WO2025094204A1 - System and method for authenticating a user equipment - Google Patents
- Publication number: WO2025094204A1 (PCT/IN2024/052163)
- Authority: WO (WIPO, PCT)
- Prior art keywords
- request
- authentication
- network
- cscf
- server
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H04L63/00—Network architectures or network communication protocols for network security
  - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
  - H04W12/06—Authentication
    - H04W12/069—Authentication using certificates or pre-shared keys
  - H04W12/60—Context-dependent security
    - H04W12/69—Identity-dependent
      - H04W12/72—Subscriber identity
Definitions
- a portion of the disclosure of this patent document contains material which is subject to intellectual property rights such as, but not limited to, copyright, design, trademark, Integrated Circuit (IC) layout design, and/or trade dress protection, belonging to Jio Platforms Limited (JPL) or its affiliates (hereinafter referred to as the owner).
- JPL Jio Platforms Limited
- the owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the Patent and Trademark Office patent files or records, but otherwise reserves all rights whatsoever. All rights to such intellectual property are fully reserved by the owner.
- the present disclosure relates generally to the field of wireless communication systems. More particularly, the present disclosure relates to a system and a method for authenticating a user equipment (UE) in a network.
- UE user equipment
- IMS IP Multimedia Subsystem
- IP Internet Protocol
- the IMS network provides a standardized way to deliver voice, video, and other multimedia services by integrating various types of communication and application services into a unified system. Further, the IMS network allows new person-to-person (client-to-client) as well as person-to-content (client-to-server) communications over an IP-based network.
- S-CSCF Serving Call session control function
- the S-CSCF manages and controls the signaling and session control processes for voice and multimedia sessions.
- the S-CSCF handles tasks such as routing Session Initiation Protocol (SIP) messages, managing user sessions, enforcing service policies, and interacting with other IMS network elements to establish, modify, and terminate multimedia sessions.
- SIP Session Initiation Protocol
- I-CSCF Interrogating Call Session Control Function
- HSS Home Subscriber Server
- SIP is responsible for establishing communication sessions between network identities and managing the flow of multimedia content.
- P-CSCF Proxy Call Session Control Function
- the expression “Multimedia-Auth-Request (MAR)” as used hereinafter refers to the Diameter Cx command by which a requesting node (called an Authentication Server (AS) in this disclosure; in 3GPP TS 29.228 it is the S-CSCF itself) requests authentication data from the HSS for a specific user.
- MAR processing is essential for verifying the identity of users and UEs in the IMS network, so that access to network services is secured.
- the expression “Multimedia-Auth-Answer (MAA)” as used hereinafter in the specification refers to the command by which the HSS responds to the MAR command from the requesting node.
- the MAA carries information such as authentication vectors, session identifiers, and result codes, which the requesting node needs in order to validate the user's credentials and grant secure access to IMS services.
- a user equipment can access a range of multimedia services, including voice, video, and data.
- to access these services, the UE must first register with the IMS network, using signaling protocols such as Hypertext Transfer Protocol (HTTP), Simple Mail Transfer Protocol (SMTP), or Session Initiation Protocol (SIP).
- HTTP Hypertext Transfer Protocol
- SMTP Simple Mail Transfer Protocol
- the IMS network manages the session by handling setup, routing, and control processes to ensure the requested service is delivered accurately and efficiently.
- a Serving-Call Session Control Function is a primary component in the IMS network responsible for session control.
- the S-CSCF processes the service request sent by the UE.
- the IMS network receives one or more service requests simultaneously from a plurality of UEs. At times the S-CSCF struggles to handle many simultaneous service requests, because authenticating each UE takes time and processing effort.
- the S-CSCF allocates a duration for each UE registration in the IMS network, and if the authentication fails, the time allocated for that registration is wasted. A service request can fail because of authentication failure, network connectivity issues, configuration problems, or S-CSCF failure.
- the service request failures cause service disruption, loss of IMS features that require authentication, unclear error messages that frustrate the user, and loss of trust in the network service among the users.
- these failures are handled manually, which increases the workload for the network operation teams, leading to higher operational costs.
- handling the authentication involves the risk of unauthorized access or fraudulent activities.
- as characterized in this disclosure, the S-CSCF performs one-way authentication for UE registration, which may lead to unauthorized access to the IMS network and its services.
- this one-way authentication process consists of checking the UE's credential against a database.
- the S-CSCF permits the UE registration if the credential is found in the database.
- because only the UE side is verified, an attacker holding stolen UE credentials can deceive the S-CSCF and register as that subscriber.
- certain UEs in the IMS network may not send supported authentication algorithms to the S-CSCF, leading to failures in the Multimedia-Auth-Request (MAR) process. This could be due to various reasons, such as incompatible configurations or software issues.
- MAR Multimedia-Auth-Request
- a method for authenticating a user equipment (UE) in a network includes receiving at least one request from the UE by a network function.
- the method includes determining, by the network function, whether the at least one received request includes an authentication identifier.
- the method includes, upon determining an absence of the authentication identifier in the at least one received request, selecting a supported authentication identifier based on an operator policy.
- the method includes sending an authentication request along with the selected authentication identifier to a server by the network function.
- the server is configured to authenticate the UE based upon the received authentication identifier.
- the authentication request is a Multimedia-Auth-Request (MAR) command that is configured to request security information from the server.
- MAR Multimedia-Auth-Request
- the method further includes sending a Multimedia-Auth-Answer (MAA) to the network function in response to the authentication request by the server.
- MAA Multimedia-Auth-Answer
- the method further includes sending an acknowledgement message to the UE in response to the MAA by the network function.
- the method further includes determining and extracting one or more headers associated with the at least one received registration request by the network function.
- a system for authenticating a user equipment (UE) in a network includes a network function.
- the network function includes a receiving unit, a memory and a processing unit.
- the receiving unit is configured to receive at least one request from the UE.
- the memory is configured to store the at least one received request.
- the processing unit is configured to execute instructions stored in the memory.
- the system further includes a determining module configured to determine whether the at least one received request includes an authentication identifier.
- the system further includes a selection module configured to select a supported authentication identifier based on an operator policy, upon determining an absence of the authentication identifier in the at least one received request.
- the system further includes a communication module configured to send an authentication request along with the selected authentication identifier (the selected authentication algorithm) to a server.
- the server is configured to authenticate the UE based upon the received authentication identifier.
- the server is configured to send a Multimedia-Auth-Answer (MAA) to the network function in response to the authentication request.
- MAA Multimedia-Auth-Answer
- the network function is configured to send an acknowledgement message to the UE in response to the MAA.
- a user equipment (UE) communicatively coupled with a network is disclosed.
- the coupling includes steps of receiving a connection request, sending an acknowledgment of the connection request to the network and transmitting a plurality of signals in response to the connection request.
- the UE is connected with a system configured to authenticate the UE in the network.
- the system includes a network function.
- the network function includes a receiving unit, a memory and a processing unit.
- the receiving unit is configured to receive at least one request from the UE.
- the memory is configured to store the at least one received request.
- the processing unit is configured to execute instructions stored in the memory.
- the system further includes a determining module configured to determine whether the at least one received request includes an authentication identifier.
- the system further includes a selection module configured to select a supported authentication identifier based on an operator policy, upon determining an absence of the authentication identifier in the at least one received request.
- the system further includes a communication module configured to send an authentication request along with the selected authentication identifier (the selected authentication algorithm) to a server.
- the server is configured to authenticate the UE based upon the received authentication identifier.
- the present disclosure discloses a computer program product comprising a non-transitory computer-readable medium comprising instructions that, when executed by one or more processors, cause the one or more processors to execute a method for authenticating a user equipment (UE) in a network.
- the method includes receiving at least one request from the UE by a network function.
- the method includes determining, by the network function, whether the at least one received request includes an authentication identifier.
- the method includes, upon determining an absence of the authentication identifier in the at least one received request, selecting a supported authentication identifier based on an operator policy.
- the method includes sending an authentication request along with the selected authentication identifier to a server by the network function.
- the server is configured to authenticate the UE based upon the received authentication identifier.
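The registration path summarized in the method, system, UE and computer-program-product paragraphs above, shown end to end as an added example. This is the editor's illustration, not the patent's or any operator's code. It assumes: a per-realm OPERATOR_POLICY table (the "operator policy"), an S-CSCF name SERVER_NAME, the SIP Digest `algorithm` parameter as the "authentication identifier", the Cx AVP names of 3GPP TS 29.228 for the MAR and MAA, and a constructed in-process HSS that returns random bytes where a real HSS would compute RAND/AUTN/XRES/CK/IK from the subscriber key. The two REGISTER messages are constructed sample input.

```python
"""Added example (not the patent's code): S-CSCF registration path, REGISTER ->
scheme selection -> Cx MAR -> constructed HSS MAA -> 401 challenge to the UE.
OPERATOR_POLICY, SERVER_NAME, the in-process HSS and sample REGISTERs are assumed."""
import base64
import re
import secrets

# Assumed operator policy: ordered scheme preference per home realm.  It doubles as
# an allow-list, so a missing 'algorithm' parameter cannot become a silent downgrade.
OPERATOR_POLICY = {"ims.example.net": ["Digest-AKAv1-MD5", "SIP Digest"]}
SERVER_NAME = "sip:scscf1.ims.example.net"  # assumed S-CSCF name (Server-Name AVP)
# SIP Digest 'algorithm' value -> Cx SIP-Authentication-Scheme (3GPP TS 29.228).
ALGORITHM_TO_SCHEME = {"akav1-md5": "Digest-AKAv1-MD5", "md5": "SIP Digest"}
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def extract_headers(register: str) -> dict:
    """Lower-cased header name -> value, stopping at the blank line after the headers."""
    headers = {}
    for line in register.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_authorization(value: str) -> dict:
    """Parse 'Digest k=v, k="v", ...' into a dict; {} if it is not a Digest header."""
    if not value.lower().startswith("digest "):
        return {}
    return {m.group(1).lower(): m.group(3) if m.group(2) is None else m.group(2)
            for m in _PARAM_RE.finditer(value[7:])}


def select_scheme(auth: dict, realm: str) -> tuple:
    """(scheme, source): honour a UE-supplied algorithm only if policy allows it,
    replace an absent one by the operator's first choice, reject an unsupported one."""
    allowed = OPERATOR_POLICY.get(realm, [])
    alg = auth.get("algorithm")
    if alg is not None:
        scheme = ALGORITHM_TO_SCHEME.get(alg.lower())
        if scheme is None or scheme not in allowed:
            raise ValueError(f"algorithm {alg!r} not supported in realm {realm}")
        return scheme, "ue"
    if not allowed:
        raise ValueError(f"no operator policy for realm {realm}")
    return allowed[0], "operator-policy"


def build_mar(headers: dict) -> dict:
    """Cx Multimedia-Auth-Request keyed by AVP name; home realm = domain of the IMPU (To)."""
    auth = parse_authorization(headers.get("authorization", ""))
    impu = headers["to"].split(";")[0].strip("<> ")
    scheme, _ = select_scheme(auth, impu.split("@", 1)[1])
    return {"User-Name": auth.get("username", impu[len("sip:"):]),  # IMPI
            "Public-Identity": impu, "Server-Name": SERVER_NAME,
            "SIP-Number-Auth-Items": 1,
            "SIP-Auth-Data-Item": {"SIP-Authentication-Scheme": scheme}}


def hss_answer(mar: dict) -> dict:
    """Constructed HSS: a Multimedia-Auth-Answer with one auth vector for the requested
    scheme.  A real HSS derives RAND/AUTN/XRES/CK/IK from the subscriber key (MILENAGE)."""
    item = dict(mar["SIP-Auth-Data-Item"])
    if item["SIP-Authentication-Scheme"] == "Digest-AKAv1-MD5":
        item.update({"SIP-Authenticate": secrets.token_bytes(32),  # RAND || AUTN
                     "SIP-Authorization": secrets.token_bytes(8),  # XRES
                     "Confidentiality-Key": secrets.token_bytes(16),
                     "Integrity-Key": secrets.token_bytes(16)})
    else:  # SIP Digest: the HSS hands over H(A1) for the subscriber
        item["SIP-Digest-Authenticate"] = {"Digest-Algorithm": "MD5",
                                           "Digest-HA1": secrets.token_hex(16)}
    return {"Result-Code": 2001, "SIP-Auth-Data-Item": item}  # DIAMETER_SUCCESS


def build_challenge(maa: dict, realm: str) -> str:
    """WWW-Authenticate for the 401.  For AKA the nonce carries RAND||AUTN, which the
    UE verifies, so the network is authenticated to the UE too; CK/IK never go over the air."""
    item = maa["SIP-Auth-Data-Item"]
    if item["SIP-Authentication-Scheme"] == "Digest-AKAv1-MD5":
        nonce, alg = item["SIP-Authenticate"], "AKAv1-MD5"
    else:
        nonce, alg = secrets.token_bytes(16), "MD5"
    return (f'WWW-Authenticate: Digest realm="{realm}", '
            f'nonce="{base64.b64encode(nonce).decode()}", algorithm={alg}, qop="auth"')


def handle_register(register: str) -> dict:
    """End to end: REGISTER -> MAR -> MAA -> 401 challenge."""
    mar = build_mar(extract_headers(register))
    maa = hss_answer(mar)
    challenge = build_challenge(maa, mar["Public-Identity"].split("@", 1)[1])
    return {"mar": mar, "maa": maa, "response": "SIP/2.0 401 Unauthorized\r\n" + challenge}


# Constructed sample REGISTERs: one names its algorithm, the other omits it.
REGISTER_WITH_ALG = (
    "REGISTER sip:ims.example.net SIP/2.0\r\n"
    "To: <sip:user1_public1@ims.example.net>\r\n"
    'Authorization: Digest username="user1_private@ims.example.net", '
    'realm="ims.example.net", nonce="", uri="sip:ims.example.net", '
    'response="", algorithm=AKAv1-MD5\r\n\r\n')
REGISTER_NO_ALG = REGISTER_WITH_ALG.replace(", algorithm=AKAv1-MD5", "")
```

`handle_register(REGISTER_NO_ALG)` takes the policy branch and still yields an AKA challenge, which is the failure mode the disclosure targets. The policy table is deliberately also the allow-list: a UE that names an algorithm outside it is rejected rather than silently moved to another scheme, so a client that omits or alters the parameter cannot steer the S-CSCF into a weaker scheme than the operator permits.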
- An objective of the present disclosure is to provide a system and method for authenticating a user equipment (UE) in a network.
- Another objective of the present disclosure is to provide a system and method that reduces subscriber registration failure in the network by selecting an authentication algorithm based on operator policy.
- Another objective of the present disclosure is to provide a system and method for enhancing the performance of the network by enabling the authentication algorithm for smooth operation.
- Yet another objective of the present disclosure is to provide a system and a method for authenticating the UE in the network when the UE does not send a supported authentication algorithm to a Serving-Call Session Control Function (S-CSCF).
- Still another objective of the present disclosure is to enable the S-CSCF to select the authentication algorithm for the UE based on an operator policy if the UE does not send a supported algorithm to the S-CSCF.
- FIG. 1A illustrates a network architecture for implementing a system for authenticating a user equipment (UE) in a network, in accordance with an embodiment of the present disclosure.
- FIG. 1B illustrates an exemplary network architecture for the network, in accordance with an embodiment of the present disclosure.
- FIG. 2 illustrates exemplary system architecture for authenticating the UE in the network, in accordance with an embodiment of the present disclosure.
- FIG. 3 illustrates a flow diagram of a method of registering the UE according to the prior art.
- FIG. 4 illustrates an exemplary flow diagram of the processing of a registration request received from the UE, in accordance with an embodiment of the present disclosure.
- individual embodiments may be described as a process that is depicted as a flowchart, a flow diagram, a data flow diagram, a structure diagram, or a block diagram. Although a flowchart may describe the operations as a sequential process, many of the operations can be performed in parallel or concurrently. In addition, the order of the operations may be re-arranged.
- a process is terminated when its operations are completed but could have additional steps not included in a figure.
- a process may correspond to a method, a function, a procedure, a subroutine, a subprogram, etc. When a process corresponds to a function, its termination can correspond to a return of the function to the calling function or the main function.
- the word “exemplary” and/or “demonstrative” is used herein to mean serving as an example, instance, or illustration.
- the subject matter disclosed herein is not limited by such examples.
- any aspect or design described herein as “exemplary” and/or “demonstrative” is not necessarily to be construed as preferred or advantageous over other aspects or designs, nor is it meant to preclude equivalent exemplary structures and techniques known to those of ordinary skill in the art.
- where the terms “includes,” “has,” “contains,” and other similar words are used in either the detailed description or the claims, such terms are intended to be inclusive, like the term “comprising” as an open transition word, without precluding any additional or other elements.
- the terms “mobile device”, “user equipment”, “user device”, “communication device”, “device” and similar terms are used interchangeably for the purpose of describing the invention. These terms are not intended to limit the scope of the invention or imply any specific functionality or limitations on the described embodiments. The use of these terms is solely for convenience and clarity of description. The invention is not limited to any particular type of device or equipment, and it should be understood that other equivalent terms or variations thereof may be used interchangeably without departing from the scope of the invention as defined herein.
- an “electronic device”, or “portable electronic device”, or “user device” or “communication device” or “user equipment” or “device” refers to any electrical, electronic, electromechanical and computing device.
- the user device is capable of receiving and/or transmitting one or more parameters, performing functions, communicating with other user devices and transmitting data to the other user devices.
- the user equipment may have a processor, a display, a memory, a battery and an input-means such as a hard keypad and/or a soft keypad.
- the user equipment may be capable of operating on any radio access technology including but not limited to IP-enabled communication, Zig Bee, Bluetooth, Bluetooth Low Energy, Near Field Communication, Z-Wave, Wi-Fi, Wi-Fi direct, etc.
- the user equipment may include, but not limited to, a mobile phone, smartphone, virtual reality (VR) devices, augmented reality (AR) devices, laptop, a general- purpose computer, desktop, personal digital assistant, tablet computer, mainframe computer, or any other device as may be obvious to a person skilled in the art for implementation of the features of the present disclosure.
- VR virtual reality
- AR augmented reality
- the user device may also comprise a “processor” or “processing unit”, where processor refers to any logic circuitry for processing instructions.
- the processor may be a general-purpose processor, a special purpose processor, a conventional processor, a digital signal processor, a plurality of microprocessors, one or more microprocessors in association with a DSP core, a controller, a microcontroller, Application Specific Integrated Circuits, Field Programmable Gate Array circuits, any other type of integrated circuits, etc.
- the processor may perform signal coding, data processing, input/output processing, and/or any other functionality that enables the working of the system according to the present disclosure. More specifically, the processor is a hardware processor.
- the capabilities of 6G enable new types of applications and services, such as advanced augmented reality (AR) and virtual reality (VR), holographic communications, and more immersive digital experiences.
- these advancements represent a significant leap forward from previous generations, enabling enhanced mobile broadband, improved Internet of Things (IoT) connectivity, and more efficient use of network resources.
- the sixth generation (6G) technology promises to build upon these advancements, pushing the boundaries of wireless communication even further. While 5G technology is still being rolled out globally, research and development into 6G is rapidly progressing, with the aim of revolutionizing the way we connect and interact with technology.
- Radio Access Technology (RAT) refers to the technology used by mobile devices/user equipment (UE) to connect to a cellular network. It refers to the specific protocols and standards that govern the way devices communicate with base stations, which are responsible for providing the wireless connection. Further, each RAT has its own set of protocols and standards for communication, which define the frequency bands, modulation techniques, and other parameters used for transmitting and receiving data. Examples of RATs include GSM (Global System for Mobile Communications), CDMA (Code Division Multiple Access), UMTS (Universal Mobile Telecommunications System), LTE (Long-Term Evolution), 5G, 6G and the like. The choice of RAT depends on a variety of factors, including the network infrastructure, the available spectrum, and the mobile device's capabilities. Mobile devices often support multiple RATs, allowing them to connect to different types of networks and provide optimal performance based on the available network resources.
- IP Multimedia Subsystem is a framework designed to facilitate the delivery of multimedia services over IP networks.
- the IMS network provides a standardized architecture for integrating various types of multimedia communication, such as voice, video, and text, into a cohesive system.
- the IMS network includes several key components: a Call Session Control Function (CSCF), which manages the setup, modification, and maintenance of multimedia sessions; a Home Subscriber Server (HSS), which stores user profiles and authentication information; and an Application Server (AS), which hosts and executes the multimedia services and applications.
- CSCF Call Session Control Function
- HSS Home Subscriber Server
- AS Application Server
- MRF Media Resource Function
- the S-CSCF is a primary node in the IMS network responsible for session control.
- the S-CSCF processes the service request sent by the UE.
- the IMS network receives one or more service requests simultaneously from a plurality of UEs. At times the S-CSCF struggles to handle many service requests at the same time, because authenticating each UE takes time and processing effort.
- the S-CSCF allocates a duration for each UE registration in the IMS network, and if the authentication fails, the time allocated for that registration is wasted. A service request can fail because of authentication failure, network connectivity issues, configuration problems, or S-CSCF failure.
- the service request failures cause service disruption, loss of IMS features that require authentication, unclear error messages that frustrate the user, and loss of trust in the network service among the users.
- the failure in authentication disables the user from accessing the IMS services such as video calls, voice calls, and messaging.
- the UE may initiate the registration request towards the S-CSCF.
- the S-CSCF performs the authentication process on the received service request.
- the authentication process is a one-way authentication process that is performed at the S-CSCF.
- this one-way authentication verifies the identity of the user and the UE, but the UE does not in turn authenticate the S-CSCF, so no mutual authentication takes place.
- the S-CSCF performs the one-way authentication by validating the UE's credentials against its authentication database. If the S-CSCF finds the credentials in the database, the UE is registered with the IMS network; otherwise, the S-CSCF rejects the UE registration.
- the absence of mutual authentication makes the UE vulnerable to man-in-the-middle attacks or phishing, leading to unauthorized access or data breaches.
- the present disclosure aims to overcome the above-mentioned and other existing problems in this field of technology by enabling S-CSCF to select an authentication algorithm based on an operator policy if the UE does not send a supported authentication algorithm to the S-CSCF.
- FIG. 1A illustrates a network architecture (100A) for implementing a system for authenticating a user equipment (UE) (104) in a network, in accordance with an embodiment of the present disclosure.
- the network architecture (100A) may include one or more user equipments (UEs) (104-1, 104-2... 104-N) associated with one or more users (102-1, 102-2... 102-N) in an environment.
- a person of ordinary skill in the art will understand that the one or more users (102-1, 102-2... 102-N) may be collectively referred to as the users (102), and the one or more UEs (104-1, 104-2... 104-N) as the UE (104).
- the UE (104) may include smart devices operating in a smart environment, for example, an Internet of Things (IoT) system.
- the UE (104) may include, but is not limited to, smartphones, smart watches, smart sensors (e.g., mechanical, thermal, electrical, magnetic, etc.), networked appliances, networked peripheral devices, networked lighting system, communication devices, networked vehicle accessories, networked vehicular devices, smart accessories, tablets, smart television (TV), computers, smart security system, smart home system, other devices for monitoring or interacting with or for the users (102) and/or entities, or any combination thereof.
- the UE (104) may include, but not limited to, intelligent, multisensing, network-connected devices, which may integrate seamlessly with each other and/or with a central server or a cloud-computing system or any other device that is network-connected.
- the UE (104) may include, but is not limited to, a handheld wireless communication device (e.g., a mobile phone, a smartphone, a tablet device, and so on), a wearable computer device (e.g., a headmounted display computer device, a head-mounted camera device, a wristwatch computer device, and so on), a Global Positioning System (GPS) device, a laptop computer, a tablet computer, or another type of portable computer, a media playing device, a portable gaming system, and/or any other type of computer device with wireless communication capabilities, and the like.
- GPS Global Positioning System
- the UE (104) may include, but is not limited to, any electrical, electronic, electromechanical, or equipment, or a combination of one or more of the above devices, such as virtual reality (VR) devices, augmented reality (AR) devices, laptop, a general-purpose computer, desktop, personal digital assistant, tablet computer, mainframe computer, or any other computing device, wherein the UE (104) may include one or more inbuilt or externally coupled accessories including, but not limited to, a visual aid device such as a camera, an audio aid, a microphone, a keyboard, and input devices for receiving input from the user (102) or the entity such as touchpad, touch-enabled screen, electronic pen, and the like.
- the UE (104) may not be restricted to the mentioned devices and various other devices may be used.
- the UE (104) may communicate with the system (108) through a network (106) (for example an Internet Protocol (IP) Multimedia Subsystem (IMS)) for sending or receiving various types of data.
- the network (106) may include at least one of a fifth generation (5G) network, sixth generation (6G) network, or the like.
- the network (106) may enable the UE (104) to communicate with other devices in the network architecture (100A) and/or with the system (108).
- the network (106) may include a wireless card or some other transceiver connection to facilitate this communication.
- the network (106) may be implemented as, or include any of a variety of different communication technologies such as a wide area network (WAN), a local area network (LAN), a wireless network, a mobile network, a Virtual Private Network (VPN), the Internet, the Public Switched Telephone Network (PSTN), or the like.
- WAN wide area network
- LAN local area network
- VPN Virtual Private Network
- PSTN Public Switched Telephone Network
- the network (106) may include, by way of example but not limitation, at least a portion of one or more networks having one or more nodes that transmit, receive, forward, generate, buffer, store, route, switch, process, or a combination thereof, etc. one or more messages, packets, signals, waves, voltage or current levels, some combination thereof, or so forth.
- the network (106) may also include, by way of example but not limitation, one or more of a wireless network, a wired network, an internet, an intranet, a public network, a private network, a packet- switched network, a circuit-switched network, an ad hoc network, an infrastructure network, a cable network, a cellular network, a satellite network, a fiber optic network, or some combination thereof.
- the UE (104) is communicatively coupled with the network (106).
- the network (106) may receive a connection request from the UE (104).
- the network (106) may send an acknowledgment of the connection request to the UE (104).
- the UE (104) may transmit a plurality of signals in response to the connection request.
- although FIG. 1A shows exemplary components of the network architecture (100A), in other embodiments the network architecture (100A) may include fewer components, different components, differently arranged components, or additional functional components than depicted in FIG. 1A. Additionally, or alternatively, one or more components of the network architecture (100A) may perform functions described as being performed by one or more other components of the network architecture (100A).
- referring to FIG. 1B, an exemplary network architecture (100B) for the IMS network is described, in accordance with an embodiment of the present disclosure.
- the IMS network may be a framework for delivering multimedia communications services such as voice, video, and text messages over IP networks.
- the IMS network may enable secure and reliable multimedia communications between the plurality of UEs (104).
- the IMS network may provide a unified infrastructure and common mechanism for controlling, manipulating, routing, and managing sessions. For example, the user makes a voice call using the UE. The user dials a phone number on the UE. The UE may send a call request to the IMS network.
- the call request may reach the various components of the IMS network, such as a Proxy-Call Session Control Function (P-CSCF) (110), an Interrogating-Call Session Control Function (I-CSCF) (120), and a Serving-Call Session Control Function (S-CSCF) (130).
- the network architecture (100B) includes the UE (104) and various IMS network functions (nodes) such as the P-CSCF (110), the I-CSCF (120), the S-CSCF (130), and a server (140).
- the server (140) is a Home Subscriber Server (HSS) (140).
- the UE (104) may be any device used by an end user to access multimedia services through the IMS network.
- the P-CSCF (110), the I-CSCF (120), the S-CSCF (130), and the HSS (140) may be nodes of the IMS control layer (responsible for handling the signaling, session control, and service management that enable various communication services such as voice, video, and messaging).
- the network architecture (100B) further includes an Authentication Server (AS) (150).
- AS Authentication Server
- the IMS (114) is configured to deliver multimedia communications services such as voice, video and text messaging over IP networks and thus is configured to interface with another network node.
- the IMS (114) includes three layers: an application layer, a control layer, and a transport layer with standardized interfaces to promote scalability, flexibility, and extensibility.
- the IMS (114) enables secure and reliable multimedia communications between diverse devices across diverse networks.
- the IMS (114) incorporates session initiation protocol (SIP) for session control signaling.
- the IMS (114) may perform various operations such as registration of UE (104), session establishment, session management, and session termination.
- the control layer (also called an IMS core) is primarily responsible for handling (routing) SIP traffic as a signaling mechanism of choice for public communications network infrastructures.
- the P-CSCF (110) is a critical node within the IMS network architecture, serving as the initial contact point for the UE in the session initiation process.
- the P-CSCF (110) primarily functions as a proxy that routes SIP messages between the UE and other network elements.
- the P-CSCF (110) performs various responsibilities, including handling incoming and outgoing SIP requests, managing session establishment, and providing initial filtering and routing of requests to ensure they reach the appropriate network elements. Additionally, the P-CSCF (110) enforces policies related to session control, authentication, and security by applying relevant rules and procedures before forwarding requests to the next node in the network.
- the P-CSCF (110) functions as a proxy server for the user equipment. All SIP signaling traffic to and from the user equipment go through the P-CSCF (110). The P-CSCF (110) validates and then forwards requests from the user equipment and then processes and forwards the responses to the user equipment.
- the I-CSCF (120) operates as an intermediary node in the IMS network, playing a pivotal role in determining the appropriate S-CSCF (130) for the given session request.
- the I-CSCF (120) interrogates its internal databases and queries other network components to identify the correct S-CSCF (130) that should handle the request.
- the I-CSCF (120) is responsible for routing requests to the correct S-CSCF (130), facilitating load balancing and ensuring optimal distribution of session handling duties across the network.
- the I-CSCF (120) also handles user location and registration information, contributing to efficient session management and network resource utilization.
- the I-CSCF (120) obtains the address of the S-CSCF (130) from the HSS (140) during a registration request and provides it to the P-CSCF (110) for subsequent multimedia requests.
- the S-CSCF (130) is a central component in the IMS network responsible for managing the overall session control and application services for users.
- the S-CSCF (130) performs critical functions, including the authentication and authorization of incoming SIP requests, session establishment, modification, and termination.
- the S-CSCF (130) is configured to conduct registration and session control for the registered users.
- the S-CSCF (130) functions as a registrar and enables the network location information of the UE (104) to be available at the HSS (140).
- the S-CSCF (130) may originate and terminate a session on behalf of a requesting endpoint.
- the S-CSCF (130) maintains a user session state and handles service-specific logic, such as applying user profiles, enforcing service policies, and interacting with other network elements to provide advanced multimedia services.
- the S-CSCF (130) ensures that session control operations are executed according to the user's subscription and network policies, thus playing a vital role in maintaining the integrity and quality of communication services within the IMS network.
- the HSS (140) is a database within the IMS, serving as the central repository for subscriber-related information and network user profiles.
- the HSS (140) stores and manages critical data, including user authentication credentials, subscription details, service profiles, and user preferences.
- the HSS (140) facilitates authentication and authorization processes by providing the necessary subscriber data to various network elements such as the S-CSCF (130).
- the HSS (140) is responsible for ensuring that user requests are processed in accordance with their subscription entitlements and network policies, thus maintaining the integrity and security of the network services.
- the AS (150) is configured to handle authentication requests, verify the legitimacy of user credentials, and ensure that only authorized users gain access to network services.
- the AS (150) interacts with the HSS (140) to retrieve and validate authentication information, such as passwords or cryptographic keys, as part of the authentication process.
- the Authentication Server (150) employs various algorithms and protocols to securely verify user identity, protect against unauthorized access, and support secure communication within the network.
- the AS (150) is configured to verify the identity of users and ensure that the users are authorized to access the network services.
- the AS (150) may be responsible for handling authentication requests, validating credentials, and supporting secure access to IMS services.
- the UE (104) may initiate and receive multimedia sessions.
- the UE (104) may send Session Initiation Protocol (SIP) signaling messages, which are used to set up and control multimedia sessions, to the P-CSCF (110).
- the I-CSCF (120) selects the appropriate S-CSCF (130) for the incoming session of the UE (104).
- the S-CSCF (130) executes the role of session control, user profile handling, authentication/authorization, service invocation, session routing, and IMS registration.
- the S-CSCF (130) also facilitates interworking between the IMS network and other networks, allowing seamless communication between IMS users and users on non-IMS networks.
- the HSS (140) may include a database (not shown in FIG. 1B).
- the database may include subscriber-related information like user profiles, authentication data, and service-related information.
- the AS (150) hosts specific applications and services like value-added services, such as voicemail, multimedia messaging, and presence services. These services interact with the core IMS components to provide additional features to the UE (104). Although a single UE (104), P-CSCF (110), I-CSCF (120), S-CSCF (130), HSS (140) and AS (150) are shown in FIG. 1B, it is understood that more than one of the aforesaid entities may be deployed in the expanding IMS network.
- the session initiation process in the IMS network involves several steps to establish a session (such as a voice or video call), listed as:
- the user initiates a communication session using a multimedia application. For instance, a user might place a voice call or start a video chat.
- the application sends a SIP INVITE message to the network. This message is directed to the S-CSCF, which is configured for routing the request.
- the S-CSCF based on the user's profile information stored in the HSS, determines the appropriate AS and/or other network entities to handle the session setup.
- the AS verifies the user's credentials and permissions through the HSS to ensure they are authorized to initiate the session. This step involves checking user profiles, subscription details, and possibly applying policy rules.
- the Application Server processes the session request and may interact with the user or perform additional operations.
- the S-CSCF and AS negotiate the session parameters, including media types, codecs, and other session attributes.
- the S-CSCF sends an OK response to the originating user’s application, indicating that the session can be established.
- This response includes session details, such as media capabilities and network addresses.
- FIG. 2 illustrates exemplary system architecture (200) for authenticating the UE in the IMS network, in accordance with an embodiment of the present disclosure.
- the system (108) may include a receiving unit (202), a memory (204), a plurality of interface(s) (206), a processing unit (208) and a database (216).
- the system (108) may be embedded with the S-CSCF (130).
- the S-CSCF (130) may include the receiving unit (202), the memory (204), the plurality of interface(s) (206) and the processing unit (208).
- the at least one request may include a service discovery request used to identify available services within the IMS framework.
- the UE (104) sends the at least one registration request to a base station in the IMS network (106).
- the base station may transmit the at least one registration request to the receiving unit (202) (network element) (S-CSCF (130)).
- the registration request may be performed using a Session Initiation Protocol (SIP) REGISTER message/SIP request.
- the SIP request may be a specific type of message used within IP-based communication systems.
- the SIP is a protocol widely employed for establishing, modifying, and terminating multimedia sessions, including voice and video calls over the Internet.
- the at least one registration request may include one or more headers.
- the one or more headers include, but are not limited to, a Request URI (Uniform Resource Identifier) header, a “From” header, a “To” header, a “Call-ID” header, a “CSeq” header, a “Via” header, a “Max-Forwards” header, and an “authorization” header.
- the “To” header may comprise an address of record whose registration is to be created, queried, or modified.
- the “To” header may be represented as “To: display name”.
- the display name may represent the username.
- the user may use the SIP REGISTER message to register the UE (104) with the IMS network (106).
- the UE registration may inform the network (106) about the current location of the user (102) and IMS available services.
- the processing unit (208) may be implemented as a combination of hardware and programming (for example, programmable instructions) to implement one or more functionalities of the processing unit (208).
- programming for the processing unit (208) may be processor-executable instructions stored on a non-transitory machine-readable storage medium, and the hardware for the processing unit (208) may comprise a processing resource (for example, one or more processors) to execute such instructions.
- the machine-readable storage medium may store instructions that, when executed by the processing resource, implement the processing unit (208).
- the system may comprise the machine-readable storage medium storing the instructions and the processing resource to execute the instructions, or the machine-readable storage medium may be separate but accessible to the system and the processing resource.
- the processing unit (208) may be implemented by electronic circuitry.
- the processing unit (208) may include one or more engines/components selected from any of a determining module (210), a selection module (212) and a communication module (214).
- the determining module (210) may receive the at least one registration request from the receiving unit (202).
- the determining module (210) may be configured to determine whether the at least one received registration request includes an authentication identifier in the authorization header.
- the authentication header is a structured parameter used in SIP to indicate that authentication is required.
- the authorization header may use at least one authorization algorithm to authenticate requests and responses.
- the authentication header in SIP specifies the credentials required for authentication and indicates the authentication algorithm that should be used.
- the authentication identifier may be an authentication algorithm.
- the authentication algorithm may be an authentication and key agreement (AKA) algorithm.
- the at least one registration request is the REGISTER request.
- the S-CSCF checks for the presence of an authorization header in the REGISTER request and, if the authorization header is present, the S-CSCF checks further for the presence of an "integrity-protected" flag within the authorization header.
- the "integrity-protected" flag may represent the authentication algorithm.
- upon receipt of the REGISTER request with the "integrity-protected" header field parameter in the Authorization header field set to "tls-pending" (Transport Layer Security pending), "tls-yes", "ip-assoc-pending", or "ip-assoc-yes", the S-CSCF shall identify the user by the public user identity as received in the “To” header field and the private user identity as received in the Authorization header field of the REGISTER request, and if the maximum number of simultaneous registration flows allowed for the related public user identity for the used UE (i.e. linked to the same private user identity and instance ID) is reached, then the S-CSCF shall reject the REGISTER by generating a 403 (Forbidden) response. If not, the S-CSCF shall continue with the rest of the procedures related to the registration of the UE with the network.
- the authorization algorithm may be employed to secure credentials without sending passwords in plaintext.
- the authorization algorithm may include a Message Digest-5 (MD5) algorithm, Secure Hash Algorithm-256 (SHA-256) algorithm, SHA-1, Hash-based Message Authentication Code (HMAC), Rivest Shamir Adleman (RSA) algorithm.
- the authorization algorithm is used to enhance security by including a session-specific data.
- the authentication header may include, among other data, an authentication string field, called "nonce".
- the nonce may be a fully free random string that, together with a secret provided by the user (e.g., a combination of user-name and password), will be used by the terminal to authenticate the user.
- the nonce is a one-time use token used for preventing replay attacks.
- the client nonce may be a random value generated to add uniqueness.
- the authentication header may include a nonce, a nonce count. The nonce count is a counter to keep track of the number of requests with the same nonce.
- when the UE (104) initiates the registration request (REGISTER request) to the IMS network (106), the registration request includes the authentication header having the authorization algorithm.
- the authorization algorithm may be the SHA-1 algorithm.
- the SHA-1 algorithm may be used to ensure the authenticity of messages and to verify the identity of users within the IMS network (106).
- the IMS network (106) may generate a random challenge (the nonce) and send it to the UE (104).
- the nonce may be a unique number that can be used only once in the UE (104) registration process. The nonce is used during the authentication process to ensure that each authentication request is unique and fresh.
- the UE (104) may hash the challenge (nonce) and send the hashed response back to the IMS network (106).
- the IMS network (106) may verify that the received response matches the value it expects for the generated challenge.
- the determining module (210) may be configured to determine the presence of the authentication algorithm (authentication identifier) in the authorization header by parsing the registration request to identify and extract the authentication algorithm, if present. If the authentication algorithm is found, the determining module (210) may extract the authentication algorithm. For example, the determining module (210) may parse the registration request by fetching one or more headers, such as the CSeq, Via, Max-Forwards, and authorization headers. Each header fetched from the registration request may be stored in the memory. The registration request is sent to the HSS (140) via the communication module for UE (104) registration. Conversely, if the authentication algorithm is absent, the system (108) may be configured to initiate the selection module (212) as an alternative configuration.
- the system (108) may be configured to initiate the selection module (212) as an alternative configuration.
- the authorization header enables the UE (104) to confirm its identity with the HSS (140).
- the authorization header may ensure secure communication and access control in the IMS network.
- the authorization header may comprise a scheme.
- the scheme may specify an authentication scheme such as a Digest, a Bearer, etc.
- the digest may include a username, a realm, the nonce, a URI, a response and the authentication algorithm.
- the realm may be a specific protected area or domain.
- the realm may be represented as “example.com”.
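The nonce challenge, hashed response, nonce count and Digest parameters (username, realm, nonce, uri, response, algorithm) described in the bullets above, worked through as SIP Digest per RFC 3261/7616, with the verifier refusing a replayed nonce count. This is an added example, not code from the patent; the realm, user name and password are constructed.

```python
"""SIP Digest challenge/response for an IMS REGISTER, with the nonce and
nonce-count (nc) checks that stop a captured response from being replayed.
Added example, not the patent's code; realm, user and password are constructed."""
import hashlib
import re
import secrets

# Hash selected by the Digest "algorithm" parameter (RFC 7616 names).
ALGORITHMS = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}


def _h(algorithm, data):
    return ALGORITHMS[algorithm](data.encode()).hexdigest()


def parse_digest_params(header):
    """Turn 'Digest k="v", k2=v2' into a dict; values may be quoted or bare."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    return {k: v.strip('"') for k, v in re.findall(r'([\w-]+)=("[^"]*"|[^,]+)', params)}


def digest_response(algorithm, username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 7616 response with qop=auth: H(H(A1):nonce:nc:cnonce:qop:H(A2))."""
    ha1 = _h(algorithm, f"{username}:{realm}:{password}")
    ha2 = _h(algorithm, f"{method}:{uri}")
    return _h(algorithm, f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def ue_authorize(challenge, username, password, method, uri, nc, cnonce):
    """UE side: answer a WWW-Authenticate challenge with an Authorization header."""
    c = parse_digest_params(challenge)
    alg = c.get("algorithm", "MD5")
    resp = digest_response(alg, username, c["realm"], password, method, uri, c["nonce"], nc, cnonce)
    return (f'Digest username="{username}", realm="{c["realm"]}", nonce="{c["nonce"]}", '
            f'uri="{uri}", algorithm={alg}, qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


class DigestVerifier:
    """Network side: issues nonces and verifies responses. Each nonce remembers the
    highest nc accepted, so a replayed Authorization header is refused."""

    def __init__(self, realm, algorithm="SHA-256"):
        self.realm = realm
        self.algorithm = algorithm
        self.issued = {}      # nonce -> highest nc accepted
        self.passwords = {}   # constructed credential store (a real HSS holds H(A1))

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.issued[nonce] = 0
        return f'Digest realm="{self.realm}", nonce="{nonce}", algorithm={self.algorithm}, qop="auth"'

    def verify(self, method, authorization):
        """Return (ok, reason). Order: nonce freshness, nc monotonic, then the hash."""
        p = parse_digest_params(authorization)
        nonce = p.get("nonce")
        if nonce not in self.issued:
            return False, "unknown or stale nonce"
        nc = int(p.get("nc", "0"), 16)
        if nc <= self.issued[nonce]:
            return False, "replayed nonce-count"
        if p.get("realm") != self.realm or p.get("algorithm", "MD5") != self.algorithm:
            return False, "realm or algorithm mismatch"
        password = self.passwords.get(p.get("username"))
        if password is None:
            return False, "unknown user"
        expected = digest_response(self.algorithm, p["username"], self.realm, password, method,
                                   p["uri"], nonce, p["nc"], p["cnonce"], p.get("qop", "auth"))
        if not secrets.compare_digest(expected, p.get("response", "")):
            return False, "response does not match"
        self.issued[nonce] = nc
        return True, "ok"


def run_registration(password_on_ue="s3cret"):
    """Drive one REGISTER exchange, then a replay of it and a wrong-password attempt."""
    net = DigestVerifier("example.com")
    net.passwords["alice@example.com"] = "s3cret"   # constructed subscriber
    chal = net.challenge()
    uri = "sip:example.com"
    auth = ue_authorize(chal, "alice@example.com", password_on_ue, "REGISTER", uri, "00000001", "0a1b2c")
    first = net.verify("REGISTER", auth)
    replay = net.verify("REGISTER", auth)           # same nonce and nc again
    wrong = ue_authorize(chal, "alice@example.com", "guess", "REGISTER", uri, "00000002", "0a1b2c")
    return first, replay, net.verify("REGISTER", wrong)
```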
- the selection module (212) may be configured to make decisions about the supported authentication algorithm based on the user preferences.
- the user preferences may include a media type, an encoding technique, a language, a transport mechanism, and a specific session feature.
- the supported authentication algorithm may include the MD5 algorithm, Extensible Authentication Protocol - Authentication and Key Agreement (EAP-AKA), Extensible Authentication Protocol - Pre-Shared Key (EAP-PSK), and Open Authorization (OAuth).
- the communication module (214) may be configured to send an authentication request and the selected authentication algorithm to the HSS (140).
- the authentication request may be a multimedia-auth-request (MAR) command.
- the MAR command may be used to request authentication specifically for multimedia services.
- the MAR command may include a session ID, a user identity, a multimedia session detail, and authentication details.
- the multimedia-session details may include details such as a media type and a coder-decoder (codec).
- the multimedia-session detail may be represented as Multimedia-Session-Details: { Media-type: "Audio", Codec: "G.114" }.
- the authentication details may include a requested access level and a requested resource. For example, the type of access requested may be full, partial, or limited.
- the authentication details may be represented as Requested-Access-Level: "Full"; Requested-Resources: { Resource-Type: "video-
- the multimedia-auth-request (MAR) command may be indicated by the Command-Code field set to 303 and the ‘R’ bit set in the Command Flags field.
- a Diameter Multimedia client sends the MAR command to a Diameter Multimedia server to request security information.
- message format of the MAR command may be:
- the HSS (140) may be configured to authenticate the UE based on the received authentication algorithm.
- the HSS (140) may be configured to authenticate and authorize the users requesting to connect with the IMS network.
- the authentication and authorization process involves analyzing the received request, which includes the authentication algorithm.
- the HSS (140) may be configured to verify the user credentials by applying the authentication algorithm and enabling IMS network services for the requested UE (104).
- the IMS network (106) may send a message to the UE (104) with a secret key during the registration process.
- the UE (104) may perform hashing using the authorization algorithm.
- the UE (104) may send the hashed response to the HSS (140).
- the hashed response may comprise the generated random number.
- the HSS (140) may have stored the generated random number in the memory.
- the HSS (140) may compare the hashed response with the generated random number; if both match, the UE (104) registration is successful. Otherwise, the HSS (140) may deny the IMS network access to the UE (104).
- the HSS (140) may send a multimedia-authentication answer (MAA) to the system (108) in response to the request received from UE (104).
- the MAA may include a session ID, a result code, an origin-host, an origin-realm, and a multimedia-Auth-status.
- the MAA is used as a response to MAR command.
- the MAA provides necessary authorization information that indicates the outcome of the request.
- the MAA response is essential for managing and securing multimedia services in the IMS network.
- the multimedia-authentication answer (MAA) command is sent by a server in response to the Multimedia-Auth-Request command.
- the MAA may include an Experimental-Result attribute-value pair (AVP).
- the system (108) may send an acknowledgement message to the UE in response to the MAA.
- the system (108) may be the S-CSCF (130).
- the MAA may be sent to the S-CSCF (130) in response to the MAR command.
- the system (108) may send the acknowledgement message to the UE (104).
- the acknowledgement message may include a result code such as a 403 error, a 200 OK, 407, etc.
- the “403 error” may indicate a forbidden request.
- the “200 OK” code indicates that the request has been successfully processed. For instance, after sending an INVITE to start a session, receiving a 200 OK response means the session setup has been approved, and the session can proceed.
- the “403 Forbidden” code signifies that the request was understood by the server but is being refused due to authorization issues. For example, this might occur if the user does not have the necessary permissions, or the requested action violates the server's policies.
- the “407 code” indicates that the proxy server requires authentication before it can process the request. The client needs to provide valid credentials to proceed.
- the “404 Not Found” code means that the requested resource or user could not be found. For example, if a SIP INVITE is sent to a user who does not exist, a 404 Not Found response would be returned.
- the memory (112) may be configured to store one or more computer-readable instructions or routines in a non-transitory computer readable storage medium, which may be fetched and executed to create or share data packets over a network service.
- the memory (112) may include any non-transitory storage device including, for example, volatile memory such as random-access memory (RAM), or non-volatile memory such as erasable programmable read only memory (EPROM), flash memory, and the like.
- the interface(s) (114) may include a variety of interfaces, for example, interfaces for data input and output devices (I/O), storage devices, and the like.
- the interface(s) (114) may facilitate communication through the system (108).
- the interface(s) (114) may also provide a communication pathway for one or more components of the system (108). Examples of such components include, but are not limited to, the processing unit (208) and a database (216).
- the database (216) comprises data that may be either stored or generated as a result of functionalities implemented by any of the components of the system (108).
- FIG. 3 illustrates a flow diagram of a method (300) of registering the UE, in accordance with the prior art.
- the entities that carry out the flow diagram (300) include the UE (104), the P-CSCF (110), the I-CSCF (120), the S-CSCF (130), and the HSS (140).
- the UE (104) initiates the process by sending a register request to the P-CSCF (110). This step marks the beginning of the registration procedure, where the UE seeks to establish its presence in the IMS network.
- the P-CSCF (110) forwards this request to the I-CSCF (120).
- the P-CSCF acts as an intermediary, ensuring the request is passed to the next node for further processing.
- the I-CSCF (120) processes the register request and subsequently forwards it to the S-CSCF (130).
- the S-CSCF (130) examines the register request and determines that the UE (104) has not included the required authorization algorithm in the authorization header.
- the S-CSCF (130) sends the Multimedia-Auth-Request (MAR) command to the HSS (140).
- the S-CSCF (130) may send the Multimedia-Auth-Request command without specifying the authorization algorithm.
- the HSS (140) processes the MAR command and generates a response.
- the generated response may be the Multimedia-Authentication Answer (MAA).
- the HSS (140) may transmit the MAA response to the S-CSCF (130).
- the MAA indicates that the authentication request failed due to the absence of the supported algorithm in the UE’s request.
- the I-CSCF (120) may forward the Error 403 message to the P-CSCF (110). This action continues the process of conveying the error through the network hierarchy.
- the P-CSCF (110) delivers the Error 403 message to the UE (104). The error message is intended to inform the UE that the registration request was denied.
- the REGISTER request may comprise one or more headers, such as an authentication header field.
- upon receipt of the REGISTER request, the S-CSCF shall determine which authentication mechanism applies based on the contents of the REGISTER request and the authentication mechanism assigned in the HSS. If the UE is considered authenticated, and if the "integrity-protected" header field parameter in the Authorization header field is set to the value "tls-pending" or "tls-yes", then the S-CSCF shall associate the registration with the local state of "tls-protected".
- the header field parameters may include a "username" header field parameter, a "realm" header field parameter, a "uri" header field parameter, a "nonce" header field parameter, and a "response" header field parameter.
- the "username" header field parameter may be set to the value of the private user identity.
- the "realm" header field parameter may be set to the domain name of the home network.
- the "uri" header field parameter may be set to the SIP URI of the domain name of the home network.
- the "nonce" header field parameter may be set to an empty value.
- the "response" header field parameter may be set to an empty value.
- when performing SIP digest, if the S-CSCF receives a REGISTER request with a non-empty response parameter in the Authorization header, the S-CSCF shall follow the protected REGISTER procedures. If the user needs to be reauthenticated and the REGISTER includes the Authorization header with a digest response, the S-CSCF shall proceed with the authentication procedures as described for the initial REGISTER and include the stale field with a value TRUE in the WWW-Authenticate header.
- the S-CSCF shall send an authentication request for the user to the HSS indicating that the authentication scheme is unknown. Further, the S-CSCF creates and sends the 200 (OK) response for the REGISTER request.
- the P-CSCF (110) receives the registration request from the UE (104). Subsequently, the P-CSCF (110) performs the action of forwarding the received registration request to the I-CSCF (120). This forwarding step serves as a relay function, ensuring that the registration request continues to the next processing node in the IMS network hierarchy.
- Step (406) includes forwarding, by the I-CSCF (120), the registration request to the S-CSCF (130).
- the S-CSCF (130) may determine that the UE (104) has not sent the supported algorithm in an authorization header.
- the S-CSCF (130) selects an authentication algorithm based on an operator policy on behalf of the UE (104).
- Step (408) includes sending, by the S-CSCF (130), the MAR command to the HSS (140).
- the S-CSCF (130) sends the MAR command along with the authentication algorithm selected based on the operator policy.
- at step (410), in response to receiving the MAR command, the HSS (140) processes the request and generates the MAA.
- the MAA is then sent back to the S-CSCF (130), indicating that the authentication request has been successfully processed.
- the MAA confirms that the MAR command was successful, thereby allowing the registration process to proceed.
- the S-CSCF (130) sends a Message 200 OK to the I-CSCF (120).
- the Message 200 OK may be a successful message.
- the HSS (140) sends a 200 OK message to the UE (104) via the S-CSCF (130).
- the 200 OK message indicates the request is processed, and UE (104) is successfully registered in the IMS network.
- the message 200 OK indicates that the registration request has been successfully processed and authenticated, and the registration process can move forward.
- the I-CSCF (120) receives the Message 200 OK from the S-CSCF (130) and forwards this message to the P-CSCF (110). This forwarding step continues the process of communicating the successful registration status through the IMS network.
- the P-CSCF (110) receives the Message 200 OK from the I-CSCF (120) and subsequently delivers this message to the UE (104). This final step completes the registration process by informing the UE that its registration request has been successfully processed and approved.
- the method (500) includes receiving the at least one request from the UE by the network function.
- the network function is the S-CSCF (130).
- the at least one request may include a registration request which allows the UE to connect to the network.
- the at least one request may include a session establishment request used to initiate multimedia sessions such as voice or video calls.
- the at least one request may include a service subscription request for accessing specific services such as messaging or presence information.
- the at least one request may include a session modification request to adjust ongoing sessions.
- the at least one request may include a termination request to end a session.
- the at least one request may include a deregistration request when the UE no longer needs access to the network.
- the at least one request may include a service discovery request used to identify available services within the IMS framework.
- the received registration request may be a SIP request.
- the at least one registration request (REGISTER request) comprises one or more headers.
- the one or more headers may include a Request URI, a From, a To, a Call-ID, a CSeq, a Via, a Max-Forwards and an authorization header.
- the request URI indicates a destination domain of the REGISTER request.
- the method (500) includes determining, by the S-CSCF (130), whether the at least one received registration request includes an authentication identifier in the authorization header.
- the authentication identifier may include the authentication algorithm.
- the authentication identifier may incorporate details about the authentication algorithm used, providing a clear reference for validating user credentials.
- the S-CSCF (130) may determine which authentication algorithm to apply based on the received registration request.
- the S-CSCF (130) may analyze the received registration request to identify and extract the authentication header.
- the authentication header may include the authentication algorithm, such as the MD5 algorithm, SHA-1, HMAC, and RSA.
- the MD5 algorithm is used for authenticating messages and digital signatures.
- the MD5 algorithm based on a hash function verifies that a file sent matches with the file received.
- the MD5 algorithm converts data into a string of 32 characters. For example, “lion” may be converted to a string as 904c2dc0dcf05f2b69c4287040cfcf41 using the hash function.
- the method (500) includes upon determining the absence of the authentication algorithm in the authorization header, a supported authentication algorithm based on an operator policy may be selected by the S-CSCF (130).
- the operator policy may include policies for verifying user identities and authorizing access to multimedia services.
- the operator policy may be established by the network operator or a network administrator to manage and control various aspects of multimedia services, such as user access, service delivery, quality of service and resource management.
- the operator policy in the IMS network may include a service access and provisioning policy, a quality of service (QoS) policy, a resource management policy, and a security policy. For example, an operator may set the policy based on the configuration of the UE (104) and the user preferences.
- the configuration of the UE (104) may include a device OS, a device ID, a SIP setting, and an authentication setting.
- the SIP settings may include a SIP port, a SIP URI, a SIP server address, and an outbound proxy.
- the user preferences may include a service preference, a notification preference, and a privacy and security preference.
- the method (500) includes sending an authentication request along with the selected authentication algorithm to the HSS (140) by the S-CSCF (130).
- the authentication request may be the MAR command.
- the MAR command may include an authentication token, a user credential, a session ID, a timestamp, and an authentication algorithm.
- the HSS (140) may authenticate the UE (104).
- the HSS (140) may send the MAA response to the S-CSCF (130). Further, the HSS (140) may send the acknowledgement message to the UE (104) in response to the MAA.
- the MAA response sent to the S-CSCF may include a session ID, a result code, an origin-host, an origin-realm, and a username.
- the HSS (140) may send the acknowledgement message to the UE with a result code such as 403, 401, 407, 200, etc.
- the result code 200 indicates that the request is successfully processed, and the UE (104) is registered in the IMS network.
- UE (104) may be communicatively coupled with a network.
- the coupling includes steps of receiving a connection request, sending an acknowledgment of connection request to the network and transmitting a plurality of signals in response to the connection request.
- the UE is connected to a system configured to authenticate the UE in the IMS network.
- the system includes a network function (serving-call session control function (S-CSCF)).
- the S-CSCF includes a receiving unit, a memory and a processing unit.
- the receiving unit is configured to receive at least one request from the UE.
- the memory is configured to store the at least one received registration request.
- the processing unit is configured to execute instructions stored in the memory.
- the system includes a determining module configured to determine whether the at least one received request includes an authentication identifier.
- the system further includes a selection module configured to select a supported authentication identifier based on an operator policy upon determining an absence of the authentication algorithm in the received request.
- the system further includes a communication module configured to send an authentication request along with the selected authentication identifier to a server.
- the existing systems specify handling for the auth-param attribute only.
- the present disclosure supports authentication when the algorithm is not received in the Authorization header.
- when the S-CSCF receives the register request, with or without the “integrity-protected” parameter, but no algorithm is received in the authorization header, the S-CSCF may select an authentication algorithm such as MD5/AKA for performing authentication on the basis of operator policy.
- the exact header value received in the register request may be represented as:
- FIG. 6 illustrates an example computer system in which or with which the embodiments of the present disclosure may be implemented.
- the computer system (600) may include an external storage device (610), a bus (620), a main memory (630), a read-only memory (640), a mass storage device (650), a communication port(s) (660), and a processor (670).
- the processor (670) may include various modules associated with embodiments of the present disclosure.
- the communication port(s) (660) may be any of an RS-232 port for use with a modem-based dialup connection, a 10/100 Ethernet port, a Gigabit or 10 Gigabit port using copper or fiber, a serial port, a parallel port, or other existing or future ports.
- the communication port(s) (660) may be chosen depending on a network, such as a Local Area Network (LAN), Wide Area Network (WAN), or any network to which the computer system (600) connects.
- the main memory (630) may be Random Access Memory (RAM), or any other dynamic storage device commonly known in the art.
- the read-only memory (640) may be any static storage device(s) e.g., but not limited to, a Programmable Read Only Memory (PROM) chip for storing static information e.g., start-up or basic input/output system (BIOS) instructions for the processor (670).
- the mass storage device (650) may be any current or future mass storage solution, which can be used to store information and/or instructions.
- Exemplary mass storage solutions include, but are not limited to, Parallel Advanced Technology Attachment (PATA) or Serial Advanced Technology Attachment (SATA) hard disk drives or solid-state drives (internal or external, e.g., having Universal Serial Bus (USB) and/or Firewire interfaces).
- the bus (620) may communicatively couple the processor(s) (670) with the other memory, storage, and communication blocks.
- the bus (620) may be, e.g., a Peripheral Component Interconnect (PCI) / PCI Extended (PCI-X) bus, Small Computer System Interface (SCSI), Universal Serial Bus (USB), or the like, for connecting expansion cards, drives, and other subsystems, as well as other buses, such as a front side bus (FSB), which connects the processor (670) to the computer system (600).
- operator and administrative interfaces e.g., a display, keyboard, and cursor control device, may also be coupled to the bus (620) to support direct operator interaction with the computer system (600).
- Other operator and administrative interfaces can be provided through network connections connected through the communication port(s) (660).
- the components described above are meant only to exemplify various possibilities. In no way should the aforementioned exemplary computer system (600) limit the scope of the present disclosure.
- the present disclosure discloses a computer program product comprising a non-transitory computer-readable medium comprising instructions that, when executed by one or more processors, cause the one or more processors to execute a method for authenticating a user equipment (UE) in a network.
- the method includes receiving at least one request from the UE by a network function.
- the method includes determining, by the network function, whether the at least one received request includes an authentication identifier.
- the method includes, upon determining an absence of the authentication identifier in the at least one received request, selecting a supported authentication identifier based on an operator policy.
- the method includes sending an authentication request along with the selected authentication identifier to a server by the network function.
- the present disclosure provides a system and a method for authenticating a user equipment (UE) in an Internet Protocol (IP) Multimedia Subsystem (IMS) network.
- the present disclosure provides a system and a method for selecting an authentication algorithm based on operator policy.
- the present disclosure provides a system and a method that facilitates the S-CSCF to select an authentication algorithm for the UE to enhance and improve the IMS network performance.
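The S-CSCF-side decision described in the items above, as an added worked example that is not code from the patent or from the applicant: parse the Authorization header of a SIP REGISTER, fall back to an operator policy when the `algorithm` auth-param is absent, and compose the MAR handed to the HSS. The `OperatorPolicy` fields, the function names, the sample headers, the rendering of the MAR as a dict of Cx AVP names, and the 403 used for an explicitly unsupported algorithm are all assumptions of this example.

```python
import re
from dataclasses import dataclass

# One auth-param: a name, '=', then either a quoted-string or a bare token.
_AUTH_PARAM = re.compile(r'([A-Za-z0-9_.-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^,\s]+)')

# Constructed sample Authorization headers from SIP REGISTER requests (not from
# the patent); only the first and last ones carry an 'algorithm' auth-param.
SAMPLE_HEADERS = {
    "with_algorithm": ('Digest username="user1@ims.example.net", realm="ims.example.net", '
                       'nonce="", uri="sip:ims.example.net", response="", algorithm=AKAv1-MD5'),
    "no_algorithm": ('Digest username="user2@ims.example.net", realm="ims.example.net", '
                     'nonce="", uri="sip:ims.example.net", response=""'),
    "no_algorithm_protected": ('Digest username="user3@ims.example.net", realm="ims.example.net", '
                               'nonce="", uri="sip:ims.example.net", response="", '
                               'integrity-protected="yes"'),
    "unsupported_algorithm": ('Digest username="user4@ims.example.net", realm="ims.example.net", '
                              'nonce="", uri="sip:ims.example.net", response="", algorithm=SHA-256'),
}


def parse_authorization(header):
    """Split a SIP Digest Authorization header into its auth-params.

    Names are case-insensitive in SIP and are lower-cased; quoted-string
    values have their surrounding quotes and escaped quotes removed."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError(f"unsupported credentials scheme: {scheme!r}")
    params = {}
    for name, value in _AUTH_PARAM.findall(rest):
        if value.startswith('"'):
            value = value[1:-1].replace('\\"', '"')
        params[name.lower()] = value
    return params


@dataclass(frozen=True)
class OperatorPolicy:
    """Constructed operator-policy shape (assumption; the patent only names MD5/AKA)."""
    supported: tuple       # algorithms the S-CSCF/HSS can run
    default: str           # used when the UE sends no 'algorithm'
    protected_default: str # used when integrity-protected="yes" and no 'algorithm'


POLICY = OperatorPolicy(supported=("AKAv1-MD5", "MD5"),
                        default="MD5", protected_default="AKAv1-MD5")


def select_algorithm(params, policy):
    """Return (algorithm, reason); algorithm is None when the request is rejected.

    Uses the 'algorithm' auth-param when present, else the operator policy, as in
    the patent. Refusing a named-but-unsupported algorithm rather than silently
    substituting another one is this example's own caveat, not a patent step."""
    requested = params.get("algorithm")
    if requested is not None:
        for algo in policy.supported:
            if algo.lower() == requested.lower():
                return algo, "algorithm taken from Authorization header"
        return None, f"algorithm {requested!r} not in operator policy"
    if params.get("integrity-protected", "").lower() == "yes":
        return policy.protected_default, "no algorithm; policy default for integrity-protected=yes"
    return policy.default, "no algorithm; policy default"


def build_mar(params, algorithm, public_identity, session_id, origin_host):
    """Compose the Cx Multimedia-Auth-Request as a dict keyed by AVP name.

    A readable rendering, not a wire-encoded Diameter message; the selected
    algorithm rides in SIP-Authentication-Scheme (passing the SIP token through
    unchanged is an assumption; real Cx dictionaries define their own strings)."""
    return {
        "Session-Id": session_id,
        "Origin-Host": origin_host,
        "Origin-Realm": origin_host.split(".", 1)[1],
        "Destination-Realm": params["realm"],
        "User-Name": params["username"],        # IMS private identity
        "Public-Identity": public_identity,     # IMPU taken from the To header
        "Server-Name": f"sip:{origin_host}",
        "SIP-Number-Auth-Items": 1,
        "SIP-Auth-Data-Item": {"SIP-Authentication-Scheme": algorithm},
    }


def process_register(header, public_identity, policy=POLICY,
                     session_id="scscf1.ims.example.net;1;1",
                     origin_host="scscf1.ims.example.net"):
    """S-CSCF side of the flow: parse the header, decide, then build the MAR or reject."""
    params = parse_authorization(header)
    algorithm, reason = select_algorithm(params, policy)
    if algorithm is None:
        # 403 is among the result codes the patent lists; using it here is an assumption.
        return {"status": "reject", "code": 403, "reason": reason}
    mar = build_mar(params, algorithm, public_identity, session_id, origin_host)
    return {"status": "mar", "reason": reason, "mar": mar}
```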
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
The present disclosure discloses a system (108) and a method (500) for authenticating a user equipment (UE) (104) in a network (106). The method (500) includes receiving at least one registration request from the UE (104) by a network function (serving-call session control function (S-CSCF)). The method (500) includes determining whether the at least one received registration request includes an authentication identifier in an authorization header by the S-CSCF. The method (500) includes, upon determining an absence of the authentication identifier in the authorization header, selecting a supported authentication identifier based on an operator policy by the S-CSCF. The method (500) includes sending an authentication request along with the selected authentication identifier to a server by the S-CSCF.
Description
SYSTEM AND METHOD FOR AUTHENTICATING A USER EQUIPMENT
RESERVATION OF RIGHTS
[0001] A portion of the disclosure of this patent document contains material which is subject to intellectual property rights such as, but not limited to, copyright, design, trademark, Integrated Circuit (IC) layout design, and/or trade dress protection, belonging to Jio Platforms Limited (JPL) or its affiliates (hereinafter referred to as the owner). The owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the Patent and Trademark Office patent files or records, but otherwise reserves all rights whatsoever. All rights to such intellectual property are fully reserved by the owner.
TECHNICAL FIELD
[0002] The present disclosure relates generally to the field of wireless communication systems. More particularly, the present disclosure relates to a system and a method for authenticating a user equipment (UE) in a network.
DEFINITION
[0003] As used in the present disclosure, the following terms are generally intended to have the meanings set forth below, except to the extent that the context in which they are used indicates otherwise.
[0004] The expression “Internet Protocol (IP) Multimedia Subsystem (IMS) network” as used hereinafter in the specification refers to a framework used for delivering multimedia services over an IP network. The IMS network provides a standardized way to deliver voice, video, and other multimedia services by integrating various types of communication and application services into a unified system. Further, the IMS network allows new person-to-person (client-to-client) as well as person-to-content (client-to-server) communications over an IP-based network.
[0005] The expression “Serving Call session control function (S-CSCF)” as used hereinafter in the specification refers to a network component that is configured for managing sessions in an IMS network. The S-CSCF manages and controls the signaling and session control processes for voice and multimedia sessions. The S-CSCF handles tasks such as routing Session Initiation Protocol (SIP) messages, managing user sessions, enforcing service policies, and interacting with other IMS network elements to establish, modify, and terminate multimedia sessions.
[0006] The expression “Interrogating Call Session Control Function (I-CSCF)” as used hereinafter in the specification refers to a network component in the IMS network that performs a role of querying and routing incoming SIP requests to a relevant S-CSCF. The I-CSCF is responsible for querying the Home Subscriber Server (HSS) to retrieve user profile information and determining the relevant S-CSCF to handle the request based on the user’s profile and session requirements.
[0007] The expression “Session Initiation Protocol (SIP),” as used hereinafter in the specification refers to a signaling protocol used to create, modify, and terminate multimedia sessions in the IMS network. The SIP is responsible for establishing communication sessions between network identities and managing the flow of multimedia content.
[0008] The expression “Proxy Call Session Control Function (P-CSCF)” as used hereinafter in the specification refers to a network component in the IMS architecture that is configured to handle all SIP signaling messages from the UE and forward them to the appropriate IMS components. The P-CSCF is responsible for managing and routing SIP messages, handling registration and ensuring secure communication.
[0009] The expression “Multimedia Auth Request (MAR)” as used hereinafter in the specification refers to a command used by an Authentication Server (AS) to request authentication data from the HSS for a specific user. The MAR processing is essential for verifying the identity of users and UE in the IMS network for secured access to network services.
[0010] The expression “Multimedia Authentication Answer (MAA)” as used hereinafter in the specification refers to a command used by the HSS to respond to the MAR command from the AS. The MAA may provide critical information such as authentication vectors, session identifiers, and result codes, which are essential for validating user credentials and ensuring secure access to IMS services.
BACKGROUND
[0011] The following description of related art is intended to provide background information pertaining to the field of the disclosure. This section may include certain aspects of the art that may be related to various features of the present disclosure. However, it should be appreciated that this section is to be used only to enhance the understanding of the reader with respect to the present disclosure, and not as an admission of prior art.
[0012] In an Internet Protocol (IP) Multimedia Subsystem (IMS) network, a user equipment (UE) can access a range of multimedia services, including voice, video, and data. To utilize these services, the UE must first register with the IMS network. When the UE initiates a service request, it uses signaling protocols such as Hypertext Transfer Protocol (HTTP), Simple Mail Transfer Protocol (SMTP), or Session Initiation Protocol (SIP). The IMS network then manages the session by handling setup, routing, and control processes to ensure the requested service is delivered accurately and efficiently.
[0013] Further, a Serving-Call Session Control Function (S-CSCF) is a primary component in the IMS network responsible for session control. The S-CSCF processes the service request sent by the UE. The IMS network receives one or more service requests simultaneously from a plurality of UEs. At times, the S-CSCF faces difficulty in handling multiple service requests simultaneously, as authenticating each UE consumes more time and effort. The S-CSCF allocates a duration for each UE registration in the IMS network. Also, if the authentication fails, the time allocated for registration is misspent. The failure of the service request can be due to authentication failure, network connectivity issues, configuration problems, and S-CSCF failure. The service request failures cause service disruption, loss of IMS features that require authentication, unclear error messages that frustrate the user, and loss of trust in the network service among the users. In the traditional technique, these failures are handled manually, which increases the workload for the network operation teams, leading to higher operational costs. Moreover, handling the authentication involves the risk of unauthorized access or fraudulent activities.
[0014] Further, in conventional techniques, the S-CSCF performs one-way authentication for UE registration, which may lead to unauthorized access to the IMS network and services. The one-way authentication process involves checking the UE credential in a database. The S-CSCF permits the UE registration if the credential is found in the database. The one-way authentication process may pave the way for network attackers to spoof the S-CSCF by using stolen UE data. Certain UEs in the IMS network may not send supported authentication algorithms to the S-CSCF, leading to failures in the Multimedia-Auth-Request (MAR) process. This could be due to various reasons, such as incompatible configurations or software issues.
[0015] Hence, there is a need to provide a system and method that can address the shortcomings of the existing solutions.
SUMMARY
[0016] In an exemplary embodiment, a method for authenticating a user equipment (UE) in a network is disclosed. The method includes receiving at least one request from the UE by a network function. The method includes determining, by the network function, whether the at least one received request includes an authentication identifier. The method includes, upon determining an absence of the authentication identifier in the at least one received request, selecting a supported authentication identifier based on an operator policy. The method includes sending an authentication request along with the selected authentication identifier to a server by the network function. The server is configured to authenticate the UE based upon the received authentication identifier.
[0017] In an embodiment, the authentication request is a multimedia-auth-request (MAR) command that is configured to request security information from the server.
[0018] In an embodiment, the method further includes sending a multimedia-authentication answer (MAA) to the network function in response to the authentication request by the server.
[0019] In an embodiment, the method further includes sending an acknowledgement message to the UE in response to the MAA by the network function.
[0020] In an embodiment, the method further includes determining and extracting one or more headers associated with the at least one received registration request by the network function.
[0021] In another exemplary embodiment, a system for authenticating a user equipment (UE) in a network is disclosed. The system includes a network function. The network function includes a receiving unit, a memory and a processing unit. The receiving unit is configured to receive at least one request from the UE. The memory is configured to store the at least one received request. The processing unit is configured to execute instructions stored in the memory. The system further includes a determining module configured to determine whether the at least one received request includes an authentication identifier. The system further includes a selection module configured to select a supported authentication identifier based on an operator policy, upon determining an absence of the authentication identifier in the at least one received request. The system further includes a communication module configured to send an authentication request along with the selected authentication algorithm to a server. The server is configured to authenticate the UE based upon the received authentication identifier.
[0022] In an embodiment, the server is configured to send a multimedia-authentication answer (MAA) to the network function in response to the authentication request.
[0023] In an embodiment, the network function is configured to send an acknowledgement message to the UE in response to the MAA.
[0024] In another exemplary embodiment, a user equipment (UE) communicatively coupled with a network is disclosed. The coupling includes steps of receiving a connection request, sending an acknowledgment of the connection request to the network and transmitting a plurality of signals in response to the connection request. The UE is connected with a system configured to authenticate the UE in the network. The system includes a network function. The network function includes a receiving unit, a memory and a processing unit. The receiving unit is configured to receive at least one request from the UE. The memory is configured to store the at least one received request. The processing unit is configured to execute instructions stored in the memory. The system further includes a determining module configured to determine whether the at least one received request includes an authentication identifier. The system further includes a selection module configured to select a supported authentication identifier based on an operator policy, upon determining an absence of the authentication identifier in the at least one received request. The system further includes a communication module configured to send an authentication request along with the selected authentication algorithm to a server. The server is configured to authenticate the UE based upon the received authentication identifier.
[0025] In an aspect, the present disclosure discloses a computer program product comprising a non-transitory computer-readable medium comprising instructions that, when executed by one or more processors, cause the one or more processors to execute a method for authenticating a user equipment (UE) in a network. The method includes receiving at least one request from the UE by a network function. The method includes determining, by the network function, whether the at least one received request includes an authentication identifier. The method includes, upon determining an absence of the authentication identifier in the at least one received request, selecting a supported authentication identifier based on an operator policy. The method includes sending an authentication request along with the selected authentication identifier to a server by the network function. The server is configured to authenticate the UE based upon the received authentication identifier.
OBJECTIVES
[0026] Some of the objectives of the present disclosure, which at least one embodiment herein satisfies, are as follows:
[0027] An objective of the present disclosure is to provide a system and method for authenticating a user equipment (UE) in a network.
[0028] Another objective of the present disclosure is to provide a system and method that reduces subscriber registration failure in the network by selecting an authentication algorithm based on operator policy.
[0029] Another objective of the present disclosure is to provide a system and method for enhancing the performance of the network by enabling the authentication algorithm for smooth operation.
[0030] Yet another objective of the present disclosure is to provide a system and a method for authenticating the UE in the network when the UE does not send a supported authentication algorithm to a Serving-Call Session Control Function (S-CSCF).
[0031] Still another objective of the present disclosure is to enable the S-CSCF to select the authentication algorithm for the UE based on an operator policy if the UE does not send a supported algorithm to the S-CSCF.
[0032] Other objectives and advantages of the present disclosure will be more apparent from the following description, which is not intended to limit the scope of the present disclosure.
BRIEF DESCRIPTION OF THE ACCOMPANYING DRAWING
[0033] The accompanying drawings, which are incorporated herein, and constitute a part of this disclosure, illustrate exemplary embodiments of the disclosed methods and systems in which like reference numerals refer to the same parts throughout the different drawings. Components in the drawings are not necessarily to scale, emphasis instead being placed upon clearly illustrating the principles of the present disclosure. Some drawings may indicate the components using block diagrams and may not represent the internal circuitry of each component. It will be appreciated by those skilled in the art that disclosure of such drawings includes disclosure of electrical components, electronic components or circuitry commonly used to implement such components.
[0034] FIG. 1A illustrates a network architecture for implementing a system for authenticating a user equipment (UE) in a network, in accordance with an embodiment of the present disclosure.
[0035] FIG. 1B illustrates an exemplary network architecture for the network, in accordance with an embodiment of the present disclosure.
[0036] FIG. 2 illustrates exemplary system architecture for authenticating the UE in the network, in accordance with an embodiment of the present disclosure.
[0037] FIG. 3 illustrates a flow diagram of a method of registering the UE, in accordance with a prior art.
[0038] FIG. 4 illustrates an exemplary flow diagram of the processing of a registration request received from the UE, in accordance with an embodiment of the present disclosure.
[0039] FIG. 5 illustrates an exemplary flow chart of a method for authenticating the UE in the network, in accordance with an embodiment of the present disclosure.
[0040] FIG. 6 illustrates an exemplary computer system in which or with which the embodiments of the present disclosure may be implemented.
[0041] The foregoing shall be more apparent from the following more detailed description of the disclosure.
LIST OF REFERENCE NUMERALS
100A- Network Architecture
102-1, 102-2 ... 102-N- User(s)
104-1, 104-2 ... 104-N- User Equipment(s)
106- Network
108- System
100B- Exemplary Network Architecture
110- Proxy-Call Session Control Function (P-CSCF)
120- Interrogating-Call Session Control Function (I-CSCF)
130- Serving-Call Session Control Function (S-CSCF)
140- Home Subscriber Server (HSS)
150- Authentication Server (AS)
200- Block Diagram
202- Receiving unit
204- Memory
206- Interface(s)
208- Processing unit
210- Determining module
212- Selection module
214- Communication module
216- Database
300- Flow diagram (Prior Art)
400- Flow diagram
500- Flow chart
600- Computer system
610- External storage device
620- Bus
630- Main memory
640- Read-only memory
650- Mass storage device
660- Communication port(s)
670- Processor
DETAILED DESCRIPTION
[0042] In the following description, for the purposes of explanation, various specific details are set forth in order to provide a thorough understanding of embodiments of the present disclosure. It will be apparent, however, that embodiments of the present disclosure may be practiced without these specific details. Several features described hereafter can each be used independently of one another or with any combination of other features. An individual feature may not address any of the problems discussed above or might address only some of the problems discussed above. Some of the problems discussed above might not be fully addressed by any of the features described herein. Example embodiments of the present disclosure are described below, as illustrated in various drawings in which like reference numerals refer to the same parts throughout the different drawings.
[0043] The ensuing description provides exemplary embodiments only, and is not intended to limit the scope, applicability, or configuration of the disclosure. Rather, the ensuing description of the exemplary embodiments will provide those skilled in the art with an enabling description for implementing an exemplary embodiment. It should be understood that various changes may be made in the function and arrangement of elements without departing from the spirit and scope of the disclosure as set forth.
[0044] Specific details are given in the following description to provide a thorough understanding of the embodiments. However, it will be understood by one of ordinary skill in the art that the embodiments may be practiced without these specific details. For example, circuits, systems, networks, processes, and other components may be shown as components in block diagram form in order not to obscure the embodiments in unnecessary detail. In other instances, well-known circuits, processes, algorithms, structures, and techniques may be shown without unnecessary detail in order to avoid obscuring the embodiments.
[0045] Also, it is noted that individual embodiments may be described as a process that is depicted as a flowchart, a flow diagram, a data flow diagram, a structure diagram, or a block diagram. Although a flowchart may describe the operations as a sequential process, many of the operations can be performed in parallel or concurrently. In addition, the order of the operations may be re-arranged. A process is terminated when its operations are completed but could have additional steps not included in a figure. A process may correspond to a method, a function, a procedure, a subroutine, a subprogram, etc. When a process corresponds to a function, its termination can correspond to a return of the function to the calling function or the main function.
[0046] The word “exemplary” and/or “demonstrative” is used herein to mean serving as an example, instance, or illustration. For the avoidance of doubt, the subject matter disclosed herein is not limited by such examples. In addition, any aspect or design described herein as “exemplary” and/or “demonstrative” is not necessarily to be construed as preferred or advantageous over other aspects or designs, nor is it meant to preclude equivalent exemplary structures and techniques known to those of ordinary skill in the art. Furthermore, to the extent that the terms “includes,” “has,” “contains,” and other similar words are used in either the detailed description or the claims, such terms are intended to be inclusive like the term “comprising” as an open transition word without precluding any additional or other elements.
[0047] Reference throughout this specification to “one embodiment” or “an embodiment” or “an instance” or “one instance” means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present disclosure. Thus, the appearances of the phrases “in one embodiment” or “in an embodiment” in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
[0048] The terminology used herein is to describe particular embodiments only and is not intended to be limiting the disclosure. As used herein, the singular forms “a”, “an”, and “the” are intended to include the plural forms as well, unless the context indicates otherwise. It will be further understood that the terms “comprises” and/or “comprising,” when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. As used herein, the term “and/or” includes any combinations of one or more of the associated listed items. It should be noted that the terms “mobile device”, “user equipment”, “user device”, “communication device”, “device” and similar terms are used interchangeably for the purpose of describing the invention. These terms are not intended to limit the scope of the invention or imply any specific functionality or limitations on the described embodiments. The use of these terms is solely for convenience and clarity of description. The invention is not limited to any particular type of device or equipment, and it should be understood that other equivalent terms or variations thereof may be used interchangeably without departing from the scope of the invention as defined herein.
[0049] As used herein, an “electronic device”, or “portable electronic device”, or “user device” or “communication device” or “user equipment” or “device” refers to any electrical, electronic, electromechanical and computing device. The user device is capable of receiving and/or transmitting one or more parameters, performing function/s, communicating with other user devices and transmitting data to the other user devices. The user equipment may have a processor, a display, a memory, a battery and an input means such as a hard keypad and/or a soft keypad. The user equipment may be capable of operating on any radio access technology including but not limited to IP-enabled communication, ZigBee, Bluetooth, Bluetooth Low Energy, Near Field Communication, Z-Wave, Wi-Fi, Wi-Fi Direct, etc. For instance, the user equipment may include, but is not limited to, a mobile phone, smartphone, virtual reality (VR) devices, augmented reality (AR) devices, laptop, a general-purpose computer, desktop, personal digital assistant, tablet computer, mainframe computer, or any other device as may be obvious to a person skilled in the art for implementation of the features of the present disclosure.
[0050] Further, the user device may also comprise a “processor” or “processing unit”, wherein the processor refers to any logic circuitry for processing instructions. The processor may be a general-purpose processor, a special purpose processor, a conventional processor, a digital signal processor, a plurality of microprocessors, one or more microprocessors in association with a DSP core, a controller, a microcontroller, Application Specific Integrated Circuits, Field Programmable Gate Array circuits, any other type of integrated circuits, etc. The processor may perform signal coding, data processing, input/output processing, and/or any other functionality that enables the working of the system according to the present disclosure. More specifically, the processor is a hardware processor.
[0051] Wireless communication technology has rapidly evolved over the past few decades. The first generation of wireless communication technology was analog, offering only voice services. Further, text messaging and data services became possible when the second-generation (2G) technology was introduced. The third generation (3G) technology marked the introduction of high-speed internet access, mobile video calling, and location-based services. The fourth generation (4G) technology revolutionized wireless communication with faster data speeds, improved network coverage, and security. Currently, fifth generation (5G) technology is being deployed, offering significantly faster data speeds, lower latency, and the ability to connect many devices simultaneously. Further, 6G, the successor to 5G, is expected to provide significantly higher data speed with reduced latency, which may offer improved connectivity for a vast number of devices concurrently. The capabilities of 6G enable new types of applications and services, such as advanced augmented reality (AR) and virtual reality (VR), holographic communications, and more immersive digital experiences. These advancements represent a significant leap forward from previous generations, enabling enhanced mobile broadband, improved Internet of Things (IoT) connectivity, and more efficient use of network resources. The sixth generation (6G) technology promises to build upon these advancements, pushing the boundaries of wireless communication even further. While the 5G technology is still being rolled out globally, research and development into 6G are rapidly progressing, with the aim of revolutionizing the way of connection and interaction with technology.
[0052] As portable electronic devices and wireless technologies continue to improve and grow in popularity, the advancing wireless technologies for data transfer are also expected to evolve and replace the older generations of technologies. In the field of wireless data communications, the dynamic advancement of various generations of cellular technology is also seen. The development, in this respect, has been incremental in the order of second generation (2G), third generation (3G), fourth generation (4G), fifth generation (5G), sixth generation (6G) and more such generations are expected to continue in the forthcoming time.
[0053] Radio Access Technology (RAT) refers to the technology used by mobile devices/user equipment (UE) to connect to a cellular network. It refers to the specific protocol and standards that govern the way devices communicate with base stations, which are responsible for providing the wireless connection. Further, each RAT has its own set of protocols and standards for communication, which define the frequency bands, modulation techniques, and other parameters used for transmitting and receiving data. Examples of RATs include GSM (Global System for Mobile Communications), CDMA (Code Division Multiple Access), UMTS (Universal Mobile Telecommunications System), LTE (Long-Term Evolution), 5G, 6G and the like. The choice of RAT depends on a variety of factors, including the network infrastructure, the available spectrum, and the mobile device's capabilities. Mobile devices often support multiple RATs, allowing them to connect to different types of networks and provide optimal performance based on the available network resources.
[0054] While considerable emphasis has been placed herein on the components and component parts of the preferred embodiments, it will be appreciated that many embodiments can be made and that many changes can be made in the preferred embodiments without departing from the principles of the disclosure. These and other changes in the preferred embodiment as well as other embodiments of the disclosure will be apparent to those skilled in the art from the disclosure herein, whereby it is to be distinctly understood that the foregoing descriptive matter is to be interpreted merely as illustrative of the disclosure and not as a limitation.
[0055] An Internet Protocol (IP) Multimedia Subsystem (IMS) network is a framework designed to facilitate the delivery of multimedia services over IP networks. The IMS network provides a standardized architecture for integrating various types of multimedia communication, such as voice, video, and text, into a cohesive system. The IMS network includes several key components: a Call Session Control Function (CSCF), which manages the setup, modification, and maintenance of multimedia sessions; a Home Subscriber Server (HSS), which stores user profiles and authentication information; and an Application Server (AS), which hosts and executes the multimedia services and applications. Additionally, a Media Resource Function (MRF) provides media-related services, such as mixing and conferencing, while a Serving-Call Session Control Function (S-CSCF) routes requests and ensures the correct handling of sessions based on user profiles. By leveraging these components, IMS enables seamless integration and delivery of multimedia services across diverse networks, improving user experience and service flexibility.
[0056] The S-CSCF is a primary node in the IMS network responsible for session control. The S-CSCF processes the service request sent by the UE. The IMS network receives one or more service requests simultaneously from the plurality of UEs. At times, the S-CSCF faces difficulty in handling multiple service requests at the same time, as authenticating each UE consumes more time and effort. The S-CSCF allocates a duration for each UE registration in the IMS network. Also, if the authentication fails, the time allocated for registration is misspent. The failure of the service request can be due to authentication failure, network connectivity issues, configuration problems, and S-CSCF failure. The service request failures cause service disruption, loss of IMS features that require authentication, unclear error messages that frustrate the user, and loss of trust in the network service among the users. The failure in authentication prevents the user from accessing the IMS services such as video calls, voice calls, and messaging.
[0057] In the conventional technique, the UE may initiate the registration request towards the S-CSCF. The S-CSCF performs the authentication process on the received service request. The authentication process is a one-way authentication process that is performed at the S-CSCF. The one-way authentication process verifies the user identity, and the UE does not perform a mutual authentication with the S-CSCF. The S-CSCF performs one-way authentication by validating the UE’s credentials against its authentication database. In case the S-CSCF finds the credentials in the database, the UE is registered with the IMS network. Otherwise, the S-CSCF rejects the UE registration. The absence of mutual authentication makes the UE vulnerable to man-in-the-middle attacks or phishing, leading to unauthorized access or data breaches.
[0058] The present disclosure aims to overcome the above-mentioned and other existing problems in this field of technology by enabling S-CSCF to select an authentication algorithm based on an operator policy if the UE does not send a supported authentication algorithm to the S-CSCF.
[0059] The various embodiments throughout the disclosure will be explained in more detail with reference to FIG. 1A - FIG. 6.
[0060] FIG. 1A illustrates a network architecture (100A) for implementing a system for authenticating a user equipment (UE) (104) in a network, in accordance with an embodiment of the present disclosure.
[0061] As illustrated in FIG. 1A, the network architecture (100A) may include one or more user equipments (UEs) (104-1, 104-2... 104-N) associated with one or more users (102-1, 102-2... 102-N) in an environment. A person of ordinary skill in the art will understand that one or more users (102-1, 102-2... 102-N) may be collectively referred to as the users (102). Similarly, a person of ordinary skill in the art will understand that one or more UEs (104-1, 104-2... 104-N) may be collectively referred to as the UE (104). Although only three UEs (104) are depicted in FIG. 1A, any number of the UE (104) may be included without departing from the scope of the ongoing description.
[0062] In an embodiment, the UE (104) may include smart devices operating in a smart environment, for example, an Internet of Things (IoT) system. In such an embodiment, the UE (104) may include, but is not limited to, smartphones, smart watches, smart sensors (e.g., mechanical, thermal, electrical, magnetic, etc.), networked appliances, networked peripheral devices, networked lighting system, communication devices, networked vehicle accessories, networked vehicular devices, smart accessories, tablets, smart television (TV), computers, smart security system, smart home system, other devices for monitoring or interacting with or for the users (102) and/or entities, or any combination thereof. A person of ordinary skill in the art will appreciate that the UE (104) may include, but is not limited to, intelligent, multisensing, network-connected devices, which may integrate seamlessly with each other and/or with a central server or a cloud-computing system or any other device that is network-connected.
[0063] Additionally, in some embodiments, the UE (104) may include, but is not limited to, a handheld wireless communication device (e.g., a mobile phone, a smartphone, a tablet device, and so on), a wearable computer device (e.g., a headmounted display computer device, a head-mounted camera device, a wristwatch computer device, and so on), a Global Positioning System (GPS) device, a laptop computer, a tablet computer, or another type of portable computer, a media playing device, a portable gaming system, and/or any other type of computer device with wireless communication capabilities, and the like. In an embodiment, the UE (104) may include, but is not limited to, any electrical, electronic, electromechanical, or equipment, or a combination of one or more of the above devices, such as virtual reality (VR) devices, augmented reality (AR) devices, laptop, a general-purpose computer, desktop, personal digital assistant, tablet computer, mainframe computer, or any other computing device, wherein the UE (104) may include one or more inbuilt or externally coupled accessories including, but not limited to, a visual aid device such as a camera, an audio aid, a microphone, a keyboard, and input devices for receiving input from the user (102) or the entity such as touchpad, touch-enabled screen, electronic pen, and the like. A person of ordinary skill in the art will appreciate that the UE (104) may not be restricted to the mentioned devices and various other devices may be used.
[0064] Referring to FIG. 1A, the UE (104) may communicate with the system (108) through a network (for example an Internet Protocol (IP) Multimedia Subsystem (IMS)) (106) for sending or receiving various types of data. In an embodiment, the network (106) may include at least one of a fifth generation (5G) network, sixth generation (6G) network, or the like. The network (106) may enable the UE (104) to communicate with other devices in the network architecture (100A) and/or with the system (108). The network (106) may include a wireless card or some other transceiver connection to facilitate this communication. In another embodiment, the network (106) may be implemented as, or include any of a variety of different communication technologies such as a wide area network (WAN), a local area network (LAN), a wireless network, a mobile network, a Virtual Private Network (VPN), the Internet, the Public Switched Telephone Network (PSTN), or the like.
[0065] In an embodiment, the network (106) may include, by way of example but not limitation, at least a portion of one or more networks having one or more nodes that transmit, receive, forward, generate, buffer, store, route, switch, process, or a combination thereof, etc. one or more messages, packets, signals, waves, voltage or current levels, some combination thereof, or so forth. The network (106) may also include, by way of example but not limitation, one or more of a wireless network, a wired network, an internet, an intranet, a public network, a private network, a packet- switched network, a circuit-switched network, an ad hoc network, an infrastructure network, a cable network, a cellular network, a satellite network, a fiber optic network, or some combination thereof.
[0066] In an embodiment, the UE (104) is communicatively coupled with the network (106). The network (106) may receive a connection request from the UE (104). The network (106) may send an acknowledgment of the connection request to the UE (104). The UE (104) may transmit a plurality of signals in response to the connection request.
[0067] Although FIG. 1A shows exemplary components of the network architecture (100A), in other embodiments, the network architecture (100A) may include fewer components, different components, differently arranged components, or additional functional components than depicted in FIG. 1A. Additionally, or alternatively, one or more components of the network architecture (100A) may perform functions described as being performed by one or more other components of the network architecture (100A).
[0068] Referring to FIG. 1B, an exemplary network architecture (100B) for the IMS network is described, in accordance with an embodiment of the present disclosure.
[0069] In an embodiment, the IMS network may be a framework for delivering multimedia communications services such as voice, video, and text messages over IP networks. The IMS network may enable secure and reliable multimedia communications between the plurality of UEs (104). The IMS network may provide a unified infrastructure and common mechanism for controlling, manipulating, routing, and managing sessions. For example, the user makes a voice call using the UE. The user dials a phone number on the UE. The UE may send a call request to the IMS network. The call request may reach the various components of the IMS network, such as a Proxy-Call Session Control Function (P-CSCF) (110), an Interrogating-Call Session Control Function (I-CSCF) (120), and a Serving-Call Session Control Function (S-CSCF) (130).
[0070] As shown in FIG. 1B, the network architecture (100B) includes the UE (104) and various IMS network functions (nodes) such as the P-CSCF (110), the I-CSCF (120), the S-CSCF (130), and a server (140). In an example, the server (140) is a Home Subscriber Server (HSS) (140). The UE (104) may be any device used by an end user to access multimedia services through the IMS network. In an aspect, the P-CSCF (110), the I-CSCF (120), the S-CSCF (130), and the HSS (140) may be nodes of the IMS control layer (responsible for handling the signaling, session control, and service management that enable various communication services such as voice, video, and messaging). In an implementation, the network architecture (100B) further includes an Authentication Server (AS) (150).
[0071] The IMS (114) is configured to deliver multimedia communications services such as voice, video and text messaging over IP networks and thus is configured to interface with another network node. For example, the IMS (114) includes three layers: an application layer, a control layer, and a transport layer with standardized interfaces to promote scalability, flexibility, and extensibility. The IMS (114) enables secure and reliable multimedia communications between diverse devices across diverse networks. The IMS (114) incorporates session initiation protocol (SIP) for session control signaling. The IMS (114) may perform various operations such as registration of UE (104), session establishment, session management, and session termination.
[0072] The control layer (also called an IMS core) is primarily responsible for handling (routing) SIP traffic as a signaling mechanism of choice for public communications network infrastructures.
[0073] The P-CSCF (110) is a critical node within the IMS network architecture, serving as the initial contact point for the UE in the session initiation process. The P-CSCF (110) primarily functions as a proxy that routes SIP messages between the UE and other network elements. The P-CSCF (110) performs various responsibilities, including handling incoming and outgoing SIP requests, managing session establishment, and providing initial filtering and routing of requests to ensure they reach the appropriate network elements. Additionally, the P-CSCF (110) enforces policies related to session control, authentication, and security by applying relevant rules and procedures before forwarding requests to the next node in the network. The P-CSCF (110) functions as a proxy server for the user equipment. All SIP signaling traffic to and from the user equipment go through the P-CSCF (110). The P-CSCF (110) validates and then forwards requests from the user equipment and then processes and forwards the responses to the user equipment.
[0074] The I-CSCF (120) operates as an intermediary node in the IMS network, playing a pivotal role in determining the appropriate S-CSCF (130) for the given session request. When a SIP request is received, the I-CSCF (120) interrogates its internal databases and queries other network components to identify the correct S-CSCF (130) that should handle the request. The I-CSCF (120) is responsible for routing requests to the correct S-CSCF (130), facilitating load balancing and ensuring optimal distribution of session handling duties across the network. The I-CSCF (120) also handles user location and registration information, contributing to efficient session management and network resource utilization. The I-CSCF (120) obtains the address of the S-CSCF (130) from the HSS (140) during a registration request and provides it to the P-CSCF (110) for subsequent multimedia requests.
[0075] The S-CSCF (130) is a central component in the IMS network responsible for managing the overall session control and application services for users. The S-CSCF (130) performs critical functions, including the authentication and authorization of incoming SIP requests, session establishment, modification, and termination. The S-CSCF (130) is configured to conduct registration and session control for the registered users. The S-CSCF (130) functions as a registrar and enables the network location information of the UE (104) to be available at the HSS (140). The S-CSCF (130) may originate and terminate a session on behalf of a requesting endpoint. The S-CSCF (130) maintains a user session state and handles service-specific logic, such as applying user profiles, enforcing service policies, and interacting with other network elements to provide advanced multimedia services. The S-CSCF (130) ensures that session control operations are executed according to the user's subscription and network policies, thus playing a vital role in maintaining the integrity and quality of communication services within the IMS network.
[0076] The HSS (140) is a database within the IMS, serving as the central repository for subscriber-related information and network user profiles. The HSS (140) stores and manages critical data, including user authentication credentials, subscription details, service profiles, and user preferences. The HSS (140) facilitates authentication and authorization processes by providing the necessary subscriber data to various network elements such as the S-CSCF (130). The HSS (140) is responsible for ensuring that user requests are processed in accordance with their subscription entitlements and network policies, thus maintaining the integrity and security of the network services.
[0077] The AS (150) is configured to handle authentication requests, verify the legitimacy of user credentials, and ensure that only authorized users gain access to network services. The AS (150) interacts with the HSS (140) to retrieve and validate authentication information, such as passwords or cryptographic keys, as part of the authentication process. The Authentication Server (150) employs various algorithms and protocols to securely verify user identity, protect against unauthorized access, and support secure communication within the network. The AS (150) is configured to verify the identity of users and ensure that the users are authorized to access the network services. The AS (150) may be responsible for handling authentication requests, validating credentials, and supporting secure access to IMS services.
[0078] In an operative aspect, the UE (104) may initiate and receive multimedia sessions. The UE (104) may send Session Initiation Protocol (SIP) signaling messages, which are used to set up and control multimedia sessions, to the P-CSCF (110). The I-CSCF (120) selects the appropriate S-CSCF (130) for the incoming session of the UE (104). The S-CSCF (130) executes the role of session control, user profile handling, authentication/authorization, service invocation, session routing, and IMS registration. The S-CSCF (130) also facilitates interworking between the IMS network and other networks, allowing seamless communication between IMS users and users on non-IMS networks. The HSS (140) may include a database (not shown in FIG. 1B) that may include subscriber-related information like user profiles, authentication data, and service-related information. The HSS (140), thus, becomes a hub for user-related information within the IMS network. The AS (150) hosts specific applications and services like value-added services, such as voicemail, multimedia messaging, and presence services. These services interact with the core IMS components to provide additional features to the UE (104). Although a single UE (104), P-CSCF (110), I-CSCF (120), S-CSCF (130), HSS (140) and AS (150) are shown in FIG. 1B, it is understood that more than one aforesaid entity may be deployed in the expanding IMS network.
[0079] In an aspect, the session initiation process in the IMS network involves several steps to establish a session (such as a voice or video call), listed as:
• At the first step, the user initiates a communication session using a multimedia application. For instance, a user might place a voice call or start a video chat.
• The application sends a SIP INVITE message to the network. This message is directed to the S-CSCF, which is configured for routing the request.
• The S-CSCF, based on the user's profile information stored in the HSS, determines the appropriate AS and/or other network entities to handle the session setup.
• The AS verifies the user's credentials and permissions through the HSS to ensure they are authorized to initiate the session. This step involves checking user profiles, subscription details, and possibly applying policy rules.
• The Application Server processes the session request and may interact with the user or perform additional operations. The S-CSCF and AS negotiate the session parameters, including media types, codecs, and other session attributes.
• Once the session parameters are agreed upon, the S-CSCF sends an OK response to the originating user’s application, indicating that the session can be established. This response includes session details, such as media capabilities and network addresses.
• After receiving the response, the UE acknowledges the response with an ACK message. The session is established, and the media streams (voice, video, etc.) begin to flow between the users.
[0080] FIG. 2 illustrates exemplary system architecture (200) for authenticating the UE in the IMS network, in accordance with an embodiment of the present disclosure.
[0081] Referring to FIG. 2, in an embodiment, the system (108) may include a receiving unit (202), a memory (204), a plurality of interface(s) (206), a processing unit (208) and a database (216). In an aspect, the system (108) may be embedded with the S-CSCF (130). In an aspect, the S-CSCF (130) may include the receiving unit (202), the memory (204), the plurality of interface(s) (206) and the processing unit (208).
[0082] The receiving unit (202) may be configured to receive at least one request from the UE (104) over the IMS network (106). In an example, the at least one request may include a registration request which allows the UE to connect to the network. In an example, the at least one request may include a session establishment request used to initiate multimedia sessions such as voice or video calls. In an example, the at least one request may include a service subscription request for accessing specific services such as messaging or presence information. Additionally, the at least one request may include a session modification request to adjust ongoing sessions. In an example, the at least one request may include a termination request to end a session. In another example, the at least one request may include a deregistration request when the UE no longer needs access to the network. For example, the at least one request may include a service discovery request used to identify available services within the IMS framework. In an aspect, the UE (104) sends the at least one registration request to a base station in the IMS network (106). The base station may transmit the at least one registration request to the receiving unit (202) (network element) (S-CSCF (130)). In an example, the registration request may be performed using a Session Initiation Protocol (SIP) REGISTER message/SIP request. In an aspect, the SIP request may be a specific type of message used within IP-based communication systems. The SIP is a protocol widely employed for establishing, modifying, and terminating multimedia sessions, including voice and video calls over the Internet. The SIP requests are part of the signalling process that coordinates these multimedia sessions, handling aspects such as call initiation, session management, and termination. The SIP request provides the system (108) with essential details required to manage and control the communication session, facilitating smooth and efficient interaction between the involved parties.
[0083] The at least one registration request may include one or more headers. The one or more headers include, but are not limited to, a Request URI (Uniform Resource Identifier) header, a “From” header, a “To” header, a “Call-ID” header, a “CSeq” header, a “Via” header, a “Max-Forwards” header, and an “Authorization” header. For example, the “To” header may comprise an address of record whose registration is to be created, queried, or modified. The “To” header may be represented as “To: display name”. The display name may represent the username. The user may use the SIP REGISTER message to register the UE (104) with the IMS network (106). The UE registration may inform the network (106) about the current location of the user (102) and the available IMS services.
[0084] In an embodiment, the processing unit (208) may be implemented as a combination of hardware and programming (for example, programmable instructions) to implement one or more functionalities of the processing unit (208). In the examples described herein, such combinations of hardware and programming may be implemented in several different ways. For example, the programming for the processing unit (208) may be processor-executable instructions stored on a non-transitory machine-readable storage medium and the hardware for the processing unit (208) may comprise a processing resource (for example, one or more processors), to execute such instructions. In the present examples, the machine-readable storage medium may store instructions that, when executed by the processing resource, implement the processing unit (208). In such examples, the system may comprise the machine-readable storage medium storing the instructions and the processing resource to execute the instructions, or the machine-readable storage medium may be separate but accessible to the system and the processing resource. In other examples, the processing unit (208) may be implemented by electronic circuitry.
[0085] In an exemplary embodiment, the processing unit (208) may include one or more engines/components selected from any of a determining module (210), a selection module (212) and a communication module (214).
[0086] In an embodiment, the determining module (210) may receive the at least one registration request from the receiving unit (202). The determining module (210) may be configured to determine whether the at least one received registration request includes an authentication identifier in the authorization header. The authentication header is a structured parameter used in SIP to indicate that authentication is required. In an aspect, the authorization header may use at least one authorization algorithm to authenticate requests and responses. The authentication header in SIP specifies the credentials required for authentication and indicates the authentication algorithm that should be used. In an aspect, the authentication identifier may be an authentication algorithm. For example, the authentication algorithm may be an authentication and key agreement (AKA) algorithm. The AKA algorithm ensures that a user's identity is verified and that both parties (the user and the network or service provider) agree on a shared encryption key to protect the data exchanged.
[0087] In an embodiment, the at least one registration request is the REGISTER request. The S-CSCF checks for the presence of an Authorization header in the REGISTER request and, if the Authorization header is present, the S-CSCF further checks for the presence of an "integrity-protected" flag within the Authorization header. In an example, the "integrity-protected" flag may represent the authentication algorithm.
[0088] Upon receipt of the REGISTER request with the "integrity-protected" header field parameter in the Authorization header field set to "tls-pending" (Transport Layer Security pending), "tls-yes", "ip-assoc-pending", or "ip-assoc-yes", the S-CSCF shall identify the user by the public user identity as received in the “To” header field and the private user identity as received in the Authorization header field of the REGISTER request, and if the maximum number of simultaneous registration flows allowed for the related public user identity for the used UE (i.e. linked to the same private user identity and instance ID) is reached, then the S-CSCF shall reject the REGISTER by generating a 403 (Forbidden) response. If not, the S-CSCF shall continue with the rest of the procedures related to the registration of the UE with the network.
[0089] The authorization algorithm may be employed to secure credentials without sending passwords in plaintext. The authorization algorithm may include a Message Digest-5 (MD5) algorithm, a Secure Hash Algorithm-256 (SHA-256) algorithm, SHA-1, a Hash-based Message Authentication Code (HMAC), or the Rivest Shamir Adleman (RSA) algorithm. The authorization algorithm is used to enhance security by including session-specific data. The authentication header may include, among other data, an authentication string field called "nonce". The nonce may be a fully free random string that, together with a secret provided by the user (e.g. a combination of user name and password), will be used by the terminal to authenticate the user. For example, the nonce is a one-time use token used for preventing replay attacks. The client nonce may be a random value generated to add uniqueness. The authentication header may include a nonce and a nonce count. The nonce count is a counter to keep track of the number of requests with the same nonce.
[0090] In an exemplary aspect, when the UE (104) initiates the registration request (REGISTER request) to the IMS network (106), the registration request includes the authentication header having the authorization algorithm. The authorization algorithm may be the SHA-1 algorithm. The SHA-1 algorithm may be used to ensure the authenticity of messages and to verify the identity of users within the IMS network (106). The IMS network (106) may generate a random challenge (the nonce) and send it to the UE (104). The nonce may be a unique number that can be used only once in the UE (104) registration process. The nonce is used during the authentication process to ensure that each authentication request is unique and fresh. The UE (104) may hash the challenge (nonce) and send the hashed response back to the IMS network (106). The IMS network (106) may verify that the received response matches the generated challenge.
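The challenge/response and nonce-count handling described in [0089] and [0090], as an added example that is not part of the patent: the UE-side request-digest for SIP Digest with algorithm=MD5 and qop=auth, and a network-side verifier that stores only HA1, tracks the highest nonce-count accepted per issued nonce so that a replayed request is refused, and reports a stale nonce so the caller can re-challenge. Realm, user, password and cnonce values are constructed.

```python
import hashlib
import hmac
import secrets


def _md5(text):
    """Lowercase 32-hex MD5, the form the 32LHEX request-digest rule expects."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """UE side: request-digest for SIP Digest, algorithm=MD5, qop=auth
    (RFC 3261 / RFC 2617): MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5("%s:%s:%s" % (username, realm, password))
    ha2 = _md5("%s:%s" % (method, uri))
    return _md5("%s:%s:%s:%s:%s:%s" % (ha1, nonce, nc, cnonce, qop, ha2))


class DigestVerifier:
    """Network side. Keeps HA1 per user (never the plaintext password) and the
    highest nonce-count accepted for every nonce it has issued."""

    def __init__(self, realm, credentials):
        # credentials: {username: password}, constructed for the example
        self.realm = realm
        self._ha1 = {u: _md5("%s:%s:%s" % (u, realm, pw)) for u, pw in credentials.items()}
        self._nonces = {}  # nonce -> highest nc accepted so far

    def new_nonce(self):
        """Issue a fresh challenge nonce (carried to the UE in WWW-Authenticate)."""
        nonce = secrets.token_hex(16)
        self._nonces[nonce] = 0
        return nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, response, qop="auth"):
        """Return (accepted, reason). 'stale' means: re-challenge with stale=TRUE."""
        if nonce not in self._nonces:
            return False, "stale"
        # nc-value = 8LHEX: exactly eight lowercase hex digits
        if len(nc) != 8 or any(c not in "0123456789abcdef" for c in nc):
            return False, "nc must be 8LHEX"
        count = int(nc, 16)
        if count <= self._nonces[nonce]:
            return False, "nonce-count replayed"
        ha1 = self._ha1.get(username)
        ha2 = _md5("%s:%s" % (method, uri))
        expected = _md5("%s:%s:%s:%s:%s:%s" % (ha1, nonce, nc, cnonce, qop, ha2))
        # Same reason for unknown user and wrong digest, so the reply does not
        # reveal which private identities exist; constant-time compare.
        if ha1 is None or not hmac.compare_digest(expected, response):
            return False, "credentials rejected"
        self._nonces[nonce] = count  # advance the counter only on success
        return True, "ok"
```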
[0091] In an aspect, the determining module (210) may be configured to determine the presence of the authentication algorithm (authentication identifier) in the authorization header by parsing the registration request to identify and extract the authentication algorithm, if present. If the authentication algorithm is found, the determining module (210) may extract the authentication algorithm. For example, the determining module (210) may parse the registration request by fetching one or more headers, such as a CSeq, a Via, a Max-Forwards, and the authorization header. Each header fetched from the registration request may be stored in the memory. The registration request is sent to the HSS (140) via the communication module for UE (104) registration. Conversely, if the authentication algorithm is absent, the system (108) may be configured to initiate the selection module (212) as an alternative configuration.
[0092] In one aspect, the authorization header enables the UE (104) to confirm its identity with the HSS (140). The authorization header may ensure secure communication and access control in the IMS network. The authorization header may comprise a scheme. The scheme may specify an authentication scheme such as a Digest, a Bearer, etc. For example, the digest may include a username, a realm, the nonce, a URI, a response and the authentication algorithm. The realm may be a specific protected area or domain. The realm may be represented as "example.com". The nonce may be a unique string generated each time the response is sent. For example, the nonce may be represented as nonce="dcd098a08e6bfe8e8e9d2c0d1a1e4ef1d".
[0093] Upon determining the absence of the authentication algorithm in the authorization header, the selection module (212) may be configured to select a supported authentication algorithm (identifier) based on an operator policy. In an aspect, the operator policy may include rules, guidelines, and procedures established by a telecommunication operator or service provider to manage, secure, and optimize the IMS network. The operator policy may involve procedures for verifying user identities and authorizing access to IMS services. The procedure involves managing credentials, authentication protocols and authorization rules. For example, the operator policy may include a service access, a quality of service and an authentication. The quality of service may include allocating network resources according to the UE subscription plan and service requirements managed through a network function. The selection module (212) may select the authentication algorithm according to the UE (104). The selection module (212) may be configured to make decisions about the supported authentication algorithm based on the user preferences. For example, the user preferences may include a media type, an encoding technique, a language, a transport mechanism, and a specific session feature. The supported authentication algorithm may include the MD5 algorithm, Extensible Authentication Protocol - Authentication and Key Agreement (EAP-AKA), Extensible Authentication Protocol - Pre-Shared Key (EAP-PSK), and Open Authorization (OAuth).
[0094] Further, the communication module (214) may be configured to send an authentication request and the selected authentication algorithm to the HSS (140). In an aspect, the authentication request may be a multimedia-auth-request (MAR) command. The MAR command may be used to request authentication specifically for multimedia services. In an aspect, the MAR command may include a session ID, a user identity, a multimedia session detail, and authentication details. For example, the multimedia-session details may include details such as a media type and a coder-decoder (codec). The multimedia-session detail may be represented as Multimedia-Session-Details: {Media-type: "Audio", Codec: "G.114"}. The authentication details may include a requested-access-level resource, and a requested-resource. For example, the type of access requested may be full, partial, or limited. The authentication details may be represented as Requested-Access-Level: "Full"; Requested-Resources: {Resource-Type: "video-conference", Resource-Id: "resource5678"}.
[0095] In one aspect, the multimedia-auth-request (MAR) command may be indicated by the Command-Code field set to 303 and the ‘R’ bit set in the Command Flags field. A Diameter Multimedia client sends the MAR command to a Diameter Multimedia server to request security information.
[0096] In an exemplary aspect, message format of the MAR command may be:
< Multimedia-Auth-Request > ::= < Diameter Header: 303, REQ, PXY, 16777216 >
< Session-Id >
{ Vendor-Specific-Application-Id }
{ Auth-Session-State }
{ Origin-Host }
{ Origin-Realm }
{ Destination-Realm }
[ Destination-Host ]
{ User-Name }
[0097] In an aspect, the HSS (140) may be configured to authenticate the UE based on the received authentication algorithm. The HSS (140) may be configured to authenticate and authorize the users requesting to connect with the IMS network. The authentication and authorization process involves analyzing the received request, which includes the authentication algorithm. The HSS (140) may be configured to verify the user credentials by applying the authentication algorithm and enabling IMS network services for the requested UE (104). For example, the IMS network (106) may send a message to the UE (104) with a secret key during the registration process. The UE (104) may perform hashing using the authorization algorithm. The UE (104) may send the hashed response to the HSS (140). The hashed response may comprise the generated random number. The HSS (140) may have stored the generated random number in the memory. The HSS (140) may compare the hashed response with the generated random number; if both match, the UE (104) registration is successful. Otherwise, the HSS (140) may deny the IMS network access to the UE (104).
[0098] The HSS (140) may send a multimedia-authentication answer (MAA) to the system (108) in response to the request received from the UE (104). The MAA may include a session ID, a result code, an origin-host, an origin-realm, and a multimedia-Auth-status. The MAA is used as a response to the MAR command. The MAA provides the necessary authorization information that indicates the outcome of the request. The MAA response is essential for managing and securing multimedia services in the IMS network.
[0099] In one aspect, the multimedia-authentication answer (MAA) command is sent by a server in response to the Multimedia-Auth-Request command. The Experimental-Result AVP (attribute-value pair) may contain one of the result code values supported by Diameter. In the Cx (HSS - CSCF) registration procedure, Multimedia-Auth-Request/Answer (MAR/MAA) is intended for multimedia servers in order to request security information from the HSS. This function is similar to the D interface authentication vector downloading function.
[00100] The system (108) may send an acknowledgement message to the UE in response to the MAA. The system (108) may be the S-CSCF (130). In an aspect, the MAA may be sent to the S-CSCF (130) in response to the MAR command. In an aspect, the system (108) may send the acknowledgement message to the UE (104). The acknowledgement message may include a result code such as a 403 error, a 200 OK, 407, etc. For example, the "403 error" may indicate a forbidden request. The "200 OK" code indicates that the request has been successfully processed. For instance, after sending an INVITE to start a session, receiving a 200 OK response means the session setup has been approved, and the session can proceed. The "403 Forbidden" code signifies that the request was understood by the server but is being refused due to authorization issues. For example, this might occur if the user does not have the necessary permissions, or the requested action violates the server's policies. The "407" code indicates that the proxy server requires authentication before it can process the request. The client needs to provide valid credentials to proceed. The "404 Not Found" code means that the requested resource or user could not be found. For example, if a SIP INVITE is sent to a user who does not exist, a 404 Not Found response would be returned.
[00101] In an example, the acknowledgement message is 200 OK. The S-CSCF returns a SIP 200 OK to the UE, indicating that the registration has been successfully completed.
[00102] In an embodiment, the memory (112) may be configured to store one or more computer-readable instructions or routines in a non-transitory computer readable storage medium, which may be fetched and executed to create or share data packets over a network service. The memory (112) may include any non-transitory storage device including, for example, volatile memory such as random-access memory (RAM), or non-volatile memory such as erasable programmable read only memory (EPROM), flash memory, and the like.
[00103] In an embodiment, the interface(s) (114) may include a variety of interfaces, for example, interfaces for data input and output devices (I/O), storage devices, and the like. The interface(s) (114) may facilitate communication through the system (108). The interface(s) (114) may also provide a communication pathway for one or more components of the system (108). Examples of such components include, but are not limited to, the processing unit (208) and a database (216). In an embodiment, the database (216) comprises data that may be either stored or generated as a result of functionalities implemented by any of the components of the system (108).
[00104] FIG. 3 illustrates a flow diagram of a method (300) of registering the UE, in accordance with the prior art.
[00105] In an aspect, the entities that carry out the flow diagram (300) include the UE (104), the P-CSCF (110), the I-CSCF (120), the S-CSCF(130), and the HSS (140).
[00106] At step (302) of the flow diagram (300), the UE (104) initiates the process by sending a register request to the P-CSCF (110). This step marks the beginning of the registration procedure, where the UE seeks to establish its presence in the IMS network.
[00107] At step (304) of the flow diagram (300), upon receiving the register request from the UE (104), the P-CSCF (110) forwards this request to the I-CSCF (120). The P-CSCF acts as an intermediary, ensuring the request is passed to the next node for further processing.
[00108] At step (306) of the flow diagram (300), the I-CSCF (120) processes the register request and subsequently forwards it to the S-CSCF (130). During this step, the S-CSCF (130) examines the register request and determines that the UE (104) has not included the required authorization algorithm in the authorization header.
[00109] At step (308) of the flow diagram (300), the S-CSCF (130) sends the Multimedia-Auth-Request (MAR) command to the HSS (140). In an aspect, since the UE (104) did not send the supported algorithm, the S-CSCF (130) may send the Multimedia-Auth-Request command without specifying the authorization algorithm.
[00110] At step (310) of the flow diagram (300), the HSS (140) processes the MAR command and generates a response. The generated response may be the Multimedia-Authentication Answer (MAA). The HSS (140) may transmit the MAA response to the S-CSCF (130). The MAA indicates that the authentication request failed due to the absence of the supported algorithm in the UE's request.
[00111] At step (312) of the flow diagram (300), the S-CSCF (130) then sends an Error 403 message to the I-CSCF (120). This error message signifies that the request was unsuccessful due to the missing authorization algorithm.
[00112] At step (314) of the flow diagram (300), the I-CSCF (120) may forward the Error 403 message to the P-CSCF (110). This action continues the process of conveying the error through the network hierarchy.
[00113] At step (316) of the flow diagram (300), the P-CSCF (110) delivers the Error 403 message to the UE (104). The error message is intended to inform the UE that the registration request was denied.
[00114] In an aspect, the Error 403 message is interpreted as a forbidden error. Specifically, the HSS (140) communicates via the Error 403 message that the registration request could not be processed due to the absence of the required authorization algorithm in the request. Consequently, the request must be corrected and resubmitted with the appropriate authorization information.
[00115] Referring to FIG. 3, the REGISTER request may comprise one or more headers, such as an authentication header field. Upon receipt of the REGISTER request, the S-CSCF shall determine which authentication mechanism applies based on the contents of the REGISTER request and the authentication mechanism assigned in the HSS. If the UE is considered authenticated, and if the "integrity-protected" header field parameter in the Authorization header field is set to the value "tls-pending" or "tls-yes", then the S-CSCF shall associate the registration with the local state of "tls-protected". In an aspect, the header field parameters may include a "username" header field parameter, a "realm" header field parameter, a "uri" header field parameter, a "nonce" header field parameter, and a "response" header field parameter. The "username" header field parameter may be set to the value of the private user identity. The "realm" header field parameter may be set to the domain name of the home network. The "uri" header field parameter may be set to the SIP URI of the domain name of the home network. The "nonce" header field parameter may be set to an empty value. The "response" header field parameter may be set to an empty value.
[00116] For an unprotected REGISTER, when performing SIP digest, if the S-CSCF receives a REGISTER request with a non-empty response parameter in the Authorization header, the S-CSCF shall follow the protected REGISTER procedures. If the user needs to be re-authenticated and the REGISTER includes the Authorization header with a digest response, the S-CSCF shall proceed with the authentication procedures as described for the initial REGISTER and include the stale field with a value TRUE in the WWW-Authenticate header. Further, if the REGISTER request does not contain an Authorization header field, and the P-Access-Network-Info header field indicates it is received from an access other than standard and contains the "network provided" header field parameter, the S-CSCF shall send an authentication request for the user to the HSS indicating that the authentication scheme is unknown. Further, the S-CSCF creates and sends the 200 (OK) response for the REGISTER request.
[00117] As illustrated in FIG. 3, since the UE (104) did not send a supported authentication algorithm to the S-CSCF (130), the Multimedia-Auth-Request failed for the UE (104). As a result, registration for the UE (104) also fails.
[00118] FIG. 4 illustrates an exemplary flow diagram (400) of the processing of the registration request received from the UE, in accordance with an embodiment of the present disclosure.
[00119] At Step (402) of the flow diagram (400), the UE (104) initiates the registration process by sending the registration request to the P-CSCF (110).
[00120] At Step (404), the P-CSCF (110) receives the registration request from the UE (104). Subsequently, the P-CSCF (110) performs the action of forwarding the received registration request to the I-CSCF (120). This forwarding step serves as a relay function, ensuring that the registration request continues to the next processing node in the IMS network hierarchy.
[00121] Step (406) includes forwarding, by the I-CSCF (120), the registration request to the S-CSCF (130). In an implementation, upon receiving the registration request, the S-CSCF (130) may determine that the UE (104) has not sent the supported algorithm in an authorization header. The S-CSCF (130) selects an authentication algorithm based on an operator policy on behalf of the UE (104).
[00122] Step (408) includes sending, by the S-CSCF (130), the MAR command to the HSS (140). In an aspect, the S-CSCF (130) sends the MAR command along with the authentication algorithm selected based on the operator policy.
[00123] At Step (410), in response to receiving the MAR command, the HSS (140) processes the request and generates the MAA. The MAA is then sent back to the S-CSCF (130), indicating that the authentication request has been successfully processed. The MAA confirms that the MAR command was successful, thereby allowing the registration process to proceed.
[00124] At Step (412), following the receipt of the MAA from the HSS (140), the S-CSCF (130) sends a Message 200 OK to the I-CSCF (120). In an aspect, the Message 200 OK may be a successful message. For example, the HSS (140) sends a 200 OK message to the UE (104) via the S-CSCF (130). For example, the 200 OK message indicates the request is processed, and UE (104) is successfully registered in the IMS network. The message 200 OK indicates that the registration request has been successfully processed and authenticated, and the registration process can move forward.
[00125] At Step (414), the I-CSCF (120) receives the Message 200 OK from the S-CSCF (130) and forwards this message to the P-CSCF (110). This forwarding step continues the process of communicating the successful registration status through the IMS network.
[00126] At Step (416), the P-CSCF (110) receives the Message 200 OK from the I-CSCF (120) and subsequently delivers this message to the UE (104). This final step completes the registration process by informing the UE that its registration request has been successfully processed and approved.
[00127] As illustrated in FIG. 4, since the UE (104) did not send a supported authentication algorithm to the S-CSCF (130), the S-CSCF (130) selected the authentication algorithm based on the operator policy on behalf of the UE (104). The S-CSCF (130) sends the MAR along with the selected authentication algorithm to the HSS (140). Accordingly, the registration of the UE (104) is successful, and the UE (104) is authenticated.
[00128] FIG. 5 illustrates an exemplary flow chart of a method (500) for authenticating the UE in the IMS network, in accordance with an embodiment of the present disclosure.
[00129] At step 502, the method (500) includes receiving the at least one request from the UE by the network function. In an example, the network function is the S-CSCF (130). In an example, the at least one request may include a registration request which allows the UE to connect to the network. In an example, the at least one request may include a session establishment request used to initiate multimedia sessions such as voice or video calls. In an example, the at least one request may include a service subscription request for accessing specific services such as messaging or presence information. Additionally, the at least one request may include a session modification request to adjust ongoing sessions. In an example, the at least one request may include a termination request to end a session. In another example, the at least one request may include a deregistration request when the UE no longer needs access to the network. For example, the at least one request may include a service discovery request used to identify available services within the IMS framework. The received registration request may be a SIP request. In an aspect, the at least one registration request (REGISTER request) comprises one or more headers. The one or more headers may include a Request URI, a From, a To, a Call-ID, a CSeq, a Via, a Max-Forwards and an authorization header. For example, the Request URI indicates the destination domain of the REGISTER request.
[00130] At step 504, the method (500) includes determining, by the S-CSCF (130), whether the at least one received registration request includes an authentication identifier in the authorization header. In an example, the authentication identifier may include the authentication algorithm. In an example, the authentication identifier may incorporate details about the authentication algorithm used, providing a clear reference for validating user credentials. In an aspect, the S-CSCF (130) may determine which authentication algorithm to apply based on the received registration request. The S-CSCF (130) may analyze the received registration request to identify and extract the authentication header. The authentication header may include an authentication algorithm such as the MD5 algorithm, SHA-1, HMAC, or RSA. For example, the MD5 algorithm is used for authenticating messages and digital signatures. The MD5 algorithm, based on a hash function, verifies that a file sent matches the file received. The MD5 algorithm converts data into a string of 32 characters. For example, "lion" may be converted to the string 904c2dc0dcf05f2b69c4287040cfcf41 using the hash function.
[00131] At step 506, the method (500) includes, upon determining the absence of the authentication algorithm in the authorization header, selecting a supported authentication algorithm based on an operator policy by the S-CSCF (130). The operator policy may include policies for verifying user identities and authorizing access to multimedia services. The operator policy may be established by the network operator or a network administrator to manage and control various aspects of multimedia services, such as user access, service delivery, quality of service and resource management. The operator policy in the IMS network may include a service access and provisioning policy, a quality of service (QoS) policy, a resource management policy, and a security policy. For example, an operator may set the policy based on the configuration of the UE (104) and the user preferences. The configuration of the UE (104) may include a device OS, a device ID, a SIP setting, and an authentication setting. For example, the SIP settings may include a SIP port, a SIP URI, a SIP server address, and an outbound proxy. The user preferences may include a service preference, a notification preference, and a privacy and security preference.
[00132] At step 508, the method (500) includes sending an authentication request along with the selected authentication algorithm to the HSS (140) by the S-CSCF (130). In an aspect, the authentication request may be the MAR command. The MAR command may include an authentication token, a user credential, a session ID, a timestamp, and an authentication algorithm. Based on the received authentication algorithm, the HSS (140) may authenticate the UE (104).
[00133] In an aspect, the HSS (140) may send the MAA response to the S-CSCF (130). Further, the HSS (140) may send the acknowledgement message to the UE (104) in response to the MAA. For example, the MAA response sent to the S-CSCF may include a session ID, a result code, an origin-host, an origin-realm, and a username. The HSS (140) may send the acknowledgement message to the UE with a result code such as 403, 401, 407, 200, etc. For example, the result code 200 indicates that the request is successfully processed, and the UE (104) is registered in the IMS network.
[00134] In some embodiments, the UE (104) may be communicatively coupled with a network. The coupling includes the steps of receiving a connection request, sending an acknowledgment of the connection request to the network and transmitting a plurality of signals in response to the connection request. The UE is connected to a system configured to authenticate the UE in the IMS network. The system includes a network function (serving-call session control function (S-CSCF)). The S-CSCF includes a receiving unit, a memory and a processing unit. The receiving unit is configured to receive at least one request from the UE. The memory is configured to store the at least one received registration request. The processing unit is configured to execute instructions stored in the memory. The system includes a determining module configured to determine whether the at least one received request includes an authentication identifier. The system further includes a selection module configured to select a supported authentication identifier based on an operator policy upon determining an absence of the authentication algorithm in the received request. The system further includes a communication module configured to send an authentication request along with the selected authentication identifier to a server.
[00135] In an exemplary aspect, the ABNF (Augmented Backus-Naur Form) for the authorization may be used as follows,
Authorization = "Authorization" HCOLON credentials
credentials = ("Digest" LWS digest-response) / other-response
digest-response = dig-resp *(COMMA dig-resp)
dig-resp = username / realm / nonce / digest-uri / dresponse / algorithm / cnonce / opaque / message-qop / nonce-count / auth-param
username = "username" EQUAL username-value
username-value = quoted-string
digest-uri = "uri" EQUAL LDQUOT digest-uri-value RDQUOT
digest-uri-value = rquest-uri ; Equal to request-uri as specified by HTTP/1.1
message-qop = "qop" EQUAL qop-value
cnonce = "cnonce" EQUAL cnonce-value
cnonce-value = nonce-value
nonce-count = "nc" EQUAL nc-value
nc-value = 8LHEX
dresponse = "response" EQUAL request-digest
request-digest = LDQUOT 32LHEX RDQUOT
auth-param = auth-param-name EQUAL ( token / quoted-string )
auth-param-name = token
other-response = auth-scheme LWS auth-param *(COMMA auth-param)
auth-scheme = token
Existing systems specify handling for the auth-param attribute only. The present disclosure supports authentication when the algorithm is not received in the Authorization header. When the S-CSCF receives the REGISTER request with or without the "integrity-protected" parameter, but the algorithm is not received in the Authorization header, the S-CSCF may select an authentication algorithm such as MD5/AKA for performing authentication on the basis of operator policy.
[00136] In an example, the exact header value received in the REGISTER request may be represented as:
Authorization: Digest username="405863250000000@ims.mnc863.mcc405.3xyznetwork.org",realm="ims.mnc863.mcc405.xyznetwork.org", uri="sip:ims.mnc863.mcc405.xyznetwork.org", response="", integrity-protected=no
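An added example, not code from the patent, that parses an Authorization header value according to the ABNF in [00135] and then applies the S-CSCF steps of [0087] to [0094]: the simultaneous-flow limit for "integrity-protected" registrations, the check for a UE-supplied algorithm, the operator-policy fallback, and assembly of the MAR fields listed in [0096]. The OperatorPolicy class, the origin host, the flow-count store and the "Authentication-Algorithm" key are assumptions; the Vendor-Id, Auth-Application-Id and Auth-Session-State values come from the Cx interface definition in 3GPP TS 29.229, not from the page.

```python
import re
import uuid
from dataclasses import dataclass, field

# One dig-resp / auth-param: name EQUAL ( quoted-string / token ), COMMA-separated.
_PARAM = re.compile(
    r"""\s*([A-Za-z0-9!#$%&'*+\-.^_`|~]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^\s,"]*)\s*(?:,|$)"""
)


def parse_authorization(value):
    """Split an Authorization header value into (auth-scheme, {name: value}).
    Quoted-string values are unquoted, names are lower-cased, and names the
    ABNF does not list are kept as auth-param entries."""
    scheme, _, rest = value.strip().partition(" ")
    params, pos = {}, 0
    while pos < len(rest):
        m = _PARAM.match(rest, pos)
        if m is None or m.end() == pos:
            raise ValueError("malformed auth-param at offset %d" % pos)
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        params[name] = raw
        pos = m.end()
    return scheme, params


@dataclass
class OperatorPolicy:
    """Constructed stand-in for the operator policy: a default algorithm plus
    optional per-realm overrides, in the page's MD5/AKA vocabulary."""
    default_algorithm: str = "MD5"
    algorithm_by_realm: dict = field(default_factory=dict)

    def select(self, params):
        realm = params.get("realm", "").lower()
        return self.algorithm_by_realm.get(realm, self.default_algorithm)


# "integrity-protected" values for which the simultaneous-flow limit applies.
_FLOW_LIMITED = {"tls-pending", "tls-yes", "ip-assoc-pending", "ip-assoc-yes"}


def handle_register(public_id, instance_id, auth_header, active_flows, policy,
                    max_flows, origin_host="scscf.example.invalid"):
    """S-CSCF handling of one REGISTER. Returns ("403", reason) or ("MAR", avps).
    active_flows maps (public_id, private_id, instance_id) -> current flow count;
    instance_id is assumed to be taken from the Contact header by the caller."""
    scheme, params = parse_authorization(auth_header)
    if scheme.lower() != "digest":
        return "403", "unsupported authorization scheme"  # assumption
    private_id = params.get("username")
    if not private_id:
        return "403", "private user identity missing"  # assumption
    if params.get("integrity-protected", "").lower() in _FLOW_LIMITED:
        key = (public_id, private_id, instance_id)
        if active_flows.get(key, 0) >= max_flows:
            return "403", "maximum simultaneous registration flows reached"
    # Core of the disclosure: when the UE omitted the algorithm, select one by
    # operator policy instead of sending an MAR that the HSS will fail.
    algorithm = params.get("algorithm") or policy.select(params)
    avps = {
        "Session-Id": "%s;%s" % (origin_host, uuid.uuid4().hex),
        "Vendor-Specific-Application-Id": {"Vendor-Id": 10415,
                                           "Auth-Application-Id": 16777216},
        "Auth-Session-State": "NO_STATE_MAINTAINED",
        "Origin-Host": origin_host,
        "Origin-Realm": origin_host.partition(".")[2],
        "Destination-Realm": params.get("realm", ""),
        "User-Name": private_id,
        # Hypothetical key for the selected algorithm the text says accompanies
        # the MAR; the page does not show where in the command it is carried.
        "Authentication-Algorithm": algorithm,
    }
    return "MAR", avps
```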
[00137] FIG. 6 illustrates an example computer system in which or with which the embodiments of the present disclosure may be implemented.
[00138] As shown in FIG. 6, the computer system (600) may include an external storage device (610), a bus (620), a main memory (630), a read-only memory (640), a mass storage device (650), a communication port(s) (660), and a processor (670). A person skilled in the art will appreciate that the computer system (600) may include more than one processor and communication ports. The processor (670) may include various modules associated with embodiments of the present disclosure. The communication port(s) (660) may be any of an RS-232 port for use with a modem-based dialup connection, a 10/100 Ethernet port, a Gigabit or 10 Gigabit port using copper or fiber, a serial port, a parallel port, or other existing or future ports. The communication port(s) (660) may be chosen depending on a network, such as a Local Area Network (LAN), Wide Area Network (WAN), or any network to which the computer system (600) connects.
[00139] In an embodiment, the main memory (630) may be Random Access Memory (RAM), or any other dynamic storage device commonly known in the art. The read-only memory (640) may be any static storage device(s) e.g., but not limited to, a Programmable Read Only Memory (PROM) chip for storing static information e.g., start-up or basic input/output system (BIOS) instructions for the processor (670). The mass storage device (650) may be any current or future mass storage solution, which can be used to store information and/or instructions. Exemplary mass storage solutions include, but are not limited to, Parallel Advanced Technology Attachment (PATA) or Serial Advanced Technology Attachment (SATA) hard disk drives or solid-state drives (internal or external, e.g., having Universal Serial Bus (USB) and/or Firewire interfaces).
[00140] In an embodiment, the bus (620) may communicatively couple the processor(s) (670) with the other memory, storage, and communication blocks. The bus (620) may be, e.g. a Peripheral Component Interconnect (PCI) / PCI Extended (PCI-X) bus, Small Computer System Interface (SCSI), Universal Serial Bus (USB), or the like, for connecting expansion cards, drives, and other subsystems as well as other buses, such as a front side bus (FSB), which connects the processor (670) to the computer system (600).
[00141] In another embodiment, operator and administrative interfaces, e.g., a display, keyboard, and cursor control device, may also be coupled to the bus (620) to support direct operator interaction with the computer system (600). Other operator and administrative interfaces can be provided through network connections connected through the communication port(s) (660). The components described above are meant only to exemplify various possibilities. In no way should the aforementioned exemplary computer system (600) limit the scope of the present disclosure.
[00142] In an aspect, the present disclosure discloses a computer program product comprising a non-transitory computer-readable medium comprising instructions that, when executed by one or more processors, cause the one or more processors to execute a method for authenticating a user equipment (UE) in a network. The method includes receiving at least one request from the UE by a network function. The method includes determining, by the network function, whether the at least one received request includes an authentication identifier. The method includes, upon determining an absence of the authentication identifier in the at least one received request, selecting a supported authentication identifier based on an operator policy. The method includes sending an authentication request along with the selected authentication identifier to a server by the network function. The server is configured to authenticate the UE based upon the received authentication identifier.
[00143] The present disclosure provides a technical advancement related to authenticating the UE in the IMS network. This advancement addresses the limitations of existing solutions by providing a system and a method for reducing UE registration failure in the HSS by providing a supported authentication algorithm during multimedia-auth-request failure in case of the absence of an authentication algorithm in the sent registration request. The disclosure involves implementing a system and a method for selecting an authentication algorithm by the S-CSCF based on operator policy when the UE fails to send the authentication algorithm in the registration request, which offers significant improvements in minimizing UE registration failure in the IMS network. By implementing the selection of a supported authentication algorithm based on operator policy, the present disclosure enhances UE registration in the IMS network, resulting in a reduction of UE registration failure and enhanced IMS network service.
[00144] While the foregoing describes various embodiments of the invention, other and further embodiments of the invention may be devised without departing from the basic scope thereof. The scope of the invention is determined by the claims that follow. The invention is not limited to the described embodiments, versions or examples, which are included to enable a person having ordinary skill in the art to make and use the invention when combined with information and knowledge available to the person having ordinary skill in the art.
[00145] The method and system of the present disclosure may be implemented in a number of ways. For example, the methods and systems of the present disclosure may be implemented by software, hardware, firmware, or any combination of software, hardware, and firmware. The above-described order for the steps of the method is for illustration only, and the steps of the method of the present disclosure are not limited to the order specifically described above unless specifically stated otherwise. Further, in some embodiments, the present disclosure may also be embodied as programs recorded in a recording medium, the programs including machine-readable instructions for implementing the methods according to the present disclosure. Thus, the present disclosure also covers a recording medium storing a program for executing the method according to the present disclosure. While considerable emphasis has been placed herein on the preferred embodiments, it will be appreciated that many embodiments can be made and that many changes can be made in the preferred embodiments without departing from the principles of the disclosure. These and other changes in the preferred embodiments of the disclosure will be apparent to those skilled in the art from the disclosure herein, whereby it is to be distinctly understood that the foregoing descriptive matter is to be implemented merely as illustrative of the disclosure and not as a limitation.
ADVANTAGES OF THE PRESENT DISCLOSURE
[00146] The present disclosure provides a system and a method for authenticating a user equipment (UE) in an Internet Protocol (IP) Multimedia Subsystem (IMS) network.
[00147] The present disclosure provides a system and a method for selecting an authentication algorithm based on operator policy.
[00148] The present disclosure provides a system and a method to reduce UE registration failure with the HSS by providing an authentication algorithm during multimedia-auth-request failure due to the lack of an authentication algorithm.
[00149] The present disclosure provides a system and a method that facilitates the S-CSCF to select an authentication algorithm for the UE to enhance and improve the IMS network performance.
Claims
1. A method (500) for authenticating a user equipment (UE) (104) in a network, the method (500) comprising: receiving (502), by a network function (130), at least one request from the UE (104); determining (504), by the network function (130), whether the at least one received request includes an authentication identifier; upon determining an absence of the authentication identifier in the at least one received request, selecting (506), by the network function (130), a supported authentication information based on an operator policy; and sending (508), by the network function (130), an authentication request along with the selected authentication identifier to a server (140), wherein the server (140) is configured to authenticate the UE (104) based upon the received authentication identifier.
2. The method (500) as claimed in claim 1, wherein the authentication request is a multimedia-auth-request (MAR) command that is configured to request security information from the server.
3. The method (500) as claimed in claim 1, further comprising sending, by the server (140), a multimedia-authentication answer (MAA) to the network function (130) in response to the authentication request.
4. The method (500) as claimed in claim 1, further comprising sending, by the network function (130), an acknowledgement message to the UE (104) in response to the MAA.
5. The method (500) as claimed in claim 1, wherein the determining, by the network function (130), further comprising extracting one or more headers associated with the at least one received registration request.
6. A system (108) for authenticating a user equipment (UE) (104) in a network, the system (108) comprising a network function (130), wherein the network function comprises: a receiving unit (202) configured to receive at least one request from the UE (104); a memory (204) configured to store the at least one received request; a processing unit (208), wherein the processing unit (208) is configured to execute instructions stored in the memory (204) to: determine, by a determining module (210), whether the at least one received request includes an authentication identifier; upon determining an absence of the authentication identifier in the at least one received request, select, by a selection module (212), a supported authentication identifier based on an operator policy; and send, by a communication module (214), an authentication request along with the selected authentication identifier to a server (140), wherein the server (140) is configured to authenticate the UE (104) based upon the received authentication identifier.
7. The system (108) as claimed in claim 6, wherein the authentication request is a multimedia-auth-request (MAR) command that is configured to request security information from the server (140).
8. The system (108) as claimed in claim 6, wherein the server (140) is configured to send a multimedia-authentication answer (MAA) to the network function (130) in response to the authentication request.
9. The system (108) as claimed in claim 6, wherein the network function (130) is configured to send an acknowledgement message to the UE (104) in response to the MAA.
10. A user equipment (UE) (104) communicatively coupled with a network, the coupling comprises steps of: receiving a connection request; sending an acknowledgment of connection request to the network; and transmitting a plurality of signals in response to the connection request, wherein the UE is connected with a system configured to authenticate the UE (104) in the network, as claimed in claim 6.
11. A computer program product comprising a non-transitory computer-readable medium comprising instructions that, when executed by one or more processors, cause the one or more processors to execute a method for authenticating a user equipment (UE) in a network, the method comprising: receiving (502), by a network function (130), at least one request from the UE (104); determining (504), by the network function (130), whether the at least one received request includes an authentication identifier; upon determining an absence of the authentication identifier in the at least one received request, selecting (506), by the network function (130), a supported authentication information based on an operator policy; and sending (508), by the network function (130), an authentication request along with the selected authentication identifier to a server (140), wherein the server (140) is configured to authenticate the UE (104) based upon the received authentication identifier.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| IN202321075368 | 2023-11-04 | | |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2025094204A1 true WO2025094204A1 (en) | 2025-05-08 |
Family
ID=95582030
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/IN2024/052163 Pending WO2025094204A1 (en) | 2023-11-04 | 2024-10-29 | System and method for authenticating a user equipment |
Country Status (1)
| Country | Link |
|---|---|
| WO (1) | WO2025094204A1 (en) |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US10327137B2 (en) * | 2015-03-16 | 2019-06-18 | Mavenir Systems, Inc. | System and method for detecting malicious attacks in a telecommunication network |
| EP3506669B1 (en) * | 2016-10-31 | 2021-03-31 | Huawei Technologies Co., Ltd. | Network authentication method, and related device and system |
| CN116709322A (en) * | 2023-06-27 | 2023-09-05 | 中国电信股份有限公司 | Network authentication method, device, communication device and computer-readable storage medium |
- 2024-10-29 WO PCT/IN2024/052163 patent/WO2025094204A1/en active Pending
Similar Documents
| Publication | Title |
|---|---|
| KR101461455B1 (en) | Authentication method, system and device |
| US8613058B2 (en) | Systems, methods and computer program products for providing additional authentication beyond user equipment authentication in an IMS network |
| US8689301B2 (en) | SIP signaling without constant re-authentication |
| US11063990B2 (en) | Originating caller verification via insertion of an attestation parameter |
| US20030159067A1 (en) | Method and apparatus for granting access by a portable phone to multimedia services |
| US8875236B2 (en) | Security in communication networks |
| US20200221302A1 (en) | Secure telephone identity (sti) certificate management system |
| JP2012523614A (en) | Identity Management Services Provided by Network Operators |
| WO2007062689A1 (en) | Method and apparatus for distributing keying information |
| EP1414212A1 (en) | Method and system for authenticating users in a telecommunication system |
| US10893414B1 (en) | Selective attestation of wireless communications |
| US9571480B1 (en) | Authentication methods and apparatus |
| US20110173687A1 (en) | Methods and Arrangements for an Internet Multimedia Subsystem (IMS) |
| KR20150058534A (en) | Transmitting authentication information |
| GB2542592A (en) | Managing interaction constraints |
| JP2017512390A (en) | Security against access to IP Multimedia Subsystem (IMS) in Web Real Time Communications (WebRTC) |
| US9326141B2 (en) | Internet protocol multimedia subsystem (IMS) authentication for non-IMS subscribers |
| US9800626B2 (en) | Selecting refresh periods in an IP network |
| CN102065069A (en) | Method and system for authenticating identity and device |
| EP2011299B1 (en) | Method and apparatuses for securing communications between a user terminal and a sip proxy using ipsec security association |
| US8683034B2 (en) | Systems, methods and computer program products for coordinated session termination in an IMS network |
| WO2025094204A1 (en) | System and method for authenticating a user equipment |
| CN117640830A (en) | Safety calling method and device for IP telephone |
| WO2008020015A1 (en) | Secure transport of messages in the ip multimedia subsystem |
| WO2011017851A1 (en) | Method for accessing message storage server securely by client and related devices |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 24885185 Country of ref document: EP Kind code of ref document: A1 |