CN101483860A - Negotiation control method based on SIP security policy grade in IMS network - Google Patents


Publication number: CN101483860A
Authority: CN (China)
Prior art keywords: security, cscf, strategy, message, ims
Legal status: Granted (status as listed by Google Patents, not a legal conclusion)
Application number: CNA2009100778604A
Other languages: Chinese (zh)
Other versions: CN101483860B (en)
Inventors: 林闯, 罗安安, 王凯, 陈震
Current assignee: Tsinghua University
Original assignee: Tsinghua University
Priority date:
Filing date:
Publication date:
Application filed by Tsinghua University
Priority to CN2009100778604A (granted as CN101483860B)
Publication of CN101483860A
Application granted; publication of CN101483860B
Current legal status: Expired - Fee Related

Abstract

A negotiation control method based on SIP security policy grade in an IMS network provides a negotiation control mechanism for Session Initiation Protocol (SIP) security policy grades in the IP Multimedia Subsystem (IMS). The method belongs to the field of network security protection and access control technology and comprises two aspects: 1) according to the IMS technical specifications, different security mechanisms are combined into security protection policies ordered from weak to strong, giving a complete and unified set of IMS security policies from which the IMS network and the user equipment (UE) can carry out security negotiation and policy selection; 2) through newly defined SIP message fields and a negotiation procedure, the method gives terminal users and IMS operators a negotiation flow and SIP message field format with which to negotiate and determine the security policy for a service. As a result, operators can provide security policies of different security levels for different service types and user types, achieving personalised assurance of user service quality, reducing the resource cost brought by network security, and realising an optimal selection between network security protection and service quality assurance.

Description

Negotiation control method based on SIP security policy grade in an IMS network
Technical field
The present invention relates to a method for dividing user security policies into grades and a negotiation control method based on SIP signalling in the IP Multimedia Subsystem (IMS), and belongs to the field of network security and access control technology.
Background technology
SIP signalling
The Session Initiation Protocol (SIP) is a standard published by the Internet Engineering Task Force (IETF) in 1999 to solve signalling control on IP networks. The Third Generation Partnership Project (3GPP) selected SIP as its session control protocol, and the protocol is the core of the IMS architecture. SIP can set up audio, video and multi-party sessions and can also carry instant messages and files, allowing an operator to provide integrated services over a unified service platform and thus achieve network convergence. When a user establishes an IP connection to the IMS core network and obtains IMS services, two communication procedures mainly involve SIP signalling: the IMS registration procedure and the multimedia session establishment procedure.
IMS security requirements
According to 3GPP technical specification 33.102, IMS security requirements fall into three classes: (1) Authentication and Key Agreement (AKA), comprising mutual authentication between the user equipment (UE) and the home subscriber server (HSS) and the establishment of a pair of encryption and transmission security keys; this part is defined in Release 5 of the 3GPP IMS technical specifications. (2) IMS access security, comprising the features and mechanism definitions of network access security, such as how the UE and the IMS core network authenticate each other and how security mechanisms, algorithms and keys are negotiated. Access security provides the security association between the UE and the Proxy-Call Session Control Function (P-CSCF) server and is also responsible for confidentiality protection of SIP signalling; this part is standardised in 3GPP technical specification 33.203. (3) Network domain security, which provides confidentiality, data integrity, authentication and anti-replay protection for the IP-based message flows of the whole core network, using encryption mechanisms and protocols such as the Internet security protocol IPsec; this part is standardised in 3GPP technical specification 33.210.
IMS security mechanisms
According to the relevant 3GPP standards defining IMS security mechanisms, the mechanisms fall into five classes: authentication, confidentiality, integrity, availability and privacy. (1) Authentication: the IMS security standard requires the AKA authentication mechanism, to achieve mutual authentication between the user equipment and the home network and to provide data-origin authentication for information transmitted between network elements. (2) Confidentiality: the IMS security standard does not mandate confidentiality protection of SIP messages between the UE and the P-CSCF, recommending instead that encryption be provided at the link layer of the access network. Confidentiality protection of SIP signalling between SIP servers within a domain is optional, and confidentiality protection between network elements of the same domain is not mandatory. (3) Integrity: data integrity in network traffic is achieved by including a message authentication code (MAC) in each packet. The IMS security standard requires IPsec Encapsulating Security Payload (ESP) in transport mode between the UE and the P-CSCF and IPsec ESP in tunnel mode between IMS core network elements; the message digest algorithm MD5 or the Secure Hash Algorithm SHA-1 may be used to provide data integrity protection of the SIP signalling between them. (4) Availability: the IMS security standard does not explicitly address denial-of-service (DoS) attacks, but it defines security domains protected by security gateways, and operators may implement their own DoS protection mechanisms. Therefore, unless the operator takes corresponding measures, every network element in the IMS architecture and every server in the operations support system (OSS) may be subject to DoS attack. (5) Privacy: operators usually treat details of their network, such as the number of network elements, their performance and the capacity of the network, as sensitive business information. The P-CSCF hides this class of information from the terminal user through its proxy function. The Interrogating-CSCF (I-CSCF) server hides network topology information from other operators, for example by encrypting SIP information sent to P-CSCFs in external networks. In the IMS security framework, the hiding mechanism is optional. Table 1 summarises the security mechanisms of each layer in the IMS network in relation to each security attribute.
SIP-based policy control in IMS
An operator's most urgent requirement when using an IMS network to provide services is the ability to control all behaviour in the IMS network, so that every entity in the network operates according to the operator's rules. This means that the IMS network must run according to policies configured by the operator; in other words, the IMS network must perform corresponding policy control. Simple policy control covers items such as controlling the media type or the coding scheme; complex policies are more diverse and specific to particular services. For example, when a user requests a service from an IMS service provider, the policy may differ according to the following factors and parameters: (1) the type of service: the operator may, for the same user, apply different policies to a conference application and to a mobile network conversational service, such as different rights or different control flows; (2) the type of user, whether a restricted user, a general user or an advanced user; according to the classification scheme and user class, the policies the operator formulates differ; (3) different operators (or the same operator in different situations, such as different time periods) may also apply different policy control to the same kind of service, for example taking different control approaches for a video service or a multi-party conference.
Security grade division and security policy control in IMS
In the existing SIP standards, the SIP security mechanism agreement (Sip-Sec-Agree) mainly ensures that the UE and the P-CSCF can negotiate and adopt a common security mechanism. This leaves two problems. (1) Negotiating only the security mechanism between the UE and the P-CSCF is insufficient. According to the IMS standards and the security mechanisms summarised above, some mechanisms in access security and network domain security are optional, and this openness tends to cause compatibility problems: UEs of different versions, security mechanisms that differ between network domains, and incompatible security configurations of different operators. When IMS provides various multimedia services, it therefore needs not only the negotiation protocol for the security mechanism between the UE and the P-CSCF but also a negotiation mechanism for the security mechanisms inside the network domains, so that a complete and unified security policy composed of the individual security mechanisms is finally formed and the compatibility of IMS security is guaranteed. (2) The IMS network provides many multimedia services, and users' quality of service (QoS) requirements and security requirements are diverse: different service types and different users have different security requirements. The QoS negotiation mechanism does not fully consider network security requirements and their negotiation, and no security-related service classes are provided to satisfy users' security requirements. IMS should therefore, while guaranteeing QoS resource reservation, consider the effect of different security policies on network performance and on the end-to-end QoS indices offered to the user, and provide security policies of different security grades for different service types and user types, both satisfying personalised QoS assurance and reducing the resource overhead brought by network security, thereby realising an optimal selection between network security and QoS assurance.
Moreover, the existing SIP standards contain no formal standard for policy control and interaction flows based on SIP. In particular, there is no standard definition of security policies of different security levels, nor a negotiation control mechanism that takes both service quality and security requirements into account according to the user's service type. These two points are most important for solving the IMS network security problems described above and are necessary conditions for future IMS network security assurance and service. Besides satisfying the framework conditions analysed above, a new scheme must be clear, simple and practical, highly extensible, and its security policies must also take into account the security and trustworthiness of the whole scheme and be transparent to the user.
Summary of the invention
This scheme designs and implements an extended SIP-based control scheme in the IMS network. Its purpose is to provide a negotiation and control method for a unified security policy before the IMS core network provides multimedia services to the terminal user, and finally to determine the best configuration for network security and QoS assurance.
The present invention mainly solves two technical problems. (1) It designs a scheme for dividing IMS security protection into grades: according to the IMS technical specifications, security protection policies growing from weak to strong are selected by combining different security mechanisms, providing a complete and unified set of IMS security policies from which the IMS network and the user can select during security negotiation; the set can be further extended according to future technical specifications and has good compatibility. (2) It designs a new SIP-based security policy negotiation and control method, so that operators can provide security policies of different security grades for different service types and user types, both satisfying personalised QoS assurance and reducing the resource overhead brought by network security, thereby realising an optimal selection between network security and QoS assurance. Concretely, the scheme provides the interaction flow between the terminal user and the IMS core network and the SIP message fields, and the negotiation control mechanism designed in the present invention can provide a technical foundation for future IMS network security assurance and management.
The invention is characterized in
It is characterised in that it is based on the IP Multimedia Subsystem (IMS) defined by 3GPP technical specifications TS 33.102, TS 33.203 and TS 33.210, and is realised by the user equipment (UE) as client and the IMS Call Session Control Function (CSCF) server as server side, performing the following steps in sequence:
Step (1): while the client UE registers with its IMS home network, the client UE and the CSCF server of the server side perform the following steps in sequence:
Step (1.1): based on the security mechanism agreement Sip-Sec-Agree of the existing Session Initiation Protocol (SIP), the client UE, through the Proxy-Call Session Control Function server (P-CSCF) in its home network domain, provides the Serving-Call Session Control Function server (S-CSCF) in its home network domain with the first-hop access security mechanisms the client supports;
Step (1.2): the client UE declares that it supports the security policy negotiation service extension (Security-policy-service message header), and the S-CSCF marks this user equipment in its local database;
Step (1.3): according to the optional or mandatory intra-domain and inter-domain security mechanisms defined in the IMS technical specifications, and the security mechanisms supported by the client as stated in step (1.2), the S-CSCF combines them into seven security policies of different grades whose security protection strength grows from weak to strong. The protection strength of a policy is obtained by summing its utility values over the five security attributes authentication, confidentiality, integrity, availability and privacy. The policies serve the IMS home network domain as the overall security policy for services initiated by the client UE, to be selected as needed. The seven grades of security policy, P1 to P7, are as follows:
Security policy P1 comprises mutual authentication and registration using Authentication and Key Agreement (AKA); its security protection utility value for authentication is 2 and its availability utility value is 1, giving an overall protection strength utility value of 3;
Security policy P2 comprises mutual authentication and registration using AKA + first-hop protection using the message digest algorithm MD5; its utility value for authentication is 3, for integrity 1 and for availability 3, giving an overall protection strength utility value of 7;
Security policy P3 comprises mutual authentication and registration using AKA + first-hop protection using MD5 + inter-domain protection using both MD5 and the Triple Data Encryption Standard (3DES); its utility values for the four security attributes authentication, confidentiality, integrity and availability are 3, 2, 2 and 4 respectively, giving an overall protection strength utility value of 11;
Security policy P4 comprises mutual authentication and registration using AKA + first-hop protection using MD5 + inter-domain protection using both MD5 and 3DES + intra-domain protection using MD5; its utility values for authentication, confidentiality, integrity and availability are 3, 2, 3 and 4 respectively, giving an overall protection strength utility value of 12;
Security policy P5 comprises mutual authentication and registration using AKA + first-hop protection using the Secure Hash Algorithm SHA-1 + inter-domain protection using both SHA-1 and 3DES + intra-domain protection using SHA-1; its utility values for authentication, confidentiality, integrity and availability are 3, 2, 6 and 4 respectively, giving an overall protection strength utility value of 15;
Security policy P6 comprises mutual authentication and registration using AKA + first-hop protection using both MD5 and 3DES + inter-domain protection using both MD5 and 3DES + intra-domain protection using both MD5 and 3DES + network topology hiding; its utility values for the five security attributes authentication, confidentiality, integrity, availability and privacy are 4, 4, 3, 6 and 1 respectively, giving an overall protection strength utility value of 18;
Security policy P7 comprises mutual authentication and registration using AKA + first-hop protection using both SHA-1 and 3DES + inter-domain protection using both SHA-1 and 3DES + intra-domain protection using both SHA-1 and 3DES + network topology hiding; its utility values for authentication, confidentiality, integrity, availability and privacy are 4, 4, 6, 6 and 1 respectively, giving an overall protection strength utility value of 21. In the seven grades of security policy, "+" denotes the combination of different mechanisms;
Step (2): the client UE and the CSCF server of the server side perform the following steps in sequence to complete the service request procedure:
Step (2.1): the client UE includes the supported security policy negotiation service header Supported: Security-policy-service in the service request message, and the security policy label sec-policy in the Proxy-Require message header, indicating that this service needs a unified security policy negotiated with the S-CSCF server;
Step (2.2): after the S-CSCF server receives the service request message of step (2.1) through the P-CSCF of the home network domain, it performs the following security policy selection steps in sequence based on the user's service type:
Step (2.2.1): based on the user type, service type and operator type, and according to the security mechanisms supported as registered in steps (1.1) and (1.3), the S-CSCF recommends a security policy grade suited to this client UE;
Step (2.2.2): the S-CSCF checks whether any of the optional security mechanisms is mismatched or unrecognised; if so, it sends the security mechanism unrecognised message 411 Security Mechanism Undecipherable to the client UE, otherwise it executes step (2.2.3);
Step (2.2.3): the S-CSCF checks whether a selectable security policy exists; if not, it sends the security policy negotiation failed message 422 Security Policy Agreement Failed to the client UE, otherwise it executes step (2.2.4);
Step (2.2.4): the S-CSCF writes all security mechanisms contained in the recommended security policy into the Security-policy message header of the session response message 183 Session Progress. This header carries the labels security policy grade policyid, access security mechanism access-sec, intra-domain security mechanism intra-domain-sec and inter-domain security mechanism inter-domain-sec; the specific algorithm adopted by each security mechanism is written into the corresponding field of the header, and the message is sent to the client UE;
Step (2.3): after receiving, through the P-CSCF, the session response message sent by the S-CSCF according to step (2.2), the client UE performs the following steps in sequence:
Step (2.3.1): the client UE checks the session response message; if it is the message 411 Security Mechanism Undecipherable, indicating that the security mechanism could not be recognised, it re-executes step (2.1) and carries out the security policy negotiation procedure again;
Step (2.3.2): the client UE checks the session response message; if it is the security policy negotiation failed message 422 Security Policy Agreement Failed, indicating that the negotiation has failed, the negotiation procedure stops;
Step (2.3.3): the client UE receives the security policy message header recommended by the S-CSCF in the session response message of step (2.2.4); after confirming acceptance, it copies all contents of that header into the security policy confirmation header Security-policy-verify of the request message INVITE and sends it to the S-CSCF;
Step (2.4): after receiving the security policy confirmation header Security-policy-verify sent by the client UE, the S-CSCF compares it to confirm whether the UE accepts the security policy recommended in step (2.2.4). If they are inconsistent, step (2.2) is repeated; if they are fully consistent, the S-CSCF deletes the fields related to the security policy negotiation service extension from the service request instruction and forwards it to the corresponding application server, and at the same time, for the service type requested by this UE, provides the access protection, intra-domain protection and inter-domain protection security mechanisms according to the overall security policy negotiated beforehand.
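As an added example (not code from the patent), the following Python models the grading of P1 to P7 by summed utility values from step (1.3) and the S-CSCF/UE exchange of steps (2.1) to (2.4). The claims name only the header labels, so the "label=value;" header layout, the set-based check of UE-supported algorithms, and the operator's per-service policy window (min_grade/max_grade) are assumptions.

```python
"""Model of the policy grading of step (1.3) and the S-CSCF/UE negotiation of
steps (2.1)-(2.4). Added illustration, not the patent's own code."""
from dataclasses import dataclass
from typing import Optional, Tuple

ATTRS = ("authentication", "confidentiality", "integrity", "availability", "privacy")
KNOWN_ALGS = {"md5", "sha1", "3des"}  # mechanisms this S-CSCF can recognise (assumed)


@dataclass(frozen=True)
class Policy:
    policyid: str
    access_sec: str           # first-hop protection between UE and P-CSCF
    intra_domain_sec: str     # protection inside the home network domain
    inter_domain_sec: str     # protection between network domains
    topology_hiding: bool     # network topology hiding (privacy attribute)
    utility: Tuple[int, ...]  # utility values in ATTRS order, from the claims

    def strength(self) -> int:
        """Protection strength: sum of the utility values over the 5 attributes."""
        return sum(self.utility)

    def algorithms(self) -> set:
        """Every algorithm token the UE must support for this policy."""
        toks = set()
        for layer in (self.access_sec, self.intra_domain_sec, self.inter_domain_sec):
            toks.update(layer.split("+"))
        toks.discard("none")
        return toks


# P1..P7 as listed in step (1.3); AKA mutual authentication is part of all of them.
POLICIES = (
    Policy("P1", "none", "none", "none", False, (2, 0, 0, 1, 0)),
    Policy("P2", "md5", "none", "none", False, (3, 0, 1, 3, 0)),
    Policy("P3", "md5", "none", "md5+3des", False, (3, 2, 2, 4, 0)),
    Policy("P4", "md5", "md5", "md5+3des", False, (3, 2, 3, 4, 0)),
    Policy("P5", "sha1", "sha1", "sha1+3des", False, (3, 2, 6, 4, 0)),
    Policy("P6", "md5+3des", "md5+3des", "md5+3des", True, (4, 4, 3, 6, 1)),
    Policy("P7", "sha1+3des", "sha1+3des", "sha1+3des", True, (4, 4, 6, 6, 1)),
)


def grade_table() -> list:
    """Order the policies from weak to strong by protection strength."""
    return [(p.policyid, p.strength()) for p in sorted(POLICIES, key=Policy.strength)]


def strength_of(policyid: str) -> int:
    return next(p for p in POLICIES if p.policyid == policyid).strength()


def security_policy_header(p: Policy) -> str:
    """Security-policy header of the 183 Session Progress. The four labels are the
    claims'; the 'label=value; ' layout is an assumption."""
    return (f"Security-policy: policyid={p.policyid}; access-sec={p.access_sec}; "
            f"intra-domain-sec={p.intra_domain_sec}; inter-domain-sec={p.inter_domain_sec}")


def scscf_select(ue_mechanisms: set, min_grade: str, max_grade: str) -> Tuple[str, Optional[str]]:
    """Steps (2.2.1)-(2.2.4). min_grade/max_grade stand for the operator's
    per-service and per-user policy window (assumed representation)."""
    # (2.2.2) a mechanism the S-CSCF cannot recognise -> 411
    if ue_mechanisms - KNOWN_ALGS:
        return ("411 Security Mechanism Undecipherable", None)
    lo, hi = strength_of(min_grade), strength_of(max_grade)
    candidates = [p for p in POLICIES
                  if lo <= p.strength() <= hi and p.algorithms() <= ue_mechanisms]
    # (2.2.3) no selectable policy -> 422
    if not candidates:
        return ("422 Security Policy Agreement Failed", None)
    # (2.2.4) recommend the strongest acceptable policy in a 183
    return ("183 Session Progress", security_policy_header(max(candidates, key=Policy.strength)))


def ue_verify(response: Tuple[str, Optional[str]]) -> Optional[str]:
    """Step (2.3): on 183 the UE echoes the header verbatim as Security-policy-verify
    in the INVITE; on 411 it renegotiates and on 422 it stops (no verify is sent)."""
    status, header = response
    if not status.startswith("183"):
        return None
    return header.replace("Security-policy:", "Security-policy-verify:", 1)


def scscf_confirm(recommended: str, verify: Optional[str]) -> bool:
    """Step (2.4): accept only an exact match; any difference means step (2.2) repeats."""
    if verify is None:
        return False
    return verify.split(":", 1)[1].strip() == recommended.split(":", 1)[1].strip()


if __name__ == "__main__":
    print(grade_table())
    ue = {"md5", "3des"}                   # constructed UE offer: MD5 and 3DES, no SHA-1
    resp = scscf_select(ue, "P1", "P7")    # operator window P1..P7 for this service
    print(resp[0], resp[1])                # strongest fit is P6 (P5 and P7 need SHA-1)
    print(scscf_confirm(resp[1], ue_verify(resp)))
```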
The effects of the present invention are as follows:
(1) The present invention defines a scheme for dividing security protection into grades in the IMS network, provides a complete and unified set of IMS security policies from which IMS operators and terminal users can select during security negotiation, and can be extended according to future technical specifications.
(2) The present invention designs a SIP-based security policy negotiation and control method, used by the network operator to provide corresponding security policies for different service types and user types, satisfying personalised QoS assurance while reducing the resource overhead brought by network security, and realising an optimal selection between network security protection and service quality assurance.
Description of drawings
Fig. 1 is the security policy negotiation control flow chart of the terminal UE in the present invention.
Fig. 2 is the security policy negotiation control flow chart of the S-CSCF in the present invention.
Fig. 3 is the algorithm by which the S-CSCF divides security policy grades during IMS initialisation in the present invention.
Fig. 4 is the flow chart of security policy selection by the S-CSCF in the present invention.
Fig. 5 is the security policy negotiation control flow chart during the service request procedure in the present invention.
Embodiment
The present invention is a security policy negotiation and control method in an IMS network. The interacting entities involved are mainly the user equipment (UE) as client and the Serving-Call Session Control Function (S-CSCF) in the IMS network, between which security policy negotiation control is carried out based on the SIP message format.
The present invention defines a new SIP extension message field, the security policy negotiation service Security-policy-service, used for the security policy negotiation flow between the S-CSCF and the UE: during the registration procedure the S-CSCF provides a default security policy for the UE and checks whether the UE supports the extension of the present invention; in the service request signalling, the security policy that meets the security requirements of the service requested by this user is negotiated through Security-policy-service.
The security policy negotiation flow of the UE is shown in Fig. 1. The UE must first declare, during registration with the IMS network, that it supports the Security-policy-service extension, and provide the security mechanisms and algorithms it supports to the S-CSCF through the existing security mechanism agreement Sip-Sec-Agree, so that the S-CSCF can provide a suitable security policy. Then, during the service request procedure, the UE obtains the security policy recommended by the S-CSCF and checks whether it meets the security requirements of its service and whether the UE supports the associated security mechanisms; if it confirms acceptance, it must copy the confirmed security policy and mechanisms into the security policy confirmation message field Security-policy-verify and return it to the S-CSCF.
The security policy negotiation flow of the S-CSCF is shown in Fig. 2. After the UE registers with the IMS home network, the S-CSCF marks in its local database the UE users that have declared support for the Security-policy-service message field extension. At the same time, according to the optional or mandatory intra-domain and inter-domain security mechanisms defined in the IMS technical specifications and the access security mechanisms supported by the UE, the S-CSCF combines them into security policies of different grades of protection strength from weak to strong, applicable as the overall security policy selection of the IMS network for this UE user. Then, during the UE's service request procedure, the S-CSCF recommends the corresponding security policy and concrete mechanisms for this UE's service and sends them to the UE in the Security-policy message field of the 183 Session Progress message. After obtaining the Security-policy-verify confirming that the UE accepts this security policy, the S-CSCF deletes the fields related to the Security-policy-service extension from the service request instruction and forwards it to the corresponding application server, and at the same time, for the service type requested by the UE, provides the access protection, intra-domain protection and inter-domain protection security mechanisms according to the overall security policy negotiated beforehand.
Two kinds of negotiation failure may occur in this scheme, with two corresponding responses: 421 Security Policy Undecipherable and 422 Security Policy Agreement Failed.
421 Security Policy Undecipherable: the definition or format of the security policy does not conform to the standard, or the corresponding field cannot be recognised, so the S-CSCF cannot recognise the security policy acceptance confirmation sent by the terminal UE; in this case the S-CSCF returns "421 Security Policy Undecipherable".
422 Security Policy Agreement Failed: if the UE does not support the security policy recommended by the S-CSCF, and the S-CSCF in turn cannot satisfy the security policy sent by the UE, the S-CSCF returns the message "422 Security Policy Agreement Failed" to indicate that no consistent overall security policy can be negotiated with the terminal.
The security of the control signalling by which the UE and the S-CSCF negotiate the security policy is itself protected, for confidentiality and integrity, mainly by the default security policy of the UE during the registration procedure: the security association established by mutual authentication during registration, with the integrity key and cipher key obtained through the 3GPP AKA mechanism; see 3GPP TS 33.210 and 3GPP 33.203 for details.
The present invention involves two parts of the technical scheme within the implementation procedure described above, as follows:
(1) Scheme for dividing security protection into grades
Security policies must first be divided into grades before negotiation. The present invention defines a method for evaluating the protection strength of IMS security mechanisms and a scheme for dividing protection grades. General international security evaluation standards such as ISO 17799 and ISO 15408 divide the protection strength of encryption and decryption algorithms only by key length or information sensitivity, and lack division criteria for mechanisms that are not encryption or decryption algorithms. The division scheme of the present invention calculates utility values according to the degree to which a security mechanism affects each security attribute, and from these comprehensively determines the strength and grade of a security policy; the specific algorithm is shown in Fig. 3.
First, the utility values of the different security mechanisms for the five security attributes in the IMS network (authentication, confidentiality, integrity, availability and privacy) are calculated, as in Table 2 (the concrete values are for reference only). According to the relevant security standards, the Secure Hash Algorithm SHA-1 is more protective than the message digest algorithm MD5, so for integrity protection the utility of SHA-1 is 2 and that of MD5 is 1, and adopting MD5 together with the Triple DES algorithm 3DES is more effective for confidentiality than adopting an encryption algorithm alone. Note that the weight given to a security attribute for a security mechanism only shows its utility relative to the other security mechanisms; these weights do not represent the absolute amount of security utility associated with that attribute. The utility table above therefore gives illustrative values for reference only, but it must reflect the differences in protection strength between the security mechanisms.
Second, according to the IMS network access security and network domain security specifications and the optionality of the security mechanisms, the optional security mechanisms of each layer are selected and combined into different (extensible) security policies whose security protection strength grows from weak to strong. The combination of security mechanisms must conform to the security standards defined in the 3GPP IMS technical specifications and cover the protection of the five attributes authentication, confidentiality, integrity, availability and privacy; the protection strength of a security policy is determined by summing the utilities of its security mechanisms. Finally, according to the division scheme above, the present invention provides a complete and unified set of IMS security policies from which the IMS network and the user can select during security negotiation. There is of course no unique standard for combining IMS security policies; the present invention only provides one evaluation scheme and is highly extensible.
In the reference division scheme provided by the present invention, the concrete security policy utility values are calculated as shown in Table 3, giving seven security policies {P1, P2, ..., P7}. If the P6 policy is adopted, for example, the IMS network provides for this user a mutual authentication and registration mechanism protected by AKA, first-hop security (between the UE and the P-CSCF) protected by both MD5 and 3DES, inter-domain and intra-domain security within IMS both protected by MD5+3DES encryption, and the availability protection of the network topology hiding mechanism. Note that the IMS network may adopt different security policy standards for different service types, user types and operators, but a security policy must itself be consistent: it must use a single encryption/decryption algorithm and must not combine conflicting security mechanisms.
(2) security policy negotiation and suggested design
Terminal UE user and S-CSCF negotiation safety strategy and control method relate to registration process and two processes of professional application.The present invention has defined new SIP label a: Security-policy-service, be used for security policy negotiation flow process between S-CSCF and the UE, provide the security strategy of acquiescence at registration process S-CSCF for the terminal use, and check whether UE supports expansion of the present invention; In the service request signaling, consult to meet the security strategy of this user's requested service demand for security by Security policy service.
After having divided security policy grade, must provide S-CSCF how to consult and recommend the method for suitable security strategy with UE.Idiographic flow is referring to Fig. 4, the acquisition input information comprises: the security mechanism that UE supported, the type of service that UE applied for, UE user type, S-CSCF is according to security mechanism that UE supported, if the security mechanism of UE can't be discerned, export 421 Security Mechanism Undecipherable; If can discern, according to the type of service of user type and application, in the security strategy of above-mentioned selection, select satisfactory minimum strategy again, if there is not optional strategy, still export 422 Security Policy Agreement Failed; If have, then S-CSCF is to the recommendation security strategy of this UE user applies business.
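The selection procedure just described (unrecognized mechanism, no eligible policy, otherwise the weakest eligible policy), as an added worked example in Python; it is not part of the patent. The seven policies and their per-attribute utilities are those listed for P1 to P7 in claim 1 below, and the response codes follow this description (421 and 422; claim 1 gives 411 for the first of them). How a service type and a user type translate into a required utility profile is not specified on the page, so the two small tables SERVICE_NEED and USER_MIN_STRENGTH, like the mechanism names and the service and user type names, are assumptions for illustration.

```python
from dataclasses import dataclass

ATTRS = ("auth", "conf", "integ", "avail", "priv")   # claim 1's five security attributes
KNOWN = {"AKA", "MD5", "SHA-1", "3DES"}               # first-hop mechanisms the S-CSCF can identify
HASHES = {"MD5", "SHA-1"}


@dataclass(frozen=True)
class Policy:
    pid: str
    access: frozenset    # first hop, UE <-> P-CSCF
    intra: frozenset     # inside the IMS domain
    inter: frozenset     # between IMS domains
    hiding: bool         # network topology hiding
    utility: tuple       # utilities in ATTRS order, values from claim 1

    def strength(self) -> int:
        return sum(self.utility)

    def meets(self, need: dict) -> bool:
        return all(self.utility[ATTRS.index(a)] >= v for a, v in need.items())


def _p(pid, access, intra, inter, hiding, utility):
    return Policy(pid, frozenset(access), frozenset(intra), frozenset(inter), hiding, utility)


# AKA mutual authentication + registration is part of every level, so it is not listed per policy.
POLICIES = [
    _p("P1", (), (), (), False, (2, 0, 0, 1, 0)),
    _p("P2", ("MD5",), (), (), False, (3, 0, 1, 3, 0)),
    _p("P3", ("MD5",), (), ("MD5", "3DES"), False, (3, 2, 2, 4, 0)),
    _p("P4", ("MD5",), ("MD5",), ("MD5", "3DES"), False, (3, 2, 3, 4, 0)),
    _p("P5", ("SHA-1",), ("SHA-1",), ("SHA-1", "3DES"), False, (3, 2, 6, 4, 0)),
    _p("P6", ("MD5", "3DES"), ("MD5", "3DES"), ("MD5", "3DES"), True, (4, 4, 3, 6, 1)),
    _p("P7", ("SHA-1", "3DES"), ("SHA-1", "3DES"), ("SHA-1", "3DES"), True, (4, 4, 6, 6, 1)),
]

# Assumed (not from the patent): minimum utility a service type demands per attribute.
SERVICE_NEED = {
    "voice": {"auth": 2},
    "messaging": {"auth": 3, "integ": 1},
    "payment": {"auth": 3, "conf": 2, "integ": 3},
    "private-conference": {"conf": 4, "priv": 1},
}
# Assumed (not from the patent): minimum overall strength an operator grants a user type.
USER_MIN_STRENGTH = {"prepaid": 0, "postpaid": 7, "enterprise": 12}


def is_self_consistent(p: Policy) -> bool:
    """A policy must not mix hash algorithms across its layers (one algorithm throughout)."""
    return len((p.access | p.intra | p.inter) & HASHES) <= 1


def ranked_ids():
    """Policy ids ordered from weak to strong by summed utility."""
    return [p.pid for p in sorted(POLICIES, key=Policy.strength)]


def select_policy(ue_mechanisms, service_type, user_type):
    """Fig. 4 as a function: returns (status code, reason, policy id or None).
    421 if the UE offers a mechanism the S-CSCF cannot identify, 422 if no policy
    satisfies the request, otherwise 183 with the weakest eligible policy."""
    ue = set(ue_mechanisms)
    if ue - KNOWN:
        return 421, "Security Mechanism Undecipherable", None
    need = SERVICE_NEED.get(service_type, {})
    floor = USER_MIN_STRENGTH.get(user_type, 0)
    for p in sorted(POLICIES, key=Policy.strength):
        # Only the first hop has to be implemented by the UE itself; the intra- and
        # inter-domain layers run between network elements chosen by the operator.
        if is_self_consistent(p) and p.access <= ue and p.strength() >= floor and p.meets(need):
            return 183, "Session Progress", p.pid
    return 422, "Security Policy Agreement Failed", None


if __name__ == "__main__":
    print(ranked_ids())
    print(select_policy({"AKA", "SHA-1"}, "payment", "enterprise"))
```

The ordering P1 to P7 falls out of the summed utilities (3, 7, 11, 12, 15, 18, 21), and the UE-support check is applied only to the first-hop layer, which is the part a UE actually negotiates with the P-CSCF. The is_self_consistent check enforces the rule stated above that a policy may not mix hash algorithms across layers. A deployment reusing this scheme today would assign lower utilities to MD5 and 3DES, both of which are now deprecated choices.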
All SIP messages in the present invention show only the header fields relevant to this extension; unrelated message fields are omitted. Also, although SIP header fields in IMS are required to use a compressed format to save bandwidth, for readability none of the message fields in the present invention use the compressed format. Message examples of the security policy negotiation control flow are given below:
Registration process
Suppose the terminal user (UE) supports the extension defined by this scheme and initiates a registration request to its home network. The request must indicate that this client supports security policy formulation and the related protocol and can understand the corresponding extension header fields. The registration request message of the client UE is as follows:
[REGISTER message example shown only as an image in the original (Figure A200910077860D00141); not reproduced here.]
After the S-CSCF has authenticated the user UE, it learns from Supported: Security-policy-service that this client supports the extension defined by the present invention, and it marks this user in its local database so that the required security policy can be negotiated with the terminal user when a session is established later. The security policy IMS applies to the UE after registration is completed is as follows: for access security, the security mechanism agreed between the P-CSCF and the UE by the SIP security mechanism agreement (see Fig. 1); for network domain security, the default security policy of the IMS core network.
An IMS service provider may require users of its network to support the Security-policy-service extension and reject the registration request of any user that does not; this is implemented by checking whether the registration request contains Supported: Security-policy-service. Alternatively, the IMS service provider may allow users that do not support the Security-policy-service extension to register, mark these users, and restrict their access to services by some policy, for example by offering only a few basic services. The service provider may also deliver the new extension to the user terminal over the air interface: the request of a user that does not support the Security-policy-service extension is redirected to an update server by a 301 response, and once the user has installed the extension it is allowed to access the IMS network normally.
The service request process
Fig. 5 shows the signalling relevant to the present invention in the process by which a UE initiates a call request to a SIP application server. Here the UE is the SIP client, P-CSCF and S-CSCF are the SIP session control servers in the IMS network, and the Application Server is the application server in the IMS network.
Each step of this call flow and the relevant fields of the SIP messages are described in detail below:
(1) The UE requests a service from the application server AS. The SIP message includes Supported: Security-policy-service, indicating support for the extension of this patent, and the Proxy-Require message header includes the option-tag "sec-policy", indicating that the requested service must negotiate a unified security policy with the S-CSCF. The SIP message is as follows (in this patent all messages include only the necessary fields):
[INVITE message example shown only as an image in the original (Figure A200910077860D00151); not reproduced here.]
(2) The P-CSCF forwards the INVITE request to the S-CSCF, and the S-CSCF verifies from the record made at registration which extension this user supports. Because the user supports the Security-policy-service extension, Alice must negotiate a security policy with the S-CSCF before the session can be set up. Following the method of Fig. 5, the S-CSCF queries the HSS server, determines the corresponding security policy according to the type of service requested by the user and the type of user terminal, and returns a 183 Session Progress message to which it adds the Security-policy message header. This header contains the tags policyid, access-sec, intra-domain-sec and inter-domain-sec, which specify respectively the security policy ID, the access security mechanism, the intra-domain security mechanism and the inter-domain security mechanism. In the Security-policy message header, policyid is the ID number of the security policy; the security policy adopted in Fig. 5 is P5 (AKA mutual authentication + registration + first-hop protection with SHA-1 + intra-domain security with SHA-1 + inter-domain security with SHA-1 and 3DES, as defined for P5 in claim 1). The SIP message is as follows:
(3) After Alice receives the 183 Session Progress response, she checks whether the security policy suggested by the S-CSCF in the Security-policy message header is supported and whether it meets the user's security requirements. If so, she returns the Security-policy-verify message header, in which the security policy recommended by the S-CSCF is copied back verbatim, confirming acceptance of the security policy; if the security policy is considered unacceptable, she sends a message carrying "Require: sec-policy; Proxy-Require: sec-policy" again, requesting that the S-CSCF recommend another suitable security policy.
[INVITE message with Security-policy-verify shown only as an image in the original (Figure A200910077860D00161); not reproduced here.]
(4) After the S-CSCF receives the security policy confirmation sent by Alice, it checks whether the confirmation is consistent with the policy it recommended. If so, the overall security policy negotiation is complete: the S-CSCF deletes the "Supported: Security-policy-service" field from the service request sent by Alice and forwards the request to the corresponding application server; and, for Alice's terminal UE and the type of service she requested, it provides the security mechanisms for access protection, intra-domain protection and inter-domain protection according to the overall security policy just negotiated, securing Alice's service control signalling and providing a good quality of service guarantee.
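The four-step exchange above, as an added example in Python that is not the patent's own code. The header names Security-policy and Security-policy-verify, the option-tag sec-policy and the 183 Session Progress response are the ones the patent defines; the "name=value; ..." syntax inside the Security-policy header, the user and server addresses, and the rule by which the UE judges an offer acceptable are assumptions, since the page reproduces the real messages only as figures. The policy the S-CSCF recommends (P5, as in Fig. 5) is handed to the SCSCF class as its input, so step (2.2)'s selection is not repeated here.

```python
SERVICE = "Security-policy-service"   # value carried in Supported:
TAG = "sec-policy"                    # option-tag carried in Proxy-Require: / Require:
POLICY_KEYS = ("policyid", "access-sec", "intra-domain-sec", "inter-domain-sec")


def parse_sip(text):
    """Return (start line, {header name in lower case: [values]}); any body is ignored."""
    lines = text.strip("\r\n").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def build_sip(start_line, headers):
    fields = "".join(f"{k}: {v}\r\n" for k, vals in headers.items() for v in vals)
    return f"{start_line}\r\n{fields}\r\n"


def policy_header(policy):
    """Encode (policyid, access, intra, inter) as a Security-policy value (assumed syntax)."""
    return "; ".join(f"{k}={v}" for k, v in zip(POLICY_KEYS, policy))


def parse_policy_header(value):
    kv = dict(item.strip().split("=", 1) for item in value.split(";") if "=" in item)
    return tuple(kv.get(k) for k in POLICY_KEYS)


def ue_invite(caller, callee, verify=None, retry=False):
    """Step (1): INVITE with Supported: and Proxy-Require: sec-policy. Step (3): the same
    request carrying Security-policy-verify (accept) or Require: sec-policy (ask again)."""
    h = {"From": [caller], "To": [callee], "Supported": [SERVICE], "Proxy-Require": [TAG]}
    if verify is not None:
        h["Security-policy-verify"] = [verify]
    elif retry:
        h["Require"] = [TAG]
    return build_sip(f"INVITE {callee} SIP/2.0", h)


def ue_check_offer(response, first_hop_supported, acceptable_ids):
    """Step (3), with an assumed acceptance rule: the UE supports every first-hop
    mechanism offered and the level is one its security demand allows. Returns the
    verify value (a verbatim copy of the offer) or None."""
    _, h = parse_sip(response)
    offer = h.get("security-policy", [None])[0]
    if offer is None:
        return None
    pid, access, _, _ = parse_policy_header(offer)
    if pid in acceptable_ids and set(access.split(",")) <= set(first_hop_supported):
        return offer
    return None


class SCSCF:
    def __init__(self, registered_with_extension, recommendation):
        self.registered = set(registered_with_extension)  # step (1.2): users marked at registration
        self.recommendation = recommendation              # step (2.2): policy chosen for this user/service
        self.forwarded = []                               # requests handed on to the application server

    def handle_invite(self, request):
        start, h = parse_sip(request)
        user = h.get("from", [""])[0]
        if user not in self.registered or TAG not in h.get("proxy-require", []):
            return self._forward(start, h)   # no negotiation requested by this user
        verify = h.get("security-policy-verify")
        if verify is None or parse_policy_header(verify[0]) != self.recommendation:
            # step (2.2.4) first offer, or step (2.4) mismatch: (re)send the recommendation
            return build_sip("SIP/2.0 183 Session Progress",
                             {"Security-policy": [policy_header(self.recommendation)]})
        # step (2.4) match: remove the extension's fields, then pass the request to the AS
        h["supported"] = [v for v in h.get("supported", []) if v.lower() != SERVICE.lower()]
        h["proxy-require"] = [v for v in h.get("proxy-require", []) if v != TAG]
        del h["security-policy-verify"]
        return self._forward(start, {k: v for k, v in h.items() if v})

    def _forward(self, start, h):
        msg = build_sip(start, h)
        self.forwarded.append(msg)
        return msg


def run_flow(tamper=False, acceptable=("P5", "P6", "P7")):
    """One negotiation for a constructed user; returns (offered policy id, number of
    requests forwarded to the AS, last message produced by the S-CSCF)."""
    alice, callee = "sip:alice@example.com", "sip:as@example.com"    # assumed addresses
    scscf = SCSCF({alice}, ("P5", "SHA-1", "SHA-1", "SHA-1,3DES"))  # P5 as in Fig. 5 / claim 1
    offer_resp = scscf.handle_invite(ue_invite(alice, callee))
    offered = parse_policy_header(parse_sip(offer_resp)[1]["security-policy"][0])[0]
    verify = ue_check_offer(offer_resp, {"SHA-1", "MD5"}, acceptable)
    if verify is None:                       # UE rejects the offer: ask the S-CSCF again
        final = scscf.handle_invite(ue_invite(alice, callee, retry=True))
    else:
        if tamper:                           # on-path downgrade attempt rewriting the echoed policy
            verify = verify.replace("P5", "P1")
        final = scscf.handle_invite(ue_invite(alice, callee, verify=verify))
    return offered, len(scscf.forwarded), final
```

Because the UE echoes the whole recommendation back in Security-policy-verify, the S-CSCF can compare it field by field with what it sent: a modified echo (the tamper case) or a rejection simply produces another 183 and nothing reaches the application server, while an exact match causes the extension's own fields to be stripped so the AS never sees the negotiation.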
Tables 1 to 3 follow:
Table 1. Security mechanisms at each layer of IMS in the prior art
[Table shown only as an image in the original (Figure A200910077860D00171); not reproduced here.]
Table 2. Utility of each security mechanism for the corresponding security attributes
[Table shown only as an image in the original (Figure A200910077860D00172); not reproduced here.]
Table 3. Utility values of the security policies of different levels for the security attributes
[Table shown only as an image in the original (Figure A200910077860D00181); not reproduced here.]

Claims (1)

1. A negotiation control method based on SIP security policy level in an IMS network, characterized in that it is based on the IP Multimedia Subsystem IMS defined in technical specifications TS 33.102, TS 33.203 and TS 33.210 of the 3rd Generation Partnership Project 3GPP, and is carried out in the following steps in sequence by a user equipment UE acting as the client and an IMS call session control function CSCF server acting as the server side:
Step (1): when the client UE registers with its IMS home network, the client UE and the CSCF server of the server side perform the following steps in sequence:
Step (1.1): based on the security mechanism agreement Sip-Sec-Agree of the existing session initiation protocol SIP, the client UE provides, through the proxy call session control function server P-CSCF in its home network domain, the first-hop access security mechanisms supported by the client to the serving call session control function server S-CSCF in its home network domain,
Step (1.2): the client UE declares that it supports the extension of the security policy negotiation service Security-policy-service message header, and the S-CSCF marks this user equipment information in its local database,
Step (1.3): the S-CSCF combines the optional or mandatory intra-domain and inter-domain security mechanisms defined in the IMS technical specifications with the security mechanisms supported by the client in step (1.2) into a total of seven security policies of different levels whose security protection strength grows from weak to strong; the protection strength is obtained by computing the sum of the policy's utility values over the five security attributes of authentication, confidentiality, integrity, availability and privacy; the policies are used for the selective adoption of an overall security policy when the client UE initiates a service in the IMS home network domain; the seven levels of security policy P1 to P7 are as follows:
Security policy P1 comprises mutual authentication + registration using Authentication and Key Agreement AKA; its security protection utility for authentication is 2 and for availability 1, and the overall protection strength utility is 3,
Security policy P2 comprises mutual authentication + registration using AKA + first-hop security protection using the message digest algorithm MD5; its utility for authentication is 3, for integrity 1 and for availability 3, and the overall protection strength utility is 7,
Security policy P3 comprises mutual authentication + registration using AKA + first-hop security protection using MD5 + inter-domain security protection using MD5 together with the triple data encryption standard 3DES; its utilities for the four security attributes authentication, confidentiality, integrity and availability are 3, 2, 2 and 4 respectively, and the overall protection strength utility is 11,
Security policy P4 comprises mutual authentication + registration using AKA + first-hop security protection using MD5 + inter-domain security protection using MD5 together with 3DES + intra-domain security protection using MD5; its utilities for the four security attributes authentication, confidentiality, integrity and availability are 3, 2, 3 and 4 respectively, and the overall protection strength utility is 12,
Security policy P5 comprises mutual authentication + registration using AKA + first-hop security protection using the secure hash algorithm SHA-1 + inter-domain security protection using SHA-1 together with 3DES + intra-domain security protection using SHA-1; its utilities for the four security attributes authentication, confidentiality, integrity and availability are 3, 2, 6 and 4 respectively, and the overall protection strength utility is 15,
Security policy P6 comprises mutual authentication + registration using AKA + first-hop security protection using MD5 together with 3DES + inter-domain security protection using MD5 together with 3DES + intra-domain security protection using MD5 together with 3DES + network topology hiding; its utilities for the five security attributes authentication, confidentiality, integrity, availability and privacy are 4, 4, 3, 6 and 1 respectively, and the overall protection strength utility is 18,
Security policy P7 comprises mutual authentication + registration using AKA + first-hop security protection using SHA-1 together with 3DES + inter-domain security protection using SHA-1 together with 3DES + intra-domain security protection using SHA-1 together with 3DES + network topology hiding; its utilities for the five security attributes authentication, confidentiality, integrity, availability and privacy are 4, 4, 6, 6 and 1 respectively, and the overall protection strength utility is 21,
In the seven levels of security policy, "+" denotes the combination of different mechanisms;
Step (2): the client UE and the CSCF server of the server side perform the following steps in sequence to complete the service request process:
Step (2.1): the client UE includes the security policy negotiation service support message Supported: Security-policy-service in the service request message, and includes the security policy tag sec-policy in the proxy request Proxy-Require message header, indicating that this service needs a unified security policy negotiated with the S-CSCF server,
Step (2.2): after the S-CSCF server receives the service request message of step (2.1) through the P-CSCF of the home network domain, it executes the following security policy selection method, based on the user's service type, in sequence:
Step (2.2.1): the S-CSCF recommends a security policy level suited to this client UE on the basis of the user type, the service type and the operator type, according to the security mechanisms supported at registration and in steps (1.1) and (1.3),
Step (2.2.2): the S-CSCF checks whether any of the optional security mechanisms is unmatched or unrecognized; if so, it sends the security mechanism unrecognizable message 411 Security Mechanism Undecipherable to the client UE, otherwise it executes step (2.2.3),
Step (2.2.3): the S-CSCF checks whether an eligible security policy exists; if not, it sends the security policy negotiation failure message 422 Security Policy Agreement Failed to the client UE, otherwise it executes step (2.2.4),
Step (2.2.4): the S-CSCF writes all the security mechanisms contained in the recommended security policy into the security policy message header Security-policy of the session response message 183 Session Progress; this header contains the tags security policy level policyid, access security mechanism access-sec, intra-domain security mechanism intra-domain-sec and inter-domain security mechanism inter-domain-sec, the specific algorithm each mechanism adopts is written into the corresponding field of the header, and the message is sent to the client UE;
Step (2.3): after the client UE receives, through the P-CSCF, the session response message sent by the S-CSCF according to step (2.2), it performs the following steps in sequence:
Step (2.3.1): the client UE examines the session response message; if it is the security mechanism unrecognizable message 411 Security Mechanism Undecipherable, indicating that a security mechanism could not be recognized, it re-executes step (2.1) to carry out the security policy negotiation process,
Step (2.3.2): the client UE examines the session response message; if it is the security policy negotiation failure message 422 Security Policy Agreement Failed, indicating that negotiation has failed, it terminates the negotiation process,
Step (2.3.3): the client UE receives the security policy message header recommended by the S-CSCF in the session response message of step (2.2.4); after confirming acceptance, it copies all the contents of this header into the security policy confirmation message header Security-policy-verify of the request message INVITE and sends it to the S-CSCF;
Step (2.4): after the S-CSCF receives the security policy confirmation Security-policy-verify message header sent by the client UE, it compares it to confirm whether the UE accepts the security policy recommended in step (2.2.4); if they are inconsistent, it repeats step (2.2); if they are completely consistent, the S-CSCF deletes the fields relevant to the security policy negotiation service extension from the service request and forwards it to the corresponding application server, and at the same time, for the service type requested by this UE, provides the security mechanisms of access protection, intra-domain protection and inter-domain protection according to the overall security policy negotiated.
Application CN2009100778604A, priority date 2009-01-23, filing date 2009-01-23: Negotiation control method based on SIP security policy grade in IMS network; granted as CN101483860B; legal status Expired - Fee Related.

Publications (2)

CN101483860A (application publication), published 2009-07-15
CN101483860B (granted publication), published 2010-09-01

Family ID: 40880748 (one family application, CN2009100778604A, China)

Cited By (32)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2010083671A1 (en) * 2009-01-21 2010-07-29 中兴通讯股份有限公司 Network security hypertext transfer protocol negotiation method and correlated devices
US8701160B2 (en) 2009-01-21 2014-04-15 Zte Corporation Network security HTTP negotiation method and related devices
CN102316450A (en) * 2010-06-29 2012-01-11 上海贝尔股份有限公司 Group-based M2M (machine-to-machine) communication authentication method and equipment
CN102316450B (en) * 2010-06-29 2014-01-22 上海贝尔股份有限公司 Group-based M2M (machine-to-machine) communication authentication method and equipment
CN103095657A (en) * 2011-11-03 2013-05-08 中兴通讯股份有限公司 User access method and access serving router and user access system
WO2013064052A1 (en) * 2011-11-03 2013-05-10 中兴通讯股份有限公司 User access method, access service router, and user access system
US8565226B1 (en) 2012-04-23 2013-10-22 Huawei Technologies Co., Ltd. Data transmission system used between multiple servers, data interface device, and data transmission method
CN103036885A (en) * 2012-12-18 2013-04-10 迈普通信技术股份有限公司 Session initiation protocol (SIP) server overload protective system and method
CN103036885B (en) * 2012-12-18 2016-03-23 迈普通信技术股份有限公司 Sip server overload protective device and method
CN105247832A (en) * 2013-04-03 2016-01-13 赛门铁克公司 Method and apparatus for integrating security context in network routing decisions
CN105247832B (en) * 2013-04-03 2019-06-14 赛门铁克公司 Safe context is integrated into the method and apparatus in network routing decision
CN103458046A (en) * 2013-09-13 2013-12-18 中国科学院信息工程研究所 Data secrete sharing system and method based on core network
CN103458046B (en) * 2013-09-13 2016-09-07 中国科学院信息工程研究所 A kind of data secret shared system based on core network and method
CN103716192B (en) * 2013-12-31 2017-03-22 大连环宇移动科技有限公司 Non-inductive series connection device based on virtual IP
CN107231332A (en) * 2016-03-24 2017-10-03 华为技术有限公司 Security strategy determines method and device
CN109314638A (en) * 2016-07-01 2019-02-05 华为技术有限公司 Cipher key configuration and security strategy determine method, apparatus
US11057775B2 (en) 2016-07-01 2021-07-06 Huawei Technologies Co., Ltd. Key configuration method, security policy determining method, and apparatus
CN109560929A (en) * 2016-07-01 2019-04-02 华为技术有限公司 Cipher key configuration and security strategy determine method, apparatus
CN109560929B (en) * 2016-07-01 2020-06-16 华为技术有限公司 Secret key configuration and security policy determination method and device
US11689934B2 (en) 2016-07-01 2023-06-27 Huawei Technologies Co., Ltd. Key configuration method, security policy determining method, and apparatus
CN114285570A (en) * 2016-07-01 2022-04-05 华为技术有限公司 Secret key configuration and security policy determination method and device
CN106301947A (en) * 2016-08-31 2017-01-04 广州唯品会信息科技有限公司 Business information processing system and method
CN108055278A (en) * 2017-12-26 2018-05-18 杭州迪普科技股份有限公司 A kind of method and device for searching session information
CN108055278B (en) * 2017-12-26 2020-12-29 杭州迪普科技股份有限公司 Method and device for searching session information
CN109450852A (en) * 2018-10-09 2019-03-08 中国科学院信息工程研究所 Network communication encrypting and decrypting method and electronic equipment
CN109450852B (en) * 2018-10-09 2020-09-29 中国科学院信息工程研究所 Network communication encryption and decryption method and electronic equipment
CN111049810A (en) * 2019-11-28 2020-04-21 光通天下网络科技股份有限公司 Network security suite matching method, device, equipment and medium
CN112333288A (en) * 2021-01-04 2021-02-05 三盟科技股份有限公司 Intelligent classroom data safety protection method, system and readable storage medium
CN112788045A (en) * 2021-01-21 2021-05-11 杭州迪普科技股份有限公司 Safety protection method and device for network camera
CN113672985A (en) * 2021-08-25 2021-11-19 支付宝(杭州)信息技术有限公司 Machine learning algorithm script compiling method and compiler for privacy protection
CN113672985B (en) * 2021-08-25 2023-11-14 支付宝(杭州)信息技术有限公司 Machine learning algorithm script compiling method and compiler for privacy protection
CN115589321A (en) * 2022-10-11 2023-01-10 中国电信股份有限公司 Security context isolation policy negotiation method, device, equipment and storage medium

Legal Events

C06 / PB01: Publication
C10 / SE01: Entry into substantive examination (entry into force of request for substantive examination)
C14 / GR01: Patent grant (granted publication date: 2010-09-01)
CF01: Termination of patent right due to non-payment of annual fee (termination date: 2021-01-23)