CN101296500A - User authentication processing method, system and server - Google Patents


Info

Publication number: CN101296500A
Authority: CN (China)
Prior art keywords: control function; service call; session control; function entity; call session
Legal status: Pending (the legal status is an assumption and is not a legal conclusion)
Application number: CNA2007100982880A
Other languages: Chinese (zh)
Inventors: 时书锋, 闫学霞
Current Assignee: Huawei Technologies Co Ltd (the listed assignees may be inaccurate)
Original Assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CNA2007100982880A
Publication of CN101296500A

Abstract

The invention discloses a user authentication processing method and system, a home subscriber server and a serving call session control function server. The method comprises the following steps: a serving call session control function server determines that authentication of a user equipment has failed and sends authentication result information to the home subscriber server, which decides, according to the authentication result information, whether to keep the name of the serving call session control function server. With the invention, when authentication of the user equipment fails because the authentication result is incorrect or because no authentication response is received from the user equipment, the home subscriber server can choose whether to keep the name of the serving call session control function server.

Description

User authentication processing method, system and server
Technical field
The present invention relates to the communications field, and in particular to a user authentication processing method and system, a home subscriber server (HSS) and a serving call session control function (S-CSCF) server.
Background technology
Standards bodies such as 3GPP (3rd Generation Partnership Project), 3GPP2 (3rd Generation Partnership Project 2), ITU-T (ITU Telecommunication Standardization Sector) and TISPAN (Telecoms & Internet converged Services & Protocols for Advanced Networks) are all working on standards for next-generation communication networks, and have largely settled on IMS (IP Multimedia Subsystem) as the next-generation core network for both fixed and mobile access. The development trend, and the path of network evolution toward IMS, is diversified access technologies and service provision, IP-based bearers and a unified core network. Users can obtain a better service experience in an IMS network.
Fig. 1 is a schematic diagram of the IMS functional architecture. As shown, the IMS architecture comprises:
CSCF (Call Session Control Function): the control core of the IMS core network. It is responsible for registration and authentication of the UE (User Equipment) and for session control, performs basic session routing for calling and called IMS users, and, according to the IMS filter rules in the user's subscription, triggers value-added service routing to an AS (Application Server) and interacts with it for service control when the conditions are met.
HSS (Home Subscriber Server): the user database server. It stores the IMS subscription information set when the operator opens the account, and supports customization and modification of subscription data by the operator or the end user through an interface with the service management system. Over the Diameter-based Cx interface with the S-CSCF (Serving CSCF), the HSS registers the S-CSCF domain-name routing information during IMS registration and supports downloading the basic IMS subscription information to the S-CSCF. Over the Diameter-based Cx interface with the I-CSCF (Interrogating CSCF), the HSS, during user registration, supports selection of a serving S-CSCF for the user or provides the I-CSCF with the name of the S-CSCF currently serving the user, so that the I-CSCF can route the registration message or session to the correct S-CSCF. Over the Diameter-based Sh interface with the AS, the HSS provides a SIP (Session Initiation Protocol) AS for value-added services, or an OSA (Open Service Architecture) SCS (Service Capability Server), with a remote database access interface to subscription data and service logic scripts; the HSS is only responsible for transparent storage of a given subscriber's AS value-added service data and does not parse its semantics.
SLF (Subscription Locator Function): provides an address resolution mechanism. When the network operator deploys several independently addressable HSSs, this mechanism lets the I-CSCF, S-CSCF and AS find the address of the HSS that holds the subscription data for a given user identity. Physically it can be co-located with the HSS.
The AS obtains or updates service-related user data and user state information through the Sh interface of the HSS, and the S-CSCF obtains the user's subscription information through the Cx interface with the HSS.
In an IMS network, the UE can use the services the network provides after registering with the network. The UE can also subscribe to unregistered services: when the UE is not registered, the network can still provide the user with unregistered services such as call forwarding and call logging. When the UE registers with the network, or when a call terminates at the user, the S-CSCF and the HSS exchange the user's authorization data and service data through the SAR/SAA (Server-Assignment-Request/Server-Assignment-Answer) commands.
Fig. 2 is a schematic diagram of the UE registration flow in the IMS network. As shown, registration comprises the following steps:
Step 201: the UE sends a REGISTER message to the network;
Step 202: the P-CSCF forwards the REGISTER request to the I-CSCF of the UE's home network;
Step 203: on receiving the REGISTER message, the I-CSCF places the IMPU from the To header field of the message in the Public User Identity of a UAR (User-Authorization-Request) and the username from the Authorization header field in the Private User Identity of the UAR, and asks the HSS for the name of the S-CSCF already assigned to this user or for the capability set of the S-CSCF needed to serve this user;
Step 204: on receiving the UAR message, the HSS queries its internal database by the IMPU and IMPI in the message, and then returns to the I-CSCF, in a UAA (User-Authorization-Answer), the name of the S-CSCF assigned to this user or the capability set information;
Step 205: the I-CSCF selects a serving S-CSCF for the user according to the S-CSCF capability set, or according to the S-CSCF name returned by the HSS, and forwards the REGISTER message to that S-CSCF;
Step 206: on receiving the REGISTER message, the S-CSCF places the IMPU from the To header field of the registration message in the Public User Identity of a MAR (Multimedia-Auth-Request) and the username from the Authorization header field in the Private User Identity of the MAR, and requests the user's authentication data from the HSS;
Step 207: the HSS obtains the corresponding authentication data according to the user's IMPI in the MAR and returns it to the S-CSCF in an MAA (Multimedia-Auth-Answer), and at the same time sets the authentication-pending flag for this IMPI;
Step 208: the S-CSCF sends a 401 authentication challenge to the UE via the I-CSCF, containing a random challenge (RAND) and a network authentication token (AUTN); the cipher key and integrity key are delivered to the P-CSCF, which uses them to set up a security association with the UE that integrity-protects subsequent signalling;
Step 209: the I-CSCF forwards the 401 authentication challenge to the P-CSCF;
Step 210: the P-CSCF forwards the 401 authentication challenge to the UE;
Step 211: the UE verifies the network's authentication token using the key and authentication algorithm in the ISIM card and produces an authentication response (RES). The P-CSCF and the UE set up the security association using the CK (Confidentiality Key, the cipher key) and the IK (Integrity Key), and the UE sends a REGISTER message carrying the authentication result RES to the network over this security association;
Step 212: the P-CSCF forwards the REGISTER message sent by the UE to the I-CSCF;
Step 213: the I-CSCF forwards the REGISTER message sent by the UE to the S-CSCF;
Step 214: the S-CSCF verifies the RES, determining whether it matches the expected result XRES (Expected Response) obtained from the HSS;
Step 215: after authentication succeeds, the S-CSCF places the IMPU, in SIP URI (Uniform Resource Identifier) form, from the To header field of the registration message in a SAR and requests the user's subscription data from the HSS;
Step 216: on receiving the SAR message, the HSS queries its internal database and performs the related processing according to the IMPU and IMPI in the message, and then returns the requested subscription data to the S-CSCF in an SAA;
Step 217: the S-CSCF stores the user data from the SAA and returns 200 OK to the I-CSCF;
Step 218: the I-CSCF returns 200 OK to the P-CSCF;
Step 219: the P-CSCF returns 200 OK to the UE, which completes the registration and authentication of the UE.
In step 208 of the above flow, if the S-CSCF does not receive a response message or registration request from the UE within the time limit after sending the 401 authentication challenge, the S-CSCF treats the authentication of the UE as failed. The S-CSCF sends a SAR to the HSS with the Server Assignment Type set to AUTHENTICATION_TIMEOUT, indicating to the HSS that authentication timed out, and the HSS clears the authentication-pending flag it recorded for the IMPI being authenticated.
In step 214 of the above flow, if the S-CSCF fails to verify the RES, or the REGISTER message it receives indicates that the UE's authentication of the network failed, the S-CSCF treats the authentication of the UE as failed. The S-CSCF sends a SAR to the HSS with the Server Assignment Type set to AUTHENTICATION_FAILURE, indicating authentication failure to the HSS, and the HSS clears the authentication-pending flag it recorded for the IMPI being authenticated.
Fig. 3 is a schematic diagram of the session flow for a call terminating at an unregistered user. As shown, it comprises the following steps:
Step 301: the I-CSCF receives an INVITE for a call terminating at a user;
Step 302: the I-CSCF sends a LIR (Location-Info-Request) message to the HSS to obtain information about the S-CSCF serving the user, or the capability set of the S-CSCF needed;
Step 303: if the HSS has recorded the name of the S-CSCF serving this user, it returns that name to the I-CSCF in a LIA (Location-Info-Answer); if not, it returns the capability set of an S-CSCF that can meet the user's service needs;
Step 304: if the HSS returned an S-CSCF capability set rather than an S-CSCF name, the I-CSCF selects a suitable S-CSCF according to that capability set;
Step 305: the I-CSCF forwards the INVITE request to this S-CSCF;
Step 306: if the S-CSCF does not have this user's data, it sends a SAR to the HSS requesting the user data, with the Server Assignment Type parameter set to UNREGISTERED_USER, informing the HSS that the user's current state is an unregistered terminating call;
Step 307: the HSS delivers the user data to the S-CSCF in an SAA;
Step 308: the S-CSCF performs service control according to the user data;
Step 309: the S-CSCF performs subsequent processing.
Fig. 4 is a schematic diagram of the session flow in which an AS originates a call on behalf of the user. As shown, it comprises the following steps:
Before originating a call on behalf of the user, the AS can obtain the name of the user's S-CSCF through third-party registration or from the HSS over the Sh interface.
If the AS has obtained the name of the user's S-CSCF before originating the call on the user's behalf, step 401a is performed: the AS routes the session directly to the user's S-CSCF. If the name of the user's S-CSCF cannot be obtained, step 401b1 is performed:
Step 401b1: the session is routed to the I-CSCF of the user's home domain;
Step 401b2: the I-CSCF sends a LIR message to the HSS, filling the LIR with the calling user identity from the P-Asserted-Identity header field of the message and adding an originating-request flag, to query where this user currently is, that is, the information about the user's S-CSCF;
Step 401b3: according to the user identity in the LIR, the HSS looks up this user's information in its database and returns the name of the user's S-CSCF, or the S-CSCF capability set, to the I-CSCF in a LIA;
Step 401b4: if the HSS returned an S-CSCF capability set, the I-CSCF has to select an S-CSCF according to the capability set;
Step 401b5: the I-CSCF routes the INVITE to the S-CSCF returned by the HSS, or to the S-CSCF it selected for the user according to the capability set returned by the HSS;
Step 402: if the S-CSCF does not have this user's information, it places the user identity from the P-Asserted-Identity header field of the message in a SAR and requests the user's subscription data from the HSS; if it does have this user's information, it goes directly to step 404;
Step 403: the HSS returns the requested subscription data to the S-CSCF in an SAA;
Step 404: the S-CSCF performs service control;
Step 405: the S-CSCF performs subsequent processing.
In the course of making the invention, the inventors noticed the following. In the UE registration flow, if the S-CSCF's authentication of the UE fails or the UE's authentication of the network fails, the S-CSCF uses a SAR to ask the HSS to clear the authentication-pending flag of the corresponding IMPI; if the state of this IMPU in the HSS is unregistered, or no other IMPU and IMPI of this user is registered on this S-CSCF, the HSS clears the S-CSCF name at the same time. The resulting shortcoming is that the S-CSCF cannot have the HSS keep its name. This introduces an unnecessary step in which the I-CSCF selects an S-CSCF during registration, unregistered terminating calls, and unregistered originating calls initiated by an AS on behalf of the UE.
The inventors also noticed that, because the capability set of the S-CSCF serving the user is relatively stable in the HSS, the I-CSCF, during UE registration, unregistered terminating calls and unregistered originating calls, always selects the serving S-CSCF for the user according to the capability set that the HSS returns. So even though the current authentication failure has removed the S-CSCF name from the HSS, the I-CSCF will still choose the same S-CSCF next time. This causes the following shortcoming: especially in an unregistered originating call initiated by an AS on behalf of the UE, because the AS cannot obtain the S-CSCF name directly from the HSS, it has to route the session to the I-CSCF, which performs exactly the same S-CSCF selection as in the authentication procedure, introducing an unnecessary routing detour and delay.
Summary of the invention
The embodiments of the invention provide a user authentication processing method, a system and an HSS server, to solve the prior-art problem that the HSS cannot keep the S-CSCF name after user authentication fails.
An embodiment of the invention provides a user authentication processing method comprising the following steps:
the S-CSCF determines that authentication of the UE has failed;
the S-CSCF sends authentication result information to the HSS;
the HSS decides, according to the content of the authentication result information, whether to keep the S-CSCF name.
An embodiment of the invention also provides a user authentication processing system comprising a UE, an HSS and an S-CSCF for determining whether authentication of the UE has failed, and further comprising:
a sending module, connected to the S-CSCF, for sending authentication result information to the HSS after the S-CSCF determines that authentication of the UE has failed;
a saving module, connected to the HSS, for deciding whether to keep the S-CSCF name according to the content of the authentication result information sent by the sending module.
An embodiment of the invention further provides a home subscriber server comprising:
a saving module for deciding whether to keep the S-CSCF name according to the content of authentication result information, the authentication result information being that sent to the HSS after the S-CSCF determines that authentication of the UE has failed.
An embodiment of the invention provides a serving call session control function server comprising a deleting module for deciding, according to an operation result, whether to delete the user's corresponding data, the operation result being the HSS's feedback on whether it kept the S-CSCF name.
The beneficial effects of the embodiments of the invention are as follows:
After authentication of the UE fails, the S-CSCF sends authentication result information to the HSS, and the HSS decides whether to keep the S-CSCF name according to the content of that information. The HSS can thus decide whether to keep the S-CSCF name as indicated by the authentication result information; that is, when authentication of the UE fails because the authentication result is incorrect or because no authentication response was received from the UE, the HSS can choose whether to keep the S-CSCF name.
Description of drawings
Fig. 1 is a schematic diagram of the IMS functional architecture described in the background;
Fig. 2 is a schematic diagram of the UE registration flow in the IMS network described in the background;
Fig. 3 is a schematic diagram of the session flow, described in the background, for a call terminating at an unregistered user;
Fig. 4 is a schematic diagram of the session flow, described in the background, in which an AS originates a call on behalf of the user;
Fig. 5 is a schematic diagram of the implementation flow of the user authentication processing method in an embodiment of the invention;
Fig. 6 is a schematic diagram of the flow, in an embodiment of the invention, in which UE registration fails authentication in the network;
Fig. 7 is a schematic structural diagram of the user authentication processing system in an embodiment of the invention;
Fig. 8 is a schematic structural diagram of the home subscriber server in an embodiment of the invention;
Fig. 9 is a schematic structural diagram of the serving call session control function server in an embodiment of the invention.
Embodiment
Specific embodiments of the invention are described below with reference to the accompanying drawings.
Fig. 5 is a schematic diagram of the implementation flow of the user authentication processing method. As shown, user authentication processing can comprise the following steps:
Step 501: the S-CSCF determines that authentication of the UE has failed; the failure can be the S-CSCF's authentication of the UE failing or the UE's authentication of the network failing;
Step 502: the S-CSCF sends authentication result information to the HSS;
Step 503: the HSS identifies the content of the authentication result and decides accordingly whether to keep the S-CSCF name: if the content is "authentication failed", go to step 504; if it is "authentication failed, keep the S-CSCF name", go to step 505; if it is "authentication failed, do not keep the S-CSCF name", go to step 506;
Step 504: the HSS decides whether to keep the S-CSCF name according to a first session policy, then goes to step 507;
Step 505: the HSS keeps the S-CSCF name, then goes to step 507;
Step 506: the HSS does not keep the S-CSCF name, then goes to step 507;
Step 507: the HSS feeds back to the S-CSCF the operation result, that is, whether it kept the S-CSCF name;
Step 508: the S-CSCF examines the fed-back operation result and decides accordingly whether to delete the user's corresponding data; when the HSS's operation result is that the S-CSCF name was not kept, the S-CSCF deletes the user's corresponding data.
In implementation, the S-CSCF can carry the authentication result information in a SAR message sent to the HSS, specifically in the Server Assignment Type of the SAR message.
In a preferred implementation, in step 505 the HSS can further decide whether to keep the S-CSCF name according to a second session policy, which makes the HSS more flexible; the second policy can be defined according to the operator's needs and the like.
This is illustrated below with an embodiment.
The main purpose of this embodiment is to enhance the functions of the HSS and the S-CSCF and of the Cx interface between them, so that after the S-CSCF's authentication of the UE fails, or the UE's authentication of the network fails, the HSS can choose whether to keep the S-CSCF name.
In implementation, the authentication result information can be carried by extending the values of Server Assignment Type in the SAR. The authentication result information can be: authentication failed; authentication failed, keep the S-CSCF name; authentication failed, do not keep the S-CSCF name. This embodiment adds two new operation types to illustrate how the HSS can choose whether to keep the S-CSCF name when the S-CSCF indicates that authentication of the UE has failed.
The form and values of the two added SAR operation types are as follows:
AUTHENTICATION_FAILURE_STORE_SERVER_NAME (12): indicates failure because the UE's authentication result was incorrect;
AUTHENTICATION_TIMEOUT_STORE_SERVER_NAME (13): indicates failure because no authentication response was received from the UE.
As the embodiments show, the two new operation types can also take other forms and values, and the scheme is not limited to these two operation types; the purpose is the same, namely that the HSS can decide whether to keep the S-CSCF name according to the operation type that carries the authentication result information.
After the S-CSCF's authentication of the UE fails, or the UE's authentication of the network fails, the S-CSCF uses these two new operation types to indicate to the HSS that it can choose whether to keep the S-CSCF name. If the HSS decides to keep the S-CSCF name, it only clears the authentication-pending flag recorded for the IMPI being authenticated and returns the success code DIAMETER_SUCCESS or another return code, for example a newly defined DIAMETER_SUCCESS_SERVER_NAME_STORED (2005) that tells the S-CSCF the HSS has kept the S-CSCF name. If the HSS does not keep the S-CSCF name, it returns the DIAMETER_SUCCESS_SERVER_NAME_NOT_STORED return code, or another return code, to notify the S-CSCF of the operation result. On receiving the return value indicating that the HSS did not keep the S-CSCF name, the S-CSCF should delete the user's corresponding data.
Fig. 6 is a schematic diagram of the flow in which UE registration fails authentication in the network. In combination with the above description, as shown, the flow comprises the following steps:
Step 601: the UE sends a REGISTER message to the network;
Step 602: the P-CSCF forwards the REGISTER request to the I-CSCF of the UE's home network;
Step 603: on receiving the REGISTER message, the I-CSCF places the IMPU from the To header field of the message in the Public User Identity of a UAR and the username from the Authorization header field in the Private User Identity of the UAR, and asks the HSS for the name of the S-CSCF already assigned to this user or for the capability set of the S-CSCF needed to serve this user;
Step 604: on receiving the UAR message, the HSS queries its internal database by the IMPU and IMPI in the message, and then returns to the I-CSCF, in a UAA, the name of the S-CSCF assigned to this user or the capability set information;
Step 605: the I-CSCF selects a serving S-CSCF for the user according to the S-CSCF capability set, or according to the S-CSCF name returned by the HSS, and forwards the REGISTER message to that S-CSCF;
Step 606: on receiving the REGISTER message, the S-CSCF places the IMPU from the To header field of the registration message in the Public User Identity of a MAR and the username from the Authorization header field in the Private User Identity of the MAR, and requests the user's authentication data from the HSS;
Step 607: the HSS obtains the corresponding authentication data according to the user's IMPI in the MAR and returns it to the S-CSCF in an MAA, and at the same time sets the authentication-pending flag for this IMPI;
Step 608: the S-CSCF sends a 401 authentication challenge to the UE via the I-CSCF, containing a random challenge (RAND) and a network authentication token (AUTN); the cipher key and integrity key are delivered to the P-CSCF, which uses them to set up a security association with the UE that integrity-protects subsequent signalling;
Step 609: the I-CSCF forwards the 401 authentication challenge to the P-CSCF;
Step 610: the P-CSCF forwards the 401 authentication challenge to the UE;
Step 611: the UE verifies the network's authentication token using the key and authentication algorithm in the ISIM card and produces an authentication response (RES). The P-CSCF and the UE set up the security association using the CK and IK, and the UE sends a REGISTER message carrying the authentication result RES to the network over this security association;
Step 612: the P-CSCF forwards the REGISTER message sent by the UE to the I-CSCF;
Step 613: the I-CSCF forwards the REGISTER message sent by the UE to the S-CSCF;
Everything up to step 613 is the same as in the prior art: the UE initiates a registration request; the I-CSCF selects an S-CSCF according to the S-CSCF name returned by the HSS or the capability set of the S-CSCF needed, and passes the registration message to the S-CSCF. After obtaining authentication data from the HSS, the S-CSCF sends an authentication challenge to the UE; the UE and the P-CSCF set up a security association using the authentication parameters CK and IK; the UE authenticates the network and carries the authentication result to the S-CSCF in a REGISTER message.
Step 614: the S-CSCF compares the authentication result RES in the REGISTER message with the expected authentication result; if they do not match, it determines that authentication of the UE has failed. Likewise, if the authentication response message from the UE has still not been received when the timer set by the S-CSCF expires, the S-CSCF determines that authentication of the UE has failed;
Step 615: (1) if authentication failed because the authentication results did not match, the S-CSCF fills the Server Assignment Type in the SAR with AUTHENTICATION_FAILURE_STORE_SERVER_NAME or AUTHENTICATION_FAILURE to indicate the failure to the HSS. The difference between the two operation types is that AUTHENTICATION_FAILURE_STORE_SERVER_NAME is used by the S-CSCF to indicate to the HSS that authentication of the UE failed and to instruct the HSS to keep the S-CSCF name, whereas AUTHENTICATION_FAILURE only indicates to the HSS that authentication of the UE failed;
(2) if authentication failed because the timer expired, the S-CSCF fills the Server Assignment Type in the SAR with AUTHENTICATION_TIMEOUT_STORE_SERVER_NAME or AUTHENTICATION_TIMEOUT to indicate the failure to the HSS. The difference between the two operation types is that AUTHENTICATION_TIMEOUT_STORE_SERVER_NAME is used by the S-CSCF to indicate to the HSS that authentication of the UE failed and to instruct the HSS to keep the S-CSCF name, whereas AUTHENTICATION_TIMEOUT only indicates to the HSS that authentication of the UE failed;
Step 616: on receiving the SAR message indicating that authentication of the UE failed, the HSS clears the authentication-pending flag for this UE's IMPI. If the operation type is AUTHENTICATION_FAILURE_STORE_SERVER_NAME or AUTHENTICATION_TIMEOUT_STORE_SERVER_NAME, the HSS decides according to this message whether to keep the S-CSCF name. If it keeps the name, it returns the success code DIAMETER_SUCCESS or another return code, for example a newly defined DIAMETER_SUCCESS_SERVER_NAME_STORED (2005) that tells the S-CSCF the HSS has kept the S-CSCF name; if it does not keep the name, it returns DIAMETER_SUCCESS_SERVER_NAME_NOT_STORED, or another return code, to notify the S-CSCF of the operation result. On receiving the return value indicating that the HSS did not keep the S-CSCF name, the S-CSCF can delete the user's corresponding data;
Step 617: the S-CSCF returns a 403 response to the I-CSCF, indicating authentication failure;
Step 618: the I-CSCF returns a 403 response to the P-CSCF, indicating authentication failure;
Step 619: the P-CSCF returns a 403 response to the UE, indicating authentication failure.
Among another embodiment, can also not implement, but after HSS obtained the authentication result information content and is failed authentication, HSS determined whether preserving the S-CSCF name according to the self memory strategy by the mode that increases new SAR action type.That is, when HSS receives the SAR message of S-CSCF indication failed authentication, own name of selecting whether to preserve S-CSCF according to the strategy that is provided with.If HSS has preserved the name of S-CSCF, just by return success sign indicating number DIAMETER_SUCCESS or other return code, such as a DIAMETER_SUCCESS_SERVER_NAME_STORED of redetermination (2005) indication S-CSCF, HSS has preserved the name of S-CSCF; If HSS does not preserve the name of S-CSCF, just return DIAMETER_SUCCESS_SERVER_NAME_NOT_STORED return code or other return code notice S-CSCF, S-CSCF is receiving that HSS can be with the corresponding data deletion of user after not preserving the return value of S-CSCF name.
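The following sketch models steps 615 to 619 and the alternative embodiment as a small state machine; it is an added illustration, not code from the patent. The class names, the `local_policy` and `second_policy` hooks, the string enum values and the sample identities are assumptions; only the Server Assignment Type and return-code names come from the text above.

```python
from enum import Enum


class AssignmentType(Enum):
    # Server-Assignment-Type values named on the page (numeric codes left out).
    AUTHENTICATION_FAILURE = "failure"
    AUTHENTICATION_TIMEOUT = "timeout"
    AUTHENTICATION_FAILURE_STORE_SERVER_NAME = "failure+store"
    AUTHENTICATION_TIMEOUT_STORE_SERVER_NAME = "timeout+store"


class ResultCode(Enum):
    DIAMETER_SUCCESS_SERVER_NAME_STORED = "stored"
    DIAMETER_SUCCESS_SERVER_NAME_NOT_STORED = "not stored"


STORE_TYPES = {AssignmentType.AUTHENTICATION_FAILURE_STORE_SERVER_NAME,
               AssignmentType.AUTHENTICATION_TIMEOUT_STORE_SERVER_NAME}


class HSS:
    def __init__(self, local_policy=None, second_policy=None):
        self.auth_pending = set()  # IMPIs flagged as being authenticated
        self.server_name = {}      # IMPI -> stored S-CSCF name
        # Hypothetical hooks: local_policy decides for the plain types (the
        # alternative embodiment); second_policy may veto a STORE_* request.
        self.local_policy = local_policy or (lambda impi, kind: False)
        self.second_policy = second_policy or (lambda impi, kind: True)

    def handle_sar(self, impi, scscf_name, kind):
        self.auth_pending.discard(impi)  # step 616: clear the in-progress flag
        if kind in STORE_TYPES:
            store = self.second_policy(impi, kind)
        else:
            store = self.local_policy(impi, kind)
        if store:
            self.server_name[impi] = scscf_name
            return ResultCode.DIAMETER_SUCCESS_SERVER_NAME_STORED
        # Assumption: "not stored" also drops a name recorded earlier.
        self.server_name.pop(impi, None)
        return ResultCode.DIAMETER_SUCCESS_SERVER_NAME_NOT_STORED


class SCSCF:
    def __init__(self, name, hss):
        self.name, self.hss = name, hss
        self.user_data = {}  # IMPI -> data held for the registration attempt

    def on_auth_failure(self, impi, timed_out, ask_store):
        # Step 615: the cause and the store request select the assignment type.
        table = {(False, False): AssignmentType.AUTHENTICATION_FAILURE,
                 (False, True): AssignmentType.AUTHENTICATION_FAILURE_STORE_SERVER_NAME,
                 (True, False): AssignmentType.AUTHENTICATION_TIMEOUT,
                 (True, True): AssignmentType.AUTHENTICATION_TIMEOUT_STORE_SERVER_NAME}
        result = self.hss.handle_sar(impi, self.name, table[(timed_out, ask_store)])
        if result is ResultCode.DIAMETER_SUCCESS_SERVER_NAME_NOT_STORED:
            self.user_data.pop(impi, None)  # keep S-CSCF and HSS consistent
        return 403, result  # steps 617-619: the 403 travels back towards the UE


def stale_holders(hss, scscfs, impi):
    """S-CSCFs that still hold data for impi although the HSS does not name them."""
    return [s.name for s in scscfs
            if impi in s.user_data and hss.server_name.get(impi) != s.name]


if __name__ == "__main__":
    hss = HSS()
    a = SCSCF("sip:scscf-a.example.invalid", hss)  # constructed names
    impi = "alice@example.invalid"
    hss.auth_pending.add(impi)
    a.user_data[impi] = {"note": "constructed"}
    print(a.on_auth_failure(impi, timed_out=True, ask_store=False))
    print(stale_holders(hss, [a], impi))
```

`stale_holders` is the consistency check an operator would care about: it stays empty only when every S-CSCF that received a "not stored" result has deleted the user's data.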
An embodiment of the invention also provides a user authentication processing system; embodiments of the system are described below with reference to the accompanying drawings.
Fig. 7 is a schematic structural diagram of the user authentication processing system. As shown in the figure, the system comprises a UE, an HSS, an S-CSCF, a sending module and a storage module, wherein:
The S-CSCF is used to determine whether authentication of the UE has failed;
The sending module is connected to the S-CSCF and is used to send authentication result information to the HSS after the S-CSCF determines that authentication of the UE has failed;
The storage module is connected to the HSS and is used to decide, according to the content of the authentication result information sent by the sending module, whether to store the S-CSCF name.
The S-CSCF may include an authentication unit, used to determine authentication failure according to the S-CSCF's failure to authenticate the UE, or the UE's failure to authenticate the network.
The sending module may include a carrying unit and a sending unit, wherein:
The carrying unit carries the authentication result information in a SAR message; the sending unit sends the authentication result information carried by the carrying unit to the HSS.
The storage module may include a first recognition unit, a second recognition unit, a third recognition unit and a storage unit, wherein:
The first recognition unit is used to decide, according to a first session policy, whether to trigger the storage unit to store the S-CSCF name after recognizing that the content of the authentication result information is authentication failure.
The second recognition unit is used to trigger the storage unit to store the S-CSCF name after recognizing that the content of the authentication result information is "authentication failure, store the S-CSCF name";
The third recognition unit is used not to trigger the storage unit to store the S-CSCF name after recognizing that the content of the authentication result information is "authentication failure, do not store the S-CSCF name";
The storage unit is used to store the S-CSCF name.
The storage module may further include a policy unit connected to the second recognition unit, used to store a second policy;
The second recognition unit is then used to decide, according to the second session policy, whether to trigger the storage unit to store the S-CSCF name after recognizing that the content of the authentication result information is "authentication failure, store the S-CSCF name".
An implementation may also include a feedback module connected to the HSS and a deletion module connected to the S-CSCF, wherein:
The feedback module is used to feed back to the S-CSCF the operation result of whether the S-CSCF name was stored; the deletion module is used to decide, according to the operation result fed back by the feedback module, whether to delete the user's corresponding data.
The deletion module may include a fourth recognition unit and a deletion unit, wherein:
The fourth recognition unit is used to trigger the deletion unit to delete the user's corresponding data after recognizing that the operation result is that the S-CSCF name was not stored;
The deletion unit is used to delete the user's corresponding data.
An embodiment of the invention also provides a user subscription server; embodiments of the HSS are described below with reference to the accompanying drawings.
Fig. 8 is a schematic structural diagram of the user subscription server. As shown in the figure, the HSS includes a storage module, which decides according to the content of the authentication result information whether to store the S-CSCF name; the authentication result information is the information sent to the HSS after the S-CSCF determines that authentication of the UE has failed.
The storage module may include a first recognition unit, a second recognition unit, a third recognition unit and a storage unit, wherein:
The first recognition unit is used to decide, according to a session policy, whether to trigger the storage unit to store the S-CSCF name after recognizing that the content of the authentication result information is authentication failure.
The second recognition unit is used to trigger the storage unit to store the S-CSCF name after recognizing that the content of the authentication result information is "authentication failure, store the S-CSCF name";
The third recognition unit is used not to trigger the storage unit to store the S-CSCF name after recognizing that the content of the authentication result information is "authentication failure, do not store the S-CSCF name";
The storage unit is used to store the S-CSCF name.
The storage module may further include a policy unit connected to the second recognition unit, used to store a second policy;
The second recognition unit is then used to decide, according to the second session policy, whether to trigger the storage unit to store the S-CSCF name after recognizing that the content of the authentication result information is "authentication failure, store the S-CSCF name".
The HSS may further include:
A feedback module, used to feed back to the S-CSCF the operation result of whether the S-CSCF name was stored; the S-CSCF decides according to the operation result whether to delete the user's corresponding data.
An embodiment of the invention also provides a service call session control function server; embodiments of the server are described below with reference to the accompanying drawings.
Fig. 9 is a schematic structural diagram of the service call session control function server. As shown in the figure, the S-CSCF includes a deletion module, used to decide according to an operation result whether to delete the user's corresponding data; the operation result is the result, fed back by the HSS, of whether the S-CSCF name was stored.
The deletion module may include a fourth recognition unit and a deletion unit, wherein:
The fourth recognition unit is used to trigger the deletion unit to delete the user's corresponding data after recognizing that the operation result is that the S-CSCF name was not stored;
The deletion unit is used to delete the user's corresponding data.
As can be seen from the above description, with the embodiments of the invention the HSS stores the S-CSCF name after UE registration fails. This avoids introducing an unnecessary I-CSCF selection of an S-CSCF during UE registration, unregistered terminating calls, and unregistered originating calls initiated by an AS on behalf of the UE, so unnecessary routing detours, delay and the like no longer need to be introduced.
Specifically, as the foregoing embodiments show, by extending the values of Server Assignment Type in the SAR, the authentication result information that the S-CSCF sends to the HSS can be carried by adding new operation types, so that the HSS can decide whether to store the S-CSCF name according to the indication in the authentication result information. That is, when authentication of the UE fails because the authentication result is incorrect or because the authentication response of the UE is not received, the HSS can choose whether to store the S-CSCF name;
Further, the HSS can notify the S-CSCF of the operation result of whether the S-CSCF name was stored, and the S-CSCF can delete the user's corresponding data after receiving the return value indicating that the HSS has not stored the S-CSCF name. Because only one S-CSCF may be assigned to a user in the IMS network, this deletion ensures consistency of data between the S-CSCF and the HSS and prevents the original S-CSCF from still retaining this user's data when the user registers on another S-CSCF.
Obviously, those skilled in the art can make various changes and modifications to the invention without departing from its spirit and scope. Thus, if these changes and modifications fall within the scope of the claims of the invention and their equivalent technologies, the invention is also intended to include them.

Claims (22)

1. A user authentication processing method, characterized by comprising the following steps:
A service call session control function entity determines that authentication of a user equipment has failed;
The service call session control function entity sends authentication result information to a user subscription server;
The user subscription server decides, according to the content of the authentication result information, whether to store the name of the service call session control function entity.
2. The method of claim 1, characterized in that the authentication failure comprises failure of the service call session control function entity to authenticate the user equipment, or failure of the user equipment to authenticate the network.
3. The method of claim 1, characterized in that the service call session control function entity carries the authentication result information in a server assignment request message and sends it to the user subscription server.
4. The method of claim 3, characterized in that the service call session control function entity carries the authentication result information in the Server Assignment Type of the server assignment request message.
5. The method of claim 1, characterized in that, when the content of the authentication result information is authentication failure, the user subscription server decides according to a first session policy whether to store the service call session control function entity name.
6. The method of claim 1, characterized in that, when the content of the authentication result information is "authentication failure, store the service call session control function entity name", the user subscription server stores the service call session control function entity name;
When the content of the authentication result information is "authentication failure, do not store the service call session control function entity name", the user subscription server does not store the service call session control function entity name.
7. The method of claim 6, characterized by further comprising the following step:
When the content of the authentication result information is "authentication failure, store the service call session control function entity name", the user subscription server decides according to a second session policy whether to store the service call session control function entity name.
8. The method of claim 1, 5, 6 or 7, characterized by further comprising the following steps:
The user subscription server feeds back to the service call session control function entity the operation result of whether the service call session control function entity name was stored;
The service call session control function entity decides, according to the operation result fed back, whether to delete the user's corresponding data.
9. The method of claim 8, characterized in that, when the operation result of the user subscription server is that the service call session control function entity name was not stored, the service call session control function entity deletes the user's corresponding data.
10. A user authentication processing system, comprising a user equipment, a user subscription server, and a service call session control function entity used to determine whether authentication of the user equipment has failed, characterized by further comprising:
A sending module, used to send authentication result information to the user subscription server after the service call session control function entity determines that authentication of the user equipment has failed;
A storage module, used to decide, according to the content of the authentication result information sent by the sending module, whether to store the service call session control function entity name.
11. The system of claim 10, characterized in that the service call session control function entity comprises an authentication unit, used to determine authentication failure according to failure of the service call session control function entity to authenticate the user equipment, or failure of the user equipment to authenticate the network.
12. The system of claim 10, characterized in that the sending module comprises:
A carrying unit, used to carry the authentication result information in a server assignment request message;
A sending unit, used to send the authentication result information carried by the carrying unit to the user subscription server.
13. The system of claim 10, characterized in that the storage module comprises a first recognition unit, a second recognition unit, a third recognition unit and a storage unit, wherein:
The first recognition unit is used to decide, according to a first session policy, whether to trigger the storage unit to store the service call session control function entity name after recognizing that the content of the authentication result information is authentication failure;
The second recognition unit is used to trigger the storage unit to store the service call session control function entity name after recognizing that the content of the authentication result information is "authentication failure, store the service call session control function entity name";
The third recognition unit is used not to trigger the storage unit to store the service call session control function entity name after recognizing that the content of the authentication result information is "authentication failure, do not store the service call session control function entity name";
The storage unit is used to store the service call session control function entity name.
14. The system of claim 13, characterized in that the storage module further comprises a policy unit, connected to the second recognition unit and used to store a second policy;
The second recognition unit is used to decide, according to the second session policy, whether to trigger the storage unit to store the service call session control function entity name after recognizing that the content of the authentication result information is "authentication failure, store the service call session control function entity name".
15. The system of claim 10, characterized by further comprising:
A feedback module, connected to the user subscription server and used to feed back to the service call session control function entity the operation result of whether the service call session control function entity name was stored;
A deletion module, connected to the service call session control function entity and used to decide, according to the operation result fed back by the feedback module, whether to delete the user's corresponding data.
16. The system of claim 15, characterized in that the deletion module comprises a fourth recognition unit and a deletion unit, wherein:
The fourth recognition unit is used to trigger the deletion unit to delete the user's corresponding data after recognizing that the operation result is that the service call session control function entity name was not stored;
The deletion unit is used to delete the user's corresponding data.
17. A user subscription server, characterized by comprising:
A storage module, used to decide according to the content of authentication result information whether to store the service call session control function entity name, the authentication result information being the information sent to the user subscription server after the service call session control function entity determines that authentication of the user equipment has failed.
18. The user subscription server of claim 17, characterized in that the storage module comprises a first recognition unit, a second recognition unit, a third recognition unit and a storage unit, wherein:
The first recognition unit is used to decide, according to a session policy, whether to trigger the storage unit to store the service call session control function entity name after recognizing that the content of the authentication result information is authentication failure;
The second recognition unit is used to trigger the storage unit to store the service call session control function entity name after recognizing that the content of the authentication result information is "authentication failure, store the service call session control function entity name";
The third recognition unit is used not to trigger the storage unit to store the service call session control function entity name after recognizing that the content of the authentication result information is "authentication failure, do not store the service call session control function entity name";
The storage unit is used to store the service call session control function entity name.
19. The user subscription server of claim 18, characterized in that the storage module further comprises a policy unit, connected to the second recognition unit and used to store a second policy;
The second recognition unit is used to decide, according to the second session policy, whether to trigger the storage unit to store the service call session control function entity name after recognizing that the content of the authentication result information is "authentication failure, store the service call session control function entity name".
20. The user subscription server of claim 17, characterized by further comprising:
A feedback module, used to feed back to the service call session control function entity the operation result of whether the service call session control function entity name was stored, the service call session control function entity deciding according to the operation result whether to delete the user's corresponding data.
21. A service call session control function server, characterized by comprising a deletion module, used to decide according to an operation result whether to delete the user's corresponding data, the operation result being the result, fed back by the user subscription server, of whether the service call session control function entity name was stored.
22. The service call session control function server of claim 21, characterized in that the deletion module comprises a fourth recognition unit and a deletion unit, wherein:
The fourth recognition unit is used to trigger the deletion unit to delete the user's corresponding data after recognizing that the operation result is that the service call session control function entity name was not stored;
The deletion unit is used to delete the user's corresponding data.
CNA2007100982880A 2007-04-25 2007-04-25 User authentication processing method, system and server Pending CN101296500A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2007100982880A CN101296500A (en) 2007-04-25 2007-04-25 User authentication processing method, system and server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNA2007100982880A CN101296500A (en) 2007-04-25 2007-04-25 User authentication processing method, system and server

Publications (1)

Publication Number Publication Date
CN101296500A true CN101296500A (en) 2008-10-29

Family

ID=40066435

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2007100982880A Pending CN101296500A (en) 2007-04-25 2007-04-25 User authentication processing method, system and server

Country Status (1)

Country Link
CN (1) CN101296500A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20081029