CN101053203B - Method and system for authenticating internet multimedia domain of terminal user identification module - Google Patents

Method and system for authenticating internet multimedia domain of terminal user identification module

Info

Publication number: CN101053203B
Authority: CN (China)
Prior art keywords: domain, HSS, SQN, authentication, authentication vector
Legal status: Active
Application number: CN2006800010952A
Other languages: Chinese (zh)
Other versions: CN101053203A (en)
Inventors: 谢红 (Xie Hong), 王金城 (Wang Jincheng), 朱东铭 (Zhu Dongming), 顾炯炯 (Gu Jiongjiong)
Current assignee: Huawei Technologies Co Ltd
Original assignee: Huawei Technologies Co Ltd
Priority claimed from CN2005100733639A (CN100428848C)
Application filed by Huawei Technologies Co Ltd; priority to CN2006800010952A
Publication of CN101053203A; application granted; publication of CN101053203B

Abstract

A method for authenticating a terminal user identification module in the IM domain: an HSS dedicated to the IM service is deployed in the network. After the S-CSCF receives the UE's IM-domain registration request, it sends an authentication vector request to the HSS; the HSS forwards a request for authentication vectors to the UE's home device; the home device allocates an SQN to the UE, generates the corresponding authentication vectors from that SQN and returns them through the HSS to the S-CSCF, which authenticates the terminal user identification module with them. The corresponding system comprises the UE, the S-CSCF, the HSS and the UE's home device. With this scheme a USIM subscriber can use the IM service without replacing the card, the barrier to rolling out the IM service is lowered, and the problem of repeated resynchronisation is solved. Only the HSS and the HLR/AUC need a simple upgrade, so the cost and complexity of implementing IM-domain authentication in an existing network are reduced.

Description

Method and system for authenticating a terminal user identification module in the Internet multimedia domain
Technical field
The present invention relates to authentication techniques, and more specifically to a method and system for authenticating the terminal user identification module of a mobile terminal in the Internet multimedia (IM) domain.
Background art
With the growth of multimedia services, multimedia services for mobile terminals have appeared. The IP Multimedia Subsystem (IMS) architecture that currently delivers them to mobile terminals is shown in Fig. 1. IMS was originally a subdomain overlaid on the existing packet-switched (PS) domain of third-generation (3G) networks, dedicated to supporting IP multimedia (IM) services. As conditions mature, IMS can also serve users who attach through a wireless LAN (WLAN) or another IP Connectivity Access Network (IP-CAN).
As shown in Fig. 1, IMS consists mainly of the Call Session Control Function (CSCF) entities, the Media Gateway (MGW), the Media Resource Function Controller (MRFC), the Media Resource Function Processor (MRFP), the Media Gateway Control Function (MGCF), the Breakout Gateway Control Function (BGCF), the Subscription Locator Function (SLF) and the Policy Decision Function (PDF), with the Session Initiation Protocol (SIP) as the main control channel between components. The call control components are the core of IMS: they handle call control, address translation, charging and hiding of the mobile terminal's (UE's) mobility. The media gateway components exist for compatibility with the existing Public Switched Telephone Network (PSTN). The Home Subscriber Server (HSS) in IMS is the device that stores the IMS user's subscription information in the home network.
The IMS security functions comprise user authentication in IMS and protection of SIP messages. The IMS security architecture is shown in Fig. 2: authentication and Security Association (SA) negotiation between the UE and the home network use the mutual authentication mechanism of the IMS Authentication and Key Agreement (AKA) protocol, while encryption and integrity protection of SIP messages are applied hop by hop.
Specifically, to authenticate IP multimedia (IM) users in IMS, the Third Generation Partnership Project (3GPP) specifications use a dedicated IMS Subscriber Identity Module (ISIM) as the user-side authentication module together with the AKA mechanism of the Universal Mobile Telecommunications System (UMTS). The IMS user authentication procedure is shown in Fig. 3 and comprises the following steps:
Step 301: when the UE needs to use an IMS service, it sends a registration request, through the Proxy Call Session Control Function (P-CSCF) and the Interrogating Call Session Control Function (I-CSCF), to the Serving Call Session Control Function (S-CSCF).
Step 302: on receiving the registration request, the S-CSCF checks whether it already holds a five-tuple authentication vector (AV) for this user. If so, it authenticates the user directly with that vector (step 304); if not, it requests AVs from the HSS (step 303).
Here a five-tuple AV comprises: a random number (RAND), an authentication token (AUTN), an expected response (XRES), a cipher key (CK) and an integrity key (IK).
Step 303: on receiving the AV request from the S-CSCF, the HSS determines the five-tuple AVs and sends them to the S-CSCF.
To determine a five-tuple AV, the Authentication Centre (AUC) embedded in the HSS determines a sequence number (SQN) and generates the corresponding authentication vector from that SQN.
For efficiency the HSS usually sends several five-tuple AVs to the S-CSCF in order, so that the S-CSCF obtains several usable AVs with one request.
Step 304: the S-CSCF keeps the XRES of the five-tuple AV (the one it had stored, or the one received from the HSS), places RAND, AUTN, CK and IK in an authentication challenge (Auth_Challenge) message and sends it to the P-CSCF through the I-CSCF.
If the HSS sent several five-tuple AVs, the S-CSCF selects one in order and keeps the others for the next authentication of this user.
Step 305: the P-CSCF keeps the CK and IK received in the Auth_Challenge message and forwards RAND and AUTN to the UE.
If integrity protection and confidentiality protection are enabled, the P-CSCF uses the stored IK and CK as keys in the subsequent session.
Steps 306-307: the UE passes the received RAND and AUTN to the ISIM. The ISIM verifies AUTN and, if verification succeeds, computes a response (RES) from RAND and returns it to the UE as the authentication response; the UE returns RES to the S-CSCF. At the same time the ISIM computes IK and CK from RAND and passes them to the UE.
The ISIM's verification of AUTN comprises determining whether the message authentication code (MAC) contained in AUTN is valid and whether the sequence number SQN in AUTN is acceptable. Checking whether SQN is acceptable is how the ISIM decides whether resynchronisation is required.
The UE sends RES to the S-CSCF through the P-CSCF and I-CSCF, and keeps IK and CK as keys for the subsequent session.
Steps 308-309: the S-CSCF compares the RES in the UE's authentication response with the XRES it kept. If they are equal, authentication succeeds and an authentication success message is sent to the UE through the I-CSCF and P-CSCF; otherwise authentication fails.
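The exchange in steps 301-309, as an added example that is not part of the patent text: a Python model of the quintet and of the checks each side performs. Milenage f1..f5 are replaced by an HMAC-SHA256 stand-in (an assumption made so the example runs without the 3GPP algorithm set), the key, AMF and batch size are constructed, and SQN acceptance uses the simple rule the text describes (a vector is acceptable only if its SQN is newer than the SQN_MS on the card). The run at the end shows the S-CSCF consuming cached vectors in order, a replayed challenge being turned into a resynchronisation request instead of a session, and a challenge checked under the wrong key failing on the MAC before its SQN is looked at.

```python
import hashlib
import hmac
import os

AMF = b"\x80\x00"            # authentication management field (constructed value)
SQN_LEN, MAC_LEN = 6, 8      # 48-bit SQN and 64-bit MAC, as carried in AUTN


def _f(k, tag, *parts):
    """HMAC-SHA256 stand-in for Milenage f1..f5 (an assumption; not 3GPP's algorithm set)."""
    return hmac.new(k, tag + b"".join(parts), hashlib.sha256).digest()


def gen_quintet(k, sqn, rand=None):
    """HSS/AUC side (step 303): one five-tuple AV for sequence number sqn."""
    rand = os.urandom(16) if rand is None else rand
    sqn_b = sqn.to_bytes(SQN_LEN, "big")
    mac = _f(k, b"f1", sqn_b, rand, AMF)[:MAC_LEN]
    ak = _f(k, b"f5", rand)[:SQN_LEN]                            # anonymity key conceals SQN
    autn = bytes(a ^ b for a, b in zip(sqn_b, ak)) + AMF + mac   # AUTN = SQN^AK || AMF || MAC
    return {"RAND": rand, "AUTN": autn, "XRES": _f(k, b"f2", rand)[:8],
            "CK": _f(k, b"f3", rand)[:16], "IK": _f(k, b"f4", rand)[:16]}


class ISIM:
    """Card side (steps 306-307): checks MAC and SQN freshness, then derives RES, CK, IK."""

    def __init__(self, k, sqn_ms=0):
        self.k, self.sqn_ms = k, sqn_ms     # SQN_MS: highest sequence number accepted so far

    def challenge(self, rand, autn):
        ak = _f(self.k, b"f5", rand)[:SQN_LEN]
        sqn_b = bytes(a ^ b for a, b in zip(autn[:SQN_LEN], ak))
        amf, mac = autn[SQN_LEN:SQN_LEN + 2], autn[SQN_LEN + 2:]
        if not hmac.compare_digest(mac, _f(self.k, b"f1", sqn_b, rand, amf)[:MAC_LEN]):
            return "mac_fail", None         # not produced under our K: reject outright
        sqn = int.from_bytes(sqn_b, "big")
        if sqn <= self.sqn_ms:              # replayed or stale vector: ask for resynchronisation
            return "resync", self.sqn_ms
        self.sqn_ms = sqn
        return "ok", (_f(self.k, b"f2", rand)[:8], _f(self.k, b"f3", rand)[:16],
                      _f(self.k, b"f4", rand)[:16])


class SCSCF:
    """S-CSCF side: fetches and caches a batch of AVs, keeps XRES, compares it with RES."""

    def __init__(self, fetch_avs):
        self.fetch_avs, self.cache = fetch_avs, []

    def register(self, isim):
        if not self.cache:                  # step 302: ask the HSS only when nothing is cached
            self.cache = self.fetch_avs()
        av = self.cache.pop(0)              # step 304: consume cached AVs in order
        status, payload = isim.challenge(av["RAND"], av["AUTN"])
        if status != "ok":
            self.cache.clear()              # after a resync the remaining AVs are stale
            return status
        res, ck, ik = payload               # CK/IK would be kept by the P-CSCF for the SA
        return "success" if hmac.compare_digest(res, av["XRES"]) else "failure"   # step 308


def demo():
    """Two registrations, then a replayed challenge and a challenge checked with the wrong K."""
    k = bytes(range(16))                    # constructed long-term key shared by card and AUC
    issued, counter = [], {"sqn": 0}

    def fetch_avs(n=3):                     # HSS hands out n quintets with consecutive SQNs
        batch = []
        for _ in range(n):
            counter["sqn"] += 1
            batch.append(gen_quintet(k, counter["sqn"]))
        issued.extend(batch)
        return batch

    isim, scscf = ISIM(k), SCSCF(fetch_avs)
    first, second = scscf.register(isim), scscf.register(isim)
    replay = isim.challenge(issued[0]["RAND"], issued[0]["AUTN"])[0]       # SQN 1 already used
    wrong = ISIM(b"\x00" * 16).challenge(issued[2]["RAND"], issued[2]["AUTN"])[0]
    return {"first": first, "second": second, "replay": replay, "wrong_key": wrong}
```

The order of the two card-side checks matters: the MAC is verified before the SQN is compared, so a party that cannot compute f1 under K learns nothing about SQN_MS and cannot drive the card into resynchronisation. Real USIMs keep an array of SQN_MS values indexed by the low bits of SQN and accept out-of-order values within a window (TS 33.102 Annex C); the strict newer-than rule used here is the one the text assumes.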
The above procedure requires a separate ISIM to complete IM-domain authentication: the ISIM defined today is dedicated to IM-domain authentication, while the terminal user identification modules currently in use for 3G contain no ISIM, so they cannot complete IM-domain authentication by this procedure. For example, the UICC cards that have appeared for 3G generally contain only a USIM, used for circuit-switched (CS) and PS domain authentication, so IM-domain authentication cannot be completed through the ISIM procedure above. At the same time, the HSS holds no data for the USIM, so it cannot determine the authentication vectors a USIM subscriber needs, and the scheme above cannot authenticate a USIM directly.
One way to let the HSS authenticate USIM users is to integrate the HLR's data into the HSS, so that the HSS holds the USIM data and can determine the corresponding authentication vectors. That obviously means replacing the existing HLRs on a large scale, and with IMS networks still in their initial stage, large-scale HLR replacement is essentially impossible. A more reasonable solution is to overlay one or more HSSs dedicated to the IM service on the existing network and leave the existing HLRs unchanged, continuing to serve the CS and PS domains. Under the 3GPP proposal, however, the overlaid HSS must authenticate with an ISIM, while the original HLR authenticates with the original USIM, so the user would have to replace the card with one that contains an ISIM. Under current operating practice a user who wants to upgrade the UE has many options (buying a new phone, upgrading through Java or an interface offered by the handset vendor, and so on), and such upgrades are practical. Replacing a card, however, must be done at an agent authorised by the operator, and to keep service continuous the International Mobile Subscriber Identity (IMSI) of the new card must keep a certain relationship to that of the old one (for example, it must belong to the same HLR), so card replacement is inevitably cumbersome in practice.
Moreover, even if the HSS held the USIM data and could determine the authentication vectors the USIM subscriber needs, another problem remains: one USIM authenticating in several domains at the same time causes resynchronisation problems. Resynchronisation means the following. The USIM stores a sequence number SQN_MS. If the SQN in a quintet issued by the HSS/HLR is older than the SQN_MS stored in the USIM, then, because the issued SQN is derived from the SQN_HE stored in the HSS/HLR, this shows that SQN_HE is behind SQN_MS, and the USIM uses its own SQN_MS to resynchronise the SQN_HE in the HSS/HLR. Furthermore, if both the HSS and the HLR hold an SQN, the two can become inconsistent, so the HSS and the HLR would also need to resynchronise their SQNs.
Take resynchronisation between the USIM and the HLR as an example. To improve network access efficiency, the Visitor Location Register (VLR) of the CS domain and the Serving GPRS Support Node (SGSN) of the PS domain in existing networks usually request several authentication vectors at once, use only one of them for each authentication and cache the rest. If the domains are used with different frequency, say the SGSN and then the VLR each obtain five authentication tuples from the HLR and each uses one, then because the user is very active in the CS domain, the four authentication vectors still cached in the SGSN may become older than the highest sequence number accepted by the USIM (SQN_MS), which at that point follows the SQNs issued by the VLR. The USIM then uses its own SQN_MS to resynchronise the SQN_HE in the HLR (the per-subscriber sequence number kept in the HLR/AUC), which invalidates all authentication vectors currently cached by the SGSN and VLR. As this example shows, if the usage frequencies of the domains differ widely, frequent resynchronisation is inevitable.
In summary, to use the IM service today, either the user's terminal user identification module must contain an ISIM, or the existing HLRs must be replaced. Replacing the existing HLRs is unlikely to be achieved in a short time, and requiring an ISIM in the terminal user identification module places a high demand on the card: the user usually has to replace their USIM card. Card replacement is very cumbersome in practice, which greatly reduces the attraction of the IM service and makes it harder for operators to promote it.
Summary of the invention
In view of this, the present invention provides a method and system for IM-domain authentication of a terminal user identification module, so that users of USIM cards can use the IM service without replacing the card.
To solve the above problems, the technical scheme of the present invention is as follows:
A method for IM-domain authentication of a terminal user identification module, in which an HSS for providing IM-domain service is deployed in the network, comprises:
a. after receiving the IM-domain registration request sent by the UE, the S-CSCF in the network sends an authentication vector request to the HSS;
b. after receiving that request, the HSS sends a request message for obtaining authentication vectors to the UE's home device;
c. after receiving that request message, the UE's home device allocates an SQN to this UE, generates authentication vectors based on this SQN, and sends them to the HSS;
d. the HSS sends the authentication vectors to the S-CSCF, and the S-CSCF authenticates the terminal user identification module of the UE according to them;
wherein the per-subscriber sequence number SQN_HE of each UE in the UE's home device comprises at least one SQN_HE corresponding to at least one domain.
Sending the request message to the UE's home device is:
sending a Send Authentication Info message to the UE's home device, carrying the requesting node type;
and the UE's home device allocating an SQN to this UE is:
the UE's home device determining, from the requesting node type, the domain to which this HSS belongs, and allocating an SQN for that domain from the SQN_HE corresponding to it.
The per-subscriber SQN_HE of each UE in the UE's home device comprises at least one of: an SQN_HE corresponding to the circuit-switched (CS) domain and an SQN_HE corresponding to the packet-switched (PS) domain; the Send Authentication Info message carries the requesting node type of the CS domain or of the PS domain;
and in step c the UE's home device allocating an SQN to this UE is: the UE's home device determining, from the requesting node type in the Send Authentication Info message, whether this HSS belongs to the PS domain or the CS domain, and allocating an SQN for that domain from the SQN_HE corresponding to it.
The method further comprises: the per-subscriber SQN_HE of each UE in the UE's home device comprising an SQN_HE corresponding to the IM domain;
the Send Authentication Info message of step b carrying the requesting node type of the IM domain;
and in step c the UE's home device allocating an SQN being: the UE's home device determining, from the requesting node type in the Send Authentication Info message, that this HSS belongs to the IM domain, and allocating an SQN for the IM domain from the SQN_HE corresponding to the IM domain.
The per-subscriber SQN_HE of each UE in the UE's home device further comprises at least one of: an SQN_HE corresponding to the CS domain and an SQN_HE corresponding to the PS domain; and the method further comprises:
before the HSS of step b sends the Send Authentication Info message to the UE's home device, the HSS determining from the information it stores whether the UE's current home device can allocate an SQN for the IM domain; if so, carrying the requesting node type of the IM domain in the Send Authentication Info message; otherwise carrying the requesting node type of the CS domain or the PS domain.
The valid range of the SQN that the UE's home device allocates to the IM domain is smaller than the valid range of the SQN allocated to the CS and/or PS domain.
In step c the UE's home device allocating an SQN for the IM domain from SQN_HE is: allocating more than one SQN for the IM domain; and generating the corresponding authentication vectors based on the SQNs is: generating one authentication vector for each SQN;
and in step d the S-CSCF authenticating the terminal user identification module of the UE according to the authentication vectors is: the S-CSCF selecting one of the received authentication vectors to authenticate the terminal user identification module and storing the others.
Before the S-CSCF of step a sends the authentication vector request to the HSS, the method further comprises: determining whether the S-CSCF already holds an authentication vector for this UE; if so, authenticating the terminal user identification module of the UE directly with it and ending the procedure; otherwise performing the step of sending the authentication vector request to the HSS.
The method further comprises: configuring the data of the terminal user identification module in the HSS;
and after the HSS of step b receives the request and before it sends the request message for obtaining authentication vectors to the UE's home device, the method further comprises: determining whether this UE has subscribed to CS-domain and/or PS-domain service; if so, performing the step of sending the request message for obtaining authentication vectors; otherwise the HSS computing the authentication vectors from the data of the terminal user identification module and then performing step d.
The IMS Private Identity (IMPI) of the UE is used as the user identifier between the S-CSCF and the HSS;
before the HSS of step b sends the request message to the UE's home device, the method further comprises: the HSS converting the IMPI in the authentication vector request into an International Mobile Subscriber Identity (IMSI), determining the UE's current home device from this IMSI and the routing rules, and then performing the step of sending the request message for obtaining authentication vectors to that home device;
and before the HSS of step d sends the authentication vectors to the S-CSCF, the method further comprises: converting the IMSI back into the IMPI and then sending the IMPI to the S-CSCF together with the authentication vectors.
The UE's home device is the Home Location Register / Authentication Centre (HLR/AUC) to which the UE currently belongs.
The terminal user identification module used by the UE is a USIM.
A system for IM-domain authentication of a terminal user identification module comprises the UE, the S-CSCF, the UE's home device, and also an HSS, wherein:
the UE is used to initiate an IM-domain registration request to the S-CSCF and to exchange with the S-CSCF the messages related to authenticating its own terminal user identification module;
the S-CSCF is used to send an authentication vector request to the HSS according to the IM-domain registration request sent by the UE, and to authenticate the terminal user identification module of the UE according to the authentication vectors sent by the HSS and the related messages exchanged with the UE;
the HSS is used to send a request message for obtaining authentication vectors to the UE's home device according to the authentication vector request sent by the S-CSCF, and to send the authentication vectors returned by the UE's home device to the S-CSCF;
the UE's home device is used to allocate an SQN to the UE according to the request message for obtaining authentication vectors sent by the HSS, generate the corresponding authentication vectors based on this SQN, and send them to the HSS.
The UE's home device is the HLR/AUC to which the UE currently belongs.
In the scheme of the present invention the UE's current home device allocates the SQN and generates the corresponding authentication vectors from it, and the generated authentication vectors are sent to the S-CSCF through the HSS, so that USIM card users can use the IM service without replacing the card, which greatly reduces the difficulty of promoting the IM service.
In addition, in the scheme of the present invention the HLR allocates separate SQN_HE ranges for the CS, PS and IM domains, and the terminal user identification module compares against a separate SQN_MS for each domain, which solves the frequent resynchronisation problem of the prior art.
Furthermore, all modifications in the scheme of the present invention involve only the HSS and the HLR/AUC. No additional requirement is placed on other equipment of existing GSM / General Packet Radio Service (GPRS) / UMTS networks, and the HLR/AUC is merely upgraded rather than replaced, so an IMS dedicated to IM-domain authentication can be overlaid on the existing network at reduced implementation cost and complexity.
Description of drawings
Fig. 1 is a schematic diagram of the current IMS architecture;
Fig. 2 is a schematic diagram of the IMS security architecture;
Fig. 3 is the message flow sequence diagram of the prior-art authentication of a UE by IMS through the ISIM;
Fig. 4 is the message flow sequence diagram of IM-domain authentication of the USIM in a terminal provided by an embodiment of the invention;
Fig. 5 is the block diagram of the system for IM-domain authentication of the USIM in a terminal provided by an embodiment of the invention.
Embodiment
The present invention first overlays an HSS on the existing network, so as to overlay an IMS on it. Once the HSS has been overlaid, sharing the USIM requires that during authentication, after the HSS receives the authentication vector request message from the S-CSCF, it sends a Send Authentication Info message for obtaining authentication vectors to the user's home device, such as the HLR/AUC. The HLR/AUC allocates an SQN to this UE, generates the corresponding authentication vectors from the allocated SQN and sends them to the HSS, and the HSS forwards the received authentication vectors to the S-CSCF. In this way the USIM card user can complete IM-domain authentication.
When the user is a USIM user and the HSS, after receiving the authentication vector request message from the S-CSCF, needs to obtain authentication vectors from the UE's current home device, the HSS can imitate a VLR or SGSN and send a Send Authentication Info message for obtaining authentication vectors to the device to which the UE currently belongs, such as the HLR/AUC; this Send Authentication Info message then carries the requesting node type of the CS domain or the PS domain. The HLR/AUC determines from the requesting node type carried in the message whether the HSS belongs to the PS domain or the CS domain, allocates an SQN for that domain, computes the authentication vectors from the SQN corresponding to that domain, and sends them to the HSS, which delivers them to the S-CSCF.
In addition, in the above procedure the HSS must also address the HLR/AUC before sending it the Send Authentication Info message for obtaining authentication vectors. The HSS can address the HLR/AUC exactly as the existing network's MSC/VLR/SGSN addresses the existing HLR. Specifically, because the message path from the UE to the HSS uses the UE's IMS Private Identity (IMPI) as the user identifier, the IMPI is also used as the user identifier between the S-CSCF and the HSS, whereas the MSC/VLR/SGSN addresses the HLR by IMSI. The HSS therefore has to convert the IMPI into an IMSI, fill the resulting IMSI into the Send Authentication Info message as the user identifier, determine the HLR/AUC serving the user from the existing network's routing rules and the IMSI, and then route the Send Authentication Info message to the destination HLR/AUC according to the locally configured Global Title (GT) or Destination Point Code (DPC). When the HSS receives the response message returned by the destination HLR/AUC, it converts the IMSI back into the IMPI and delivers the IMPI to the S-CSCF as the user identifier.
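The IMPI-to-IMSI conversion and HLR addressing described above, as an added example that is not part of the patent text. It assumes the IMPI has the IMSI-derived form of 3GPP TS 23.003 (<IMSI>@ims.mnc<MNC>.mcc<MCC>.3gppnetwork.org), which is the form an HSS that shares the USIM with the HLR would provision; the routing table, global titles and IMSIs are constructed, and the returned dictionary mirrors the SendAuthenticationInfoArg fields of TS 29.002 rather than encoding them. The check that the realm agrees with the MCC/MNC inside the IMSI is the caveat a practitioner would add: the HSS should not route on one part of the identifier and look the subscriber up on another.

```python
import re

# Constructed routing table (assumption): longest-matching IMSI prefix -> HLR global title.
# A real HSS would take this from the GT/DPC configuration the text mentions.
HLR_ROUTES = {"46000": "+8613800000001", "46001": "+8613800000002"}

# IMSI-derived IMPI of 3GPP TS 23.003: <IMSI>@ims.mnc<MNC>.mcc<MCC>.3gppnetwork.org
IMPI_RE = re.compile(
    r"^(?P<imsi>\d{15})@ims\.mnc(?P<mnc>\d{3})\.mcc(?P<mcc>\d{3})\.3gppnetwork\.org$")


def impi_to_imsi(impi):
    """Derive the IMSI from an IMSI-derived IMPI, refusing one whose realm contradicts the IMSI.

    The realm must match the MCC/MNC at the front of the IMSI; a two-digit MNC appears
    zero-padded to three digits in the realm, so both widths are accepted.
    """
    m = IMPI_RE.match(impi)
    if not m:
        raise ValueError("IMPI is not of the IMSI-derived form")
    imsi, mcc, mnc = m["imsi"], m["mcc"], m["mnc"]
    mnc_ok = imsi[3:6] == mnc or (mnc[0] == "0" and imsi[3:5] == mnc[1:])
    if imsi[:3] != mcc or not mnc_ok:
        raise ValueError("IMPI realm does not match the MCC/MNC of the IMSI")
    return imsi


def imsi_to_impi(imsi, mnc_len=2):
    """Inverse mapping, used when the HSS hands the HLR's answer back to the S-CSCF."""
    if not (imsi.isdigit() and len(imsi) == 15 and mnc_len in (2, 3)):
        raise ValueError("malformed IMSI")
    return f"{imsi}@ims.mnc{imsi[3:3 + mnc_len].zfill(3)}.mcc{imsi[:3]}.3gppnetwork.org"


def route_to_hlr(imsi):
    """Choose the destination HLR by longest IMSI-prefix match (stands in for GT/DPC routing)."""
    for n in range(len(imsi), 0, -1):
        if imsi[:n] in HLR_ROUTES:
            return HLR_ROUTES[imsi[:n]]
    raise LookupError("no HLR route for this IMSI")


def build_send_auth_info(impi, requesting_node_type="sgsn", vectors=5):
    """HSS side of step 403: IMPI -> IMSI, address the HLR, fill in the MAP request fields.

    requesting_node_type is 'vlr' or 'sgsn' towards a legacy HLR (the HSS poses as an SGSN,
    as the text recommends) or 'im' towards an HLR that understands the extension.
    """
    imsi = impi_to_imsi(impi)
    return {"destination": route_to_hlr(imsi), "imsi": imsi,
            "numberOfRequestedVectors": vectors, "requestingNodeType": requesting_node_type}
```

Because a two-digit MNC is zero-padded in the realm, an IMSI whose fourth to sixth digits are, say, 001 is consistent with both realm mnc001 (three-digit MNC 001) and realm mnc000 (two-digit MNC 00); the check cannot distinguish those two cases and the operator's own MNC length has to settle it, which is why imsi_to_impi takes mnc_len explicitly.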
Obviously, this approach needs no upgrade of the existing HLR, and the USIM user need not replace the card. But because the IM-domain service then occupies the SQN range of the CS or PS domain, it may bring some frequent-resynchronisation problems and lower overall system efficiency somewhat. Of course, since the HSS sends the Send Authentication Info message to the HLR while imitating a VLR or an SGSN, the scope affected by its resynchronisations covers only the IM and CS domains, or the IM and PS domains.
For this case of the HSS imitating a VLR or SGSN, because the PS domain authenticates less frequently, the HSS should imitate an SGSN wherever possible to reduce the resynchronisation frequency.
To avoid completely the frequent resynchronisation this may cause, the HSS can instead tell the HLR/AUC explicitly that the Send Authentication Info message for obtaining authentication vectors comes from the IM domain. The HLR/AUC then first determines from the received Send Authentication Info message that this UE is in the IM domain, allocates an SQN for the IM domain in which the UE is located, generates the corresponding authentication vectors from the allocated SQN and sends them to the S-CSCF through the HSS. This approach requires the existing HLR/AUC to be upgraded to support the new protocol extension, so that the SQNs issued by the HLR in the existing network can be divided into CS, PS and IM domains. The USIM can then compare the SQN of each domain separately, and as long as the SQNs of the authentication tuples the HLR issues to each domain are in order, no unnecessary resynchronisation is triggered. Because each domain has only one network entity caching authentication tuples (the VLR in the CS domain, the SGSN in the PS domain, the S-CSCF in the IM domain), dividing the SQN by domain in the HLR solves the resynchronisation problem.
The concrete scheme of the present invention for avoiding frequent resynchronisation completely is described in further detail below with reference to the drawings and specific embodiments.
The current 3GPP R4/R5/R6 TS 29.002 specification defines a requesting node type (requestingNodeType) information element in the Send Authentication Info (MAP-SEND-AUTHENTICATION-INFO) message to identify whether the requesting node belongs to the CS domain (value vlr) or the PS domain (value sgsn). On this basis the HLR, before issuing authentication vectors, first divides the SQN in the AUTN of the authentication vector into a CS-domain part and a PS-domain part, determines from the requestingNodeType element whether the requesting node is a VLR or an SGSN, generates the corresponding authentication vectors with the SQN matching that node type and sends them to that node. This guarantees that the SQNs the HLR issues to each domain are in order, and the SQN_MS managed on the USIM card likewise distinguishes the CS and PS domains, so the SQN check of each domain is independent and does not interfere with the other, avoiding the frequent resynchronisation triggered by differing usage frequencies of the two domains.
Therefore, to make the HLR/AUC allocate an SQN for the IM domain in which the UE is located and avoid the frequent resynchronisation caused by the HSS imitating a VLR or SGSN, the scheme of the present invention extends the Send Authentication Info message, specifically its requestingNodeType information element: the two enumerated values of that element, one representing the CS domain (vlr) and one representing the PS domain (sgsn), are extended to three, a value for the CS domain, a value for the PS domain and a value for the IM domain (for example im); all other information elements remain unchanged.
After the extension, the original VLRs and SGSNs need no change and still obtain authentication vectors with the original Send Authentication Info message, while the newly added HSS obtains authentication vectors with the extended message, writing im in the requestingNodeType element for the IM domain. The original HLR/AUC does need a necessary upgrade, whose main changes are: making the HLR/AUC accept the extended Send Authentication Info message; dividing the SQN_HE in the HLR/AUC into CS, PS and IM domains; generating the IM-domain SQN from the requestingNodeType element carried in the Send Authentication Info message and the IM-domain SQN_HE, generating the corresponding authentication vectors from that SQN, and sending the generated authentication vectors to the network node that initiated the request.
Since identical at the authentication vector acquisition process of AUC and HLR, only be example below therefore with HLR.
By above-mentioned setting, concrete authentication process message flow sequential as shown in Figure 4, it specifically may further comprise the steps:
Steps 401~402: After receiving the IM domain registration request sent by the UE, the S-CSCF sends an authentication vector request (Cx-AuthDataReq) to the HSS.
Step 403: After receiving the authentication vector request sent by the S-CSCF, the HSS sends a send authentication information (MAP-SEND-AUTHENTICATION-INFO) message to the home device to which the user currently belongs, i.e. the HLR/AUC.
If this HLR has been upgraded to support the new protocol extension, the requestingNodeType IE carried in this send authentication information message is set to im; if this HLR has not been upgraded, the requestingNodeType IE carried in this send authentication information message is set to sgsn or vlr, with sgsn recommended.
Specifically, this step may be implemented by configuring in the HSS information on whether the HLR can allocate SQN_HE for the IM domain; the HSS can then determine from this information whether the corresponding HLR supports the new protocol extension, and send the corresponding send authentication information message according to the determined information.
Step 404: After receiving the send authentication information message, the HLR/AUC determines from the requestingNodeType IE in this message which domain the message comes from, generates an SQN satisfying the requirements of that domain according to the SQN_HE it keeps, generates the corresponding authentication vector according to this SQN, and then sends this authentication vector to the HSS as the response message to the send authentication information message.
If the HLR/AUC determines from the requestingNodeType IE that this send authentication information message comes from the IM domain, it generates an SQN satisfying the requirements of the IM domain according to the SQN_HE it keeps; if it determines from the requestingNodeType IE that this message comes from the CS or PS domain, it generates an SQN satisfying the requirements of the CS domain or the PS domain according to the SQN_HE it keeps.
Step 405: The HSS sends the authentication vector sent by the HLR/AUC to the S-CSCF.
Step 406: The S-CSCF authenticates the UE according to the authentication vector sent by the HSS.
After the authentication vector is obtained, the specific authentication process of the S-CSCF is as shown in step 304 and the subsequent steps of Figure 3, with the ISIM there replaced by the USIM, so it is not repeated here.
Through the above steps, the purpose of the present invention can be achieved.
To improve efficiency, the S-CSCF may also request multiple groups of authentication vectors from the HSS after receiving the registration request. In this case, in steps 401~402 above, the S-CSCF first judges, after receiving the registration request, whether it still holds a valid authentication vector; if so, the S-CSCF can directly authenticate the UE according to this authentication vector; if not, the S-CSCF sends the authentication vector request message to the HSS to request multiple groups of authentication vectors. The send authentication information message that the HSS forwards to the HLR/AUC is likewise used to request multiple groups of authentication vectors, and the HLR/AUC correspondingly allocates multiple SQNs for the IM domain and generates multiple groups of authentication vectors according to these SQNs.
In addition, if the UE has not subscribed to CS/PS domain services, i.e. the UE has subscribed only to IM domain services, the resynchronization problem does not arise. Therefore, after receiving the authentication vector request message sent by the S-CSCF, the HSS can first judge whether this user has subscribed to CS/PS domain services. If so, it sends the send authentication information message to the HLR/AUC to which the user belongs; as described above, the content filled into the requestingNodeType IE of this message can be decided according to the capability of this HLR/AUC, i.e. according to whether the HLR/AUC supports the extension of the requestingNodeType IE. If this user has not subscribed to CS/PS domain services, this USIM is identical to an existing ISIM, i.e. it supports only IM domain services, so the authentication vector can be generated and issued for this user in the AUC embedded in the HSS according to the processing method for an ISIM; of course, as with an ISIM, the relevant data of the USIM must likewise be preset in the HSS.
It should also be noted that, under current operating conditions, the authentication frequency of the IM domain is lower than that of the CS domain and the PS domain, so the HLR/AUC can allocate a smaller range of SQN to the IM domain.
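The per-domain SQN handling described above (the HLR/AUC choosing the domain from requestingNodeType in step 404, the HSS falling back to sgsn in step 403 when the HLR is not upgraded, and the batch of vectors held by a slow domain) can be exercised in a small simulation. The following Python model is an added example and is not Huawei's code nor 3GPP MILENAGE: the f1/f2/f5 functions are HMAC-SHA256 stand-ins, the subscriber key is a constructed test value, and the domain is carried in the low three bits of the SQN (an IND-like index, an assumption of this model) so that the USIM can keep one SQN_MS per domain as the text describes. The scenario interleaves an SGSN that fetched a batch of PS vectors with several IM registrations and reports whether the USIM has to resynchronize.

```python
"""Per-domain SQN handling between HSS, HLR/AUC and USIM (simplified model).
Added illustration, not Huawei's code and not 3GPP MILENAGE: f1/f2/f5 are
HMAC-SHA256 stand-ins; the domain index in the low 3 bits of SQN is assumed."""
import hashlib
import hmac
import os
from collections import namedtuple

K = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed test key
AMF = b"\x80\x00"
IND = {"cs": 0, "ps": 1, "im": 2}              # assumed per-domain index values
NODE_TYPE_TO_DOMAIN = {"vlr": "cs", "sgsn": "ps", "im": "im"}

AuthVector = namedtuple("AuthVector", "rand autn xres")


def _prf(tag, rand, *extra):
    return hmac.new(K, tag + rand + b"".join(extra), hashlib.sha256).digest()


def f1(rand, sqn):        # stand-in for the MAC-A function
    return _prf(b"f1", rand, sqn, AMF)[:8]


def f2(rand):             # stand-in for the RES function
    return _prf(b"f2", rand)[:8]


def f5(rand):             # stand-in for the anonymity key AK
    return _prf(b"f5", rand)[:6]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class HlrAuc:
    """Keeps a separate SQN_HE per domain; the domain is picked from
    requestingNodeType (step 404)."""

    def __init__(self, upgraded):
        self.upgraded = upgraded                 # understands the 'im' value?
        self.seq_he = {d: 0 for d in IND}

    def send_authentication_info(self, requesting_node_type, count=1):
        if requesting_node_type == "im" and not self.upgraded:
            raise ValueError("HLR not upgraded: 'im' is not a known node type")
        domain = NODE_TYPE_TO_DOMAIN[requesting_node_type]
        vectors = []
        for _ in range(count):
            self.seq_he[domain] += 1
            sqn = ((self.seq_he[domain] << 3) | IND[domain]).to_bytes(6, "big")
            rand = os.urandom(16)
            autn = xor(sqn, f5(rand)) + AMF + f1(rand, sqn)   # SQN^AK||AMF||MAC
            vectors.append(AuthVector(rand, autn, f2(rand)))
        return vectors


class Hss:
    """Step 403: send 'im' only if the HLR is configured as able to allocate
    IM-domain SQN, otherwise fall back to 'sgsn' as the text recommends."""

    def __init__(self, hlr, hlr_allocates_im_sqn):
        self.hlr = hlr
        self.hlr_allocates_im_sqn = hlr_allocates_im_sqn

    def cx_auth_data_req(self, count=1):
        node_type = "im" if self.hlr_allocates_im_sqn else "sgsn"
        return self.hlr.send_authentication_info(node_type, count)


class Usim:
    """Verifies MAC-A, then checks SQN freshness against the SQN_MS of the
    domain encoded in the SQN; a stale SQN means resynchronization."""

    def __init__(self):
        self.sqn_ms = {i: 0 for i in IND.values()}

    def authenticate(self, av):
        sqn = xor(av.autn[:6], f5(av.rand))
        if not hmac.compare_digest(av.autn[8:], f1(av.rand, sqn)):
            return "mac_failure"
        n = int.from_bytes(sqn, "big")
        ind, seq = n & 7, n >> 3
        if seq <= self.sqn_ms[ind]:
            return "resync"
        self.sqn_ms[ind] = seq
        return "ok" if f2(av.rand) == av.xres else "res_mismatch"


def run_scenario(hlr_upgraded):
    """An SGSN holding a batch of PS vectors is interleaved with frequent IM
    registrations; returns the USIM verdict for each authentication."""
    hlr = HlrAuc(upgraded=hlr_upgraded)
    hss = Hss(hlr, hlr_allocates_im_sqn=hlr_upgraded)
    usim = Usim()
    sgsn_batch = hlr.send_authentication_info("sgsn", count=3)
    verdicts = [usim.authenticate(sgsn_batch.pop(0))]         # one PS auth
    for _ in range(3):                                        # three IM auths
        verdicts.append(usim.authenticate(hss.cx_auth_data_req()[0]))
    verdicts += [usim.authenticate(av) for av in sgsn_batch]  # rest of batch
    return verdicts


if __name__ == "__main__":
    print("HSS simulating SGSN:", run_scenario(False))
    print("HLR with im value:  ", run_scenario(True))
```

With `hlr_upgraded=False` the IM registrations consume the PS counter, so the two PS vectors the SGSN still holds are stale when it finally uses them and the USIM reports a resynchronization for each; with `hlr_upgraded=True` the IM domain advances its own SQN_HE and every authentication succeeds. A production check of the same property would look at the rate of MAP resynchronization (AUTS) events per domain on the HLR/AUC rather than at a model.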
Figure 5 is a composition diagram of a system for performing IM domain authentication on the USIM in a terminal, provided based on an embodiment of the present invention. As shown in Figure 5, it mainly comprises the UE, the S-CSCF, the home device of the UE such as the HLR/AUC, and the HSS, wherein:
UE: used for initiating an IM domain registration request to the S-CSCF, and exchanging with the S-CSCF the messages related to authenticating its own USIM;
S-CSCF: used for sending an authentication vector request to the HSS according to the IM domain registration request sent by the UE, and exchanging with the UE the messages related to authenticating the USIM of the UE according to the authentication vector sent by the HSS;
HSS: used for sending a request message for obtaining an authentication vector to the home device of the UE according to the authentication vector request sent by the S-CSCF, and sending the authentication vector returned by the home device of the UE to the S-CSCF;
Home device of the UE: used for allocating an SQN for the UE according to the request message for obtaining an authentication vector sent by the HSS, generating the corresponding authentication vector based on this SQN, and sending this authentication vector to the HSS.
The above are only process and method embodiments of the present invention and are not intended to limit the present invention; any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within the protection scope of the present invention.

Claims (13)

1. A method for performing Internet Protocol multimedia domain authentication on a terminal user identification module, characterized in that a home subscriber server HSS for providing Internet Protocol multimedia IM domain services is provided in the network, and the method comprises:
a: after receiving an IM domain registration request sent by a mobile terminal UE, the serving call session control function S-CSCF in the network sends an authentication vector request to the HSS;
b: after receiving said request, the HSS sends a request message for obtaining an authentication vector to the home device of the UE;
c: after receiving said request message, the home device of the UE allocates a sequence number SQN for this UE, generates an authentication vector based on this SQN, and then sends this authentication vector to the HSS;
d: the HSS sends said authentication vector to the S-CSCF, and the S-CSCF authenticates the terminal user identification module of said UE according to said authentication vector;
wherein the individual sequence number SQN_HE of each UE in the home device of said UE comprises at least one SQN_HE corresponding to at least one domain;
said sending a request message to the home device of the UE is:
sending a send authentication information message to the home device of the UE, wherein said send authentication information message carries a requesting node type;
said home device of the UE allocating an SQN for this UE is:
the home device of the UE determines the domain to which this HSS belongs according to said requesting node type, and allocates an SQN for the domain to which this HSS belongs according to the SQN_HE corresponding to the domain to which this HSS belongs.
2. The method according to claim 1, characterized in that the individual sequence number SQN_HE of each UE in the home device of said UE comprises: at least one of the SQN_HE corresponding to the circuit switched (CS) domain and the SQN_HE corresponding to the packet switched PS domain;
said send authentication information message carries the requesting node type of the circuit switched (CS) domain or of the packet switched PS domain;
said home device of the UE allocating an SQN for this UE in step c is:
the home device of the UE determines, according to the requesting node type in the send authentication information message, whether this HSS belongs to the PS domain or to the CS domain, and allocates an SQN for the domain to which this HSS belongs according to the SQN_HE corresponding to the domain to which this HSS belongs.
3. The method according to claim 1, characterized in that the individual sequence number SQN_HE of each UE in the home device of said UE comprises: the SQN_HE corresponding to the IM domain;
said send authentication information message in step b carries the requesting node type information of the IM domain;
said home device of the UE allocating an SQN in step c is: the home device of the UE determines, according to the requesting node type in the send authentication information message, that this HSS belongs to the IM domain, and allocates an SQN for this IM domain according to the SQN_HE corresponding to the IM domain.
4. The method according to claim 3, characterized in that the individual sequence number SQN_HE of each UE in the home device of said UE further comprises: at least one of the SQN_HE corresponding to the circuit switched (CS) domain and the SQN_HE corresponding to the packet switched PS domain; and the method further comprises:
before said HSS in step b sends the send authentication information message to the home device of the UE, the HSS determines, according to information it keeps, whether the current home device of the UE can allocate SQN for the IM domain; if it can, the requesting node type information of the IM domain is carried in said send authentication information message; otherwise, the requesting node type information of the CS domain or of the PS domain is carried in said send authentication information message.
5. The method according to claim 3, characterized in that the effective range of the SQN allocated by the home device of said UE to the IM domain is smaller than the effective range of the SQN allocated to the CS domain and/or the PS domain.
6. The method according to claim 3, characterized in that said home device of the UE in step c allocating an SQN for the IM domain according to SQN_HE is: allocating more than one SQN for the IM domain; and said generating the corresponding authentication vector based on the SQN is: generating one group of authentication vectors based on each SQN;
said S-CSCF in step d authenticating the terminal user identification module of said UE according to said authentication vector is: the S-CSCF selects one group of authentication vectors from the received authentication vectors to authenticate the terminal user identification module, and stores the other authentication vectors.
7. The method according to claim 6, characterized in that, before said S-CSCF in step a sends the authentication vector request to the HSS, the method further comprises: judging whether an authentication vector for this UE already exists locally; if so, directly authenticating the terminal user identification module of the UE according to this authentication vector and ending this process; otherwise, performing the step of sending the authentication vector request to the HSS.
8. The method according to any one of claims 1 to 7, characterized in that the method further comprises: configuring data information of the terminal user identification module in the HSS;
after said HSS in step b receives said request and before it sends the request message for obtaining an authentication vector to the home device of the UE, the method further comprises: judging whether this UE has subscribed to services of the CS domain and/or the PS domain; if so, performing said step of sending the request message for obtaining an authentication vector; otherwise, the HSS calculates the authentication vector according to the data information of said terminal user identification module, and then performs step d.
9. The method according to any one of claims 1 to 7, characterized in that the IMS private identity IMPI of the UE is used as the user identifier between said S-CSCF and the HSS;
before said HSS in step b sends the request message to the home device of the UE, the method further comprises: the HSS converts the IMPI in the authentication vector request into the international mobile subscriber identity IMSI, determines the current home device of the UE according to this IMSI and the routing principle, and then performs the step of sending the request message for obtaining an authentication vector to this home device;
before said HSS in step d sends said authentication vector to the S-CSCF, the method further comprises: converting said IMSI into the IMPI, and then sending the IMPI together with said authentication vector to the S-CSCF.
10. The method according to any one of claims 1 to 7, characterized in that the home device of said UE is: the home location register/authentication center HLR/AUC to which the UE currently belongs.
11. The method according to any one of claims 1 to 7, characterized in that the terminal user identification module used by said UE is: the universal subscriber identity module USIM.
12. A system for performing IM domain authentication on a terminal user identification module, comprising: a UE, an S-CSCF and a home device of the UE, characterized in that it further comprises an HSS, wherein:
UE: used for initiating an IM domain registration request to the S-CSCF, and exchanging with the S-CSCF the messages related to authenticating its own terminal user identification module;
S-CSCF: used for sending an authentication vector request to the HSS according to the IM domain registration request sent by the UE, and exchanging with the UE the messages related to authenticating the terminal user identification module of the UE according to the authentication vector sent by the HSS;
HSS: used for sending a request message for obtaining an authentication vector to the home device of the UE according to the authentication vector request sent by the S-CSCF, and sending the authentication vector returned by the home device of the UE to the S-CSCF;
Home device of the UE: used for allocating an SQN for the UE according to the request message for obtaining an authentication vector sent by the HSS, generating the corresponding authentication vector based on this SQN, and sending this authentication vector to the HSS.
13. The system according to claim 12, characterized in that the home device of said UE is the home location register/authentication center HLR/AUC to which the UE currently belongs.
CN2006800010952A 2005-05-31 2006-05-31 Method and system for authenticating internet multimedia domain of terminal user identification module Active CN101053203B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2006800010952A CN101053203B (en) 2005-05-31 2006-05-31 Method and system for authenticating internet multimedia domain of terminal user identification module

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
CNB2005100733639A CN100428848C (en) 2005-05-31 2005-05-31 Method for authenticating IP multi-media zone to terminal user mark module
CN200510073363.9 2005-05-31
CN2006800010952A CN101053203B (en) 2005-05-31 2006-05-31 Method and system for authenticating internet multimedia domain of terminal user identification module
PCT/CN2006/001161 WO2006128373A1 (en) 2005-05-31 2006-05-31 A method for im domain authenticating for the terminal user identifier module and a system thereof

Publications (2)

Publication Number Publication Date
CN101053203A CN101053203A (en) 2007-10-10
CN101053203B true CN101053203B (en) 2010-09-08

Family

ID=38783562

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2006800010952A Active CN101053203B (en) 2005-05-31 2006-05-31 Method and system for authenticating internet multimedia domain of terminal user identification module

Country Status (1)

Country Link
CN (1) CN101053203B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8027666B2 (en) 2005-05-31 2011-09-27 Huawei Technologies Co., Ltd. Method and system for authenticating terminal subscriber identity module in IP multimedia domain

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115022878B (en) * 2022-08-08 2022-11-11 中国电子科技集团公司第三十研究所 Method, apparatus and medium for takeover of selected VoLTE user

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1524816A2 (en) * 2003-10-17 2005-04-20 Nokia Corporation Authentication of messages in a communication system


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
HENRY HAVERINEN et al. Cellular access control and charging for mobile operator wireless local area networks. IEEE Wireless Communications, 2002, 9(6), 52-60. *


Also Published As

Publication number Publication date
CN101053203A (en) 2007-10-10


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
REG Reference to a national code

Ref country code: HK

Ref legal event code: GR

Ref document number: 1099153

Country of ref document: HK