types subscribed by the user according to the authentication type that the S-CSCF needs to acquire;
- a sending unit, which sends the selected authentication type and its corresponding authentication data to the S-CSCF.
- The present invention also provides a system with an authentication negotiation function, including a home subscriber server (HSS) and a serving call session control unit (S-CSCF):
- the S-CSCF transmits an extended authentication vector request (MAR) message;
- the HSS is configured to read the authentication types of the user's subscription and to select an authentication type among them;
- the HSS receives the extended MAR message sent by the S-CSCF and selects an authentication type subscribed by the user according to the authentication type information carried by the extended MAR message;
- the HSS sends the selected authentication type and its corresponding authentication data to the S-CSCF;
- the S-CSCF authenticates the user according to the received authentication data.
- When the S-CSCF cannot determine the authentication type, it negotiates with the home subscriber server, which stores the subscriber's subscription data and authentication data: the home subscriber server selects an authentication type from the types subscribed by the user according to the authentication type that the S-CSCF needs to acquire, and sends it to the S-CSCF. Determining the authentication type in the home subscriber server therefore improves the accuracy of the authentication type determination.
- FIG. 3 is a detailed flowchart of an authentication negotiation method in an embodiment of the present invention.
- FIG. 4 is a schematic diagram of a system in an embodiment of the present invention.
Detailed description
- The embodiment of the invention provides an authentication negotiation method and a communication system using the method, which improve the accuracy of the authentication type determination.
- The overall process of the authentication negotiation method provided by the embodiment is as follows. Step 201: read an authentication type;
- the HSS reads the authentication types of the user's subscription from local data;
- the HSS queries the authentication type with the highest priority among the types read. If the MAR message carries multiple authentication types, the HSS queries the highest-priority type within the intersection of that set and the set of authentication types subscribed by the user;
- the authentication data delivered to the S-CSCF includes the selected authentication type;
- the S-CSCF performs authentication according to the received authentication data.
- The detailed process of the authentication negotiation method provided by the embodiment is as follows:
- The user terminal sends a registration message to the P-CSCF; the P-CSCF forwards it to the I-CSCF; the I-CSCF sends a user registration status query request message to the HSS, and the HSS returns the user registration status query response to the I-CSCF.
- The I-CSCF selects the S-CSCF based on the User Registration Status Query Response message and sends the registration message to the S-CSCF.
- Step 302: determine whether the S-CSCF can determine the authentication type; if yes, go to step 307; if not, go to step 303.
- In IMS AKA authentication the first registration message must carry the Authorization header field;
- the registration message of a user in Early IMS authentication must not carry the Authorization header field, and the registration message of a user in HTTP Digest authentication or NASS-Bundled authentication may or may not carry it. Therefore the S-CSCF may be unable to determine the type of authentication the user needs to perform.
- When the S-CSCF cannot determine the authentication type, it must obtain the authentication type from the HSS.
- The request is implemented by sending an extended authentication vector request message (MAR, Multimedia Auth Request) from the S-CSCF to the HSS.
- In one extension, the attribute of the AVP SIP-Authentication-Scheme in the MAR message is changed to optional. If the parameter is carried, the S-CSCF can determine the authentication type and the HSS is not required to select it. If the parameter is not carried, the S-CSCF cannot determine the authentication type, and the HSS needs to select the authentication type and deliver the corresponding authentication data.
- In another extension, the value of the AVP SIP-Authentication-Scheme is extended with a possible value "Unknown", while the attribute of the AVP remains mandatory. Both the HSS and the S-CSCF must understand the meaning of "Unknown": a value of "Unknown" means that the S-CSCF cannot determine the authentication type.
- After the MAR message is extended in either of the above two ways, the S-CSCF sends the MAR message to the HSS, and the HSS determines from the received MAR message that the S-CSCF needs to obtain the authentication type.
- The S-CSCF can narrow the scope of the user's authentication according to the registration message; for example, it can determine that the user can only use Early IMS authentication or HTTP Digest authentication and cannot use IMS AKA.
- The S-CSCF may then carry a set of possible authentication types in the MAR message, indicating that the HSS should select within the intersection of that set and the set of authentication types supported by the user, which further improves the accuracy of the authentication selection.
- The MAR message extension carrying multiple authentication types can be implemented in the following three ways:
- First, the SIP-Authentication-Scheme AVP appears multiple times. If multiple instances are carried, the S-CSCF has determined that the user may use more than one authentication type; the HSS then selects the authentication type within the range supported by the user and delivers the authentication data corresponding to the selected type.
- When the user may adopt multiple authentication types, the number of possible types is indicated to the HSS by carrying a plurality of these elements.
- Second, a new AVP may be added to the MAR message with its 'M' (mandatory) bit set to 0, and multiple instances of the new AVP are carried to convey multiple authentication types. This way the original MAR message structure is left unchanged, and an HSS that does not support the new AVP can ignore it.
- Third, an AVP with the same structure as AVP SIP-Auth-Data-Item, for example named Extended-SIP-Auth-Data-Item, is added and may appear multiple times.
- This element can appear multiple times when the S-CSCF is able to determine the authentication data items; when the user may adopt multiple authentication types, the number of possible types is indicated to the HSS by carrying a plurality of these elements.
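As an added illustration of the new-AVP extension above (an AVP carried with its 'M' bit cleared), not code from the patent: the encoder and the legacy-receiver loop below show why an HSS that does not know the new AVP can skip it when M=0 but must reject it when M=1. The AVP codes are placeholders, not 3GPP-assigned values, and vendor-specific (V-bit) AVPs are out of scope.

```python
"""Diameter AVP framing (RFC 6733 layout) and the M-bit rule a legacy HSS applies.

Added illustration, not code from the patent. AVP codes are placeholders.
"""
from __future__ import annotations

import struct

AVP_CODE_KNOWN = 1001      # assumed: an AVP every HSS understands
AVP_CODE_EXTENDED = 9001   # assumed: the new multi-type AVP from the extension
FLAG_M = 0x40              # AVP flag bits: V=0x80, M=0x40, P=0x20


def encode_avp(code: int, data: bytes, mandatory: bool) -> bytes:
    """Encode one AVP: code(4) | flags(1) | length(3) | data, padded to 4 bytes."""
    flags = FLAG_M if mandatory else 0
    length = 8 + len(data)                 # length excludes padding
    pad = (-len(data)) % 4
    return struct.pack("!IB", code, flags) + length.to_bytes(3, "big") + data + b"\0" * pad


def decode_avps(buf: bytes, known: set[int]) -> list[tuple[int, bytes]]:
    """Walk a run of AVPs as a receiver that only understands `known` codes.

    Unknown AVP with M=0: skipped (this is what lets the extension coexist
    with an older HSS). Unknown AVP with M=1: the message must be rejected.
    """
    out: list[tuple[int, bytes]] = []
    pos = 0
    while pos < len(buf):
        if pos + 8 > len(buf):
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, pos)
        length = int.from_bytes(buf[pos + 5:pos + 8], "big")
        if length < 8 or pos + length > len(buf):
            raise ValueError("malformed AVP length")
        data = buf[pos + 8:pos + length]
        if code in known:
            out.append((code, data))
        elif flags & FLAG_M:
            # Diameter semantics: unsupported mandatory AVP -> reject the message.
            raise ValueError(f"unsupported mandatory AVP {code}")
        # else: unknown, non-mandatory -> ignored, as the extension relies on
        pos += length + (-length) % 4
    return out
```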
- Since the authentication types and authentication data supported by the user are all stored in the HSS as subscription data, the HSS knows which authentication modes the user supports. When the S-CSCF cannot obtain the user's authentication type from the registration message, the HSS obtains all the authentication types supported by the user from local storage.
- The HSS queries the authentication type with the highest priority among all the authentication types supported by the user. If the user supports only one authentication type, that type has the highest priority.
- If the MAR message carries a set of candidate authentication types, the HSS selects from the intersection of that set and the set of all authentication types supported by the user.
- The priority can be specified by the user at subscription time, or by the HSS, in which case it is valid for all users. If the priority is specified by the HSS, one possible ordering ranks the types by the strength of the authentication algorithm, from high to low: IMS AKA authentication, Early IMS authentication, HTTP Digest authentication.
- The HSS sends the queried highest-priority authentication type to the S-CSCF.
- The S-CSCF performs authentication according to the received authentication type.
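The HSS selection rule described in the steps above (use the type the S-CSCF carried when it is definite, otherwise pick the highest-priority subscribed type within the candidate set, with a user priority overriding the HSS default), as an added Python illustration rather than code from the patent; the scheme labels, the Subscription record and select_auth_type are assumed names.

```python
"""HSS-side authentication type selection for the extended MAR.

Added illustration, not code from the patent or any IMS product. The scheme
labels, the Subscription record and select_auth_type are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

IMS_AKA = "IMS-AKA"          # assumed labels for the three authentication types
EARLY_IMS = "Early-IMS"
HTTP_DIGEST = "HTTP-Digest"
UNKNOWN = "Unknown"          # extended SIP-Authentication-Scheme value: S-CSCF could not decide

# HSS-wide default priority, strongest algorithm first, as the text proposes.
HSS_DEFAULT_PRIORITY = [IMS_AKA, EARLY_IMS, HTTP_DIGEST]


@dataclass
class Subscription:
    """Per-user subscription data held by the HSS."""
    auth_data: dict[str, bytes]           # subscribed type -> its authentication data
    priority: Optional[list[str]] = None  # priority chosen by the user at subscription, if any


@dataclass
class MAR:
    """The part of the extended MAR that drives the selection."""
    schemes: list[str] = field(default_factory=list)  # SIP-Authentication-Scheme, 0..n instances


def select_auth_type(mar: MAR, sub: Subscription) -> tuple[str, bytes]:
    """Return the (auth_type, auth_data) pair the HSS puts in its answer.

    A single definite scheme means the S-CSCF already determined the type.
    No scheme, "Unknown", or several schemes means the HSS must choose: the
    highest-priority subscribed type, restricted to the S-CSCF's candidate
    set when one was supplied.
    """
    subscribed = set(sub.auth_data)
    determined = [s for s in mar.schemes if s != UNKNOWN]

    if len(mar.schemes) == 1 and determined:
        scheme = determined[0]
        # Never hand out credentials for a type the user did not subscribe to.
        if scheme not in subscribed:
            raise ValueError(f"user is not subscribed to {scheme}")
        return scheme, sub.auth_data[scheme]

    candidates = subscribed & set(determined) if determined else subscribed
    if not candidates:
        raise ValueError("no subscribed authentication type matches the request")

    # A user-specified priority overrides the HSS-wide default.
    order = sub.priority or HSS_DEFAULT_PRIORITY
    for scheme in order:
        if scheme in candidates:
            return scheme, sub.auth_data[scheme]
    raise ValueError("no priority defined for the candidate types")
```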
- The communication system used in the embodiment includes a home subscriber server 404 and a serving call session control unit 405. The home subscriber server 404 is configured to read the subscribed authentication types, query the highest-priority authentication type among them, and send that type to the serving call session control unit 405; the serving call session control unit 405 authenticates the user according to the received authentication type.
- The system further includes a proxy call session control unit 402, an interrogating call session control unit 403 and a user terminal 401. The user terminal 401 sends a registration message to the proxy call session control unit 402; the proxy call session control unit 402 receives it and forwards it to the interrogating call session control unit 403; the interrogating call session control unit 403 sends a user registration status query request message to the home subscriber server 404 according to the received registration message.
- The embodiment of the invention further provides a home subscriber server, including:
- a receiving unit, which receives the extended authentication vector request (MAR) message sent by the serving call session control unit (S-CSCF);
- a determining unit, which determines, according to the received MAR message, that the S-CSCF needs to obtain an authentication type;
- an obtaining unit, which reads the authentication types subscribed by the user and the corresponding authentication data;
- a selecting unit, which selects an authentication type from the authentication types subscribed by the user according to the authentication type that the S-CSCF needs to acquire;
- a sending unit, which sends the selected authentication type and its corresponding authentication data to the S-CSCF.
- The home subscriber server stores the subscriber's subscription data and authentication data; the S-CSCF negotiates with the home subscriber server, which selects an authentication type from the types subscribed by the user according to the authentication type that the S-CSCF needs to obtain and sends it to the S-CSCF. Determining the authentication type in the home subscriber server therefore improves the accuracy of the authentication type determination.
- The home subscriber server sends the highest-priority authentication type to the serving call session control unit according to a preset priority, so the accuracy of authentication is improved.
- The priority can be set by the home subscriber server or by the user according to actual needs, so the flexibility of obtaining the authentication type is improved.
- The serving call session control unit can request the authentication type from the home subscriber server in a variety of ways, which improves the adaptability of the invention.
- The method may be implemented by a program instructing the related hardware, and the program may be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disk. Alternatively, the units may be fabricated as individual integrated circuit modules, or several units or steps may be fabricated as a single integrated circuit module. Thus, the invention is not limited to any specific combination of hardware and software.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Telephonic Communication Services (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
This invention relates to an authentication negotiation method. According to this method, when the serving call session control function (S-CSCF) cannot determine the authentication type, it requests it from the HSS; the home subscriber server (HSS) receives the extended Multimedia Authentication Request (MAR) transmitted by the S-CSCF; the HSS determines from the MAR the authentication type required by the S-CSCF; the HSS reads the authentication types subscribed by the user and provides the authentication type it selects from those subscribed types according to the authentication type required by the S-CSCF. This invention also relates to an authentication negotiation system and a home subscriber server. The embodiment described in this invention improves the accuracy and flexibility of the authentication type determination.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200610127603.3 | 2006-08-29 | | |
| CN200610127603A CN100591012C (zh) | 2006-08-29 | 2006-08-29 | 一种鉴权协商方法及一种通讯系统 |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2008034377A1 true WO2008034377A1 (fr) | 2008-03-27 |
Family
ID=37722223
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2007/070572 Ceased WO2008034377A1 (fr) | 2006-08-29 | 2007-08-28 | Authentication negotiation method and system |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN100591012C (fr) |
| WO (1) | WO2008034377A1 (fr) |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN100591012C (zh) * | 2006-08-29 | 2010-02-17 | Huawei Technologies Co., Ltd. | An authentication negotiation method and a communication system |
| CN112953718B (zh) * | 2019-11-26 | 2024-05-28 | China Mobile Group Anhui Co., Ltd. | Authentication method and apparatus for IMS network users, and call session control function entity |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2003075596A1 (fr) * | 2002-03-07 | 2003-09-12 | Nokia Corporation | Assignment of an S-CSCF to a subscriber |
| US20060030320A1 (en) * | 2004-08-03 | 2006-02-09 | Nokia Corporation | User registration in a communication system |
| CN1753363A (zh) * | 2004-09-23 | 2006-03-29 | Huawei Technologies Co., Ltd. | Method for selecting the authentication mode on the network side |
| CN1801815A (zh) * | 2005-08-08 | 2006-07-12 | Huawei Technologies Co., Ltd. | Method for implementing initial Internet Protocol Multimedia Subsystem registration |
| CN1913438A (zh) * | 2006-08-29 | 2007-02-14 | Huawei Technologies Co., Ltd. | An authentication negotiation method and a communication system |
2006
- 2006-08-29 CN CN200610127603A patent/CN100591012C/zh not_active Expired - Fee Related
2007
- 2007-08-28 WO PCT/CN2007/070572 patent/WO2008034377A1/fr not_active Ceased
Also Published As
| Publication number | Publication date |
|---|---|
| CN100591012C (zh) | 2010-02-17 |
| CN1913438A (zh) | 2007-02-14 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 07801004; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | NENP | Non-entry into the national phase | Ref country code: RU |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 07801004; Country of ref document: EP; Kind code of ref document: A1 |