CN101668016B - Authentication method and device - Google Patents


Info

Publication number
CN101668016B
Authority
CN
China
Prior art keywords
application server
authentication information
ims network
authentication
response message
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN200910174570A
Other languages
Chinese (zh)
Other versions
CN101668016A (en)
Inventor
谢国军
谢秀洪
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L 65/10 Architectures or entities
    • H04L 65/1016 IP multimedia subsystem [IMS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L 65/1066 Session management
    • H04L 65/1073 Registration or de-registration

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Telephonic Communication Services (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

Embodiments of the invention provide an authentication method and device. The method comprises the following steps: receiving an IP Multimedia Subsystem (IMS) network authentication request sent by a user equipment (UE); according to the IMS network authentication request, obtaining authentication information of an application server from a home subscriber server (HSS); and sending to the UE an IMS network authentication response message containing the authentication information of the application server, so as to trigger the UE to use that authentication information to authenticate with the application server. In the method of the embodiments, unified authentication of the IMS network and the application server is achieved by carrying the application server's authentication information in the result returned by the IMS network authentication, without the user having to intervene in the application server's authentication process. This brings great convenience to the user and to operator management; in addition, the existing IMS authentication flow is fully reused, so the method is simple to implement.

Description

Authentication method and device
Technical field
The present invention relates to the communications field, and in particular to an authentication method and device.
Background technology
In an IMS (IP Multimedia Subsystem) network, in addition to the network equipment that provides basic telecommunications services, there are many application servers that provide value-added services. Such application servers can operate independently of the IMS network, and to ensure legitimate use of the service and correct charging, many of them need to authenticate the UE (User Equipment) separately. For example, for an application server GROUP that provides address-book storage and management, regardless of whether the UE has passed IMS network authentication, the UE must supply the correct user name and password to pass GROUP's authentication before it can normally use the service GROUP provides.
Fig. 1 is the flow chart of IMS network authentication and application server authentication in the prior art. As shown in Fig. 1, S101-S104 is the standard IMS network authentication flow of the prior art; S105-S107 is the application server authentication flow of the prior art, in which S105 requires the user to enter authentication information again manually.
In the course of realizing the present invention, the inventors found at least the following deficiencies in the prior art: every authentication process requires user intervention, so automatic authentication cannot be achieved and use is inconvenient for the user; and the prior-art method cannot achieve unified authentication of the IMS network and the application server.
Summary of the invention
Embodiments of the invention provide an authentication method, an authentication information transmission method, and corresponding devices.
In one aspect, an embodiment provides an authentication method comprising: receiving an IP Multimedia Subsystem (IMS) network authentication request sent by a user equipment (UE); according to the IMS network authentication request, obtaining application server authentication information from a home subscriber server (HSS); and sending to the UE an IMS network authentication response message that includes the application server authentication information, so as to trigger the UE to use the application server authentication information to authenticate with the application server.
In another aspect, an embodiment provides an authentication information transmission method comprising:
receiving a first message sent by a call session control function (CSCF) entity, the first message including the identity of the UE requesting IMS network authentication; according to the first message, judging whether application server authentication information corresponding to the UE exists; and when application server authentication information corresponding to the UE exists, sending to the CSCF a second message that includes the application server authentication information corresponding to the UE.
In a further aspect, an embodiment provides an authentication method comprising: sending an IMS network authentication request to a CSCF entity; receiving the IMS network authentication response message sent by the CSCF, the response message carrying application server authentication information; and using the application server authentication information to authenticate with the application server.
In another aspect, an embodiment provides a CSCF entity comprising: an authentication request receiving unit, for receiving the IMS network authentication request sent by a UE; an authentication information acquiring unit, for obtaining application server authentication information from an HSS according to the IMS network authentication request; and an authentication response transmitting unit, for sending to the UE an IMS network authentication response message that includes the application server authentication information, so as to trigger the UE to use it to authenticate with the application server.
In yet another aspect, an embodiment provides a home subscriber server comprising: a receiving unit, for receiving a first message sent by a CSCF entity, the first message including the identity of the UE requesting IMS network authentication; a judging unit, for judging whether application server authentication information corresponding to the UE exists; and a transmitting unit, for sending to the CSCF, when such information exists, a second message that includes the application server authentication information corresponding to the UE.
In a last aspect, an embodiment provides a user equipment comprising: a first authentication request transmitting unit, for sending an IMS network authentication request to a CSCF entity; an authentication response receiving unit, for receiving the IMS network authentication response message sent by the CSCF, the response message carrying application server authentication information; and a second authentication request transmitting unit, for using the application server authentication information to authenticate with the application server.
In the technical solution provided by the embodiments, carrying the application server's authentication information in the result returned by the IMS network authentication achieves unified authentication of the IMS network and the application server and, at the same time, automatic authentication with the application server, i.e. the user need not intervene in the authentication process; this brings great convenience to the user and to operator management. The existing IMS network authentication flow is fully reused, so the solution is simple to implement.
Description of drawings
To illustrate the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is the flow chart of IMS network authentication and application server authentication in the prior art;
Fig. 2 is the signalling exchange flow chart of the system of Embodiment 1 of the invention;
Fig. 3 is the functional block diagram of the system of Embodiment 1;
Fig. 4 is the overall flow chart of the method of Embodiment 2;
Fig. 4a is the first detailed flow chart of the method of Embodiment 2;
Fig. 4b is the second detailed flow chart of the method of Embodiment 2;
Fig. 4c is the third detailed flow chart of the method of Embodiment 2;
Fig. 5 is the flow chart of the method of Embodiment 3;
Fig. 6 is a schematic diagram of the extended structure of the User Profile of Embodiment 3;
Fig. 7 is an example of the inline format of the User Profile of Embodiment 3;
Fig. 8 is a schematic diagram of the structure of the application server authentication information of Embodiment 3;
Fig. 9 is the definition of the Add-ons field of Embodiment 3;
Fig. 10 is the overall flow chart of the method of Embodiment 4;
Fig. 10a is the first detailed flow chart of the method of Embodiment 4;
Fig. 10b is the second detailed flow chart of the method of Embodiment 4;
Fig. 11 is the functional block diagram of the call session control function entity of Embodiment 5;
Fig. 11a is the functional block diagram of the authentication information acquiring unit of Embodiment 5;
Fig. 11b is the functional block diagram of the authentication response transmitting unit of Embodiment 5;
Fig. 12 is the functional block diagram of the home subscriber server of Embodiment 6;
Fig. 13 is the overall functional block diagram of the user equipment of Embodiment 7;
Fig. 14 is the detailed functional block diagram of the user equipment of Embodiment 7.
Embodiment
To make the purpose, technical solution and advantages of the embodiments of the invention clearer, the technical solution in the embodiments is described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the invention without creative effort fall within the scope of protection of the invention.
The application server described in the embodiments of the invention refers mainly to an application server that is independent of the IMS network and requires separate authentication; such application servers usually provide value-added services independently, for example a "WEB domain application server".
The interface between the HSS (Home Subscriber Server) and the CSCF (Call Session Control Function) includes the Cx interface, whose main functions include location management, user data download/update handling and subscriber authentication.
Embodiment 1:
Embodiment 1 of the invention provides a method and system for unified authentication of an IP Multimedia Subsystem (IMS) network and an application server.
Embodiment 1 uses existing IMS equipment and flows, suitably extended, to support unified authentication of the IMS network and the application server. That is, after the UE passes IMS network authentication, it uses the authentication information obtained during the IMS network authentication process to authenticate automatically with the other application servers it uses, without user intervention.
Fig. 2 is the signalling exchange flow chart of the system of Embodiment 1. As shown in Fig. 2, the signalling exchange flow comprises:
S201: the user equipment (UE) performs IMS network authentication by sending an IMS network authentication request to the CSCF;
The authentication algorithm may be IMS AKA (Authentication and Key Agreement), Early AKA, HTTP Digest (the HTTP digest authentication algorithm), etc.;
S202: the CSCF sends an SAR message to the HSS to obtain the subscription data (User Profile) of the UE;
S203: the HSS returns the User Profile of the UE to the CSCF through an extended SAA message. If application server authentication information associated with the corresponding IMPU (IP Multimedia Public Identity) or IRS (Implicitly Registered Set) exists, the User Profile includes the application server authentication information; otherwise it does not;
S204: the CSCF judges whether the User Profile carries application server authentication information. If not, it returns to the UE the IMS network authentication response message 200 OK as in the prior art; if so, it returns the 200 OK to the UE with the application server authentication information carried in it;
S205: on receiving the 200 OK, the UE extracts the application server authentication information;
If a P-Associated-URI (associated URI) header field is added to the 200 OK and used to carry the application server authentication information, the UE checks whether parameters such as http-username and http-token are attached in the p-aso-uri-spec list. From the first URI that has an http-username parameter it takes the http-token and the other subsequent parameters and decrypts them with CK (check bit); if the UE and the IMS network use HTTP Digest authentication, HA1 is used for decryption instead.
S206: the UE authenticates with the application server using the returned authentication information;
If the application server authenticates subscribers with the HTTP Digest method, the UE uses the HTTP username and the HTTP Token (WEB password) obtained from the IMS network to compute the Digest response and complete authentication.
S207: the application server returns the authentication result.
When the UE needs to authenticate with several application servers, S206-S207 are repeated.
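An added example, not code from the patent, of the HTTP Digest exchange in S206-S207: the UE computes the Digest response from the HTTP-Username and HTTP-Token obtained from the 200 OK, and the application server verifies it against a stored HA1 (the intermediate result the page refers to) without needing the plaintext token. The realm, nonce, request URI and the function names are assumptions; the computation follows RFC 2617.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password), the HTTP Digest intermediate the page calls HA1."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str = "", cnonce: str = "", qop: str = "") -> str:
    """RFC 2617 response: the qop=auth form mixes in nc and cnonce; otherwise the legacy form."""
    ha2 = _md5(f"{method}:{uri}")
    if qop == "auth":
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def ue_authorization(http_username: str, http_token: str, challenge: Dict[str, str],
                     method: str, uri: str, cnonce: Optional[str] = None,
                     nc: str = "00000001") -> Dict[str, str]:
    """S206 (UE side): answer the AS challenge with the credentials taken from the 200 OK.

    http_username / http_token are the HTTP-Username / HTTP-Token cells; the challenge
    dict stands in for the AS's WWW-Authenticate realm and nonce (assumed names)."""
    cnonce = cnonce or secrets.token_hex(8)
    ha1 = digest_ha1(http_username, challenge["realm"], http_token)
    return {
        "username": http_username, "realm": challenge["realm"],
        "nonce": challenge["nonce"], "uri": uri, "qop": "auth",
        "nc": nc, "cnonce": cnonce,
        "response": digest_response(ha1, method, uri, challenge["nonce"], nc, cnonce, "auth"),
    }


def as_verify(auth: Dict[str, str], stored_ha1: str, method: str, issued_nonce: str) -> bool:
    """S207 (AS side): recompute from the stored HA1 and compare in constant time.

    The AS only needs HA1 for this user/realm, so it need not keep the plaintext token."""
    if auth.get("nonce") != issued_nonce or auth.get("qop") != "auth":
        return False  # nonce not the one we issued (replay/stale) or unsupported qop
    expected = digest_response(stored_ha1, method, auth["uri"], auth["nonce"],
                               auth["nc"], auth["cnonce"], "auth")
    return hmac.compare_digest(expected, auth.get("response", ""))


if __name__ == "__main__":
    # Constructed challenge and credentials (the token "PWD" follows the page's example).
    challenge = {"realm": "as.example.net", "nonce": secrets.token_hex(16)}
    auth = ue_authorization("user1home1.net", "PWD", challenge, "GET", "/addressbook")
    stored = digest_ha1("user1home1.net", challenge["realm"], "PWD")
    print("authenticated:", as_verify(auth, stored, "GET", challenge["nonce"]))
```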
The system of Embodiment 1 uses the existing authentication flow to achieve unified authentication of the IMS network and the application server.
Fig. 3 is the functional block diagram of the system of Embodiment 1. As shown in Fig. 3, a system 10 for unified authentication of an IMS network and an application server according to Embodiment 1 comprises:
User equipment (UE) 101, for sending an IMS network authentication request to the call session control function entity CSCF 102; receiving the IMS network authentication response message 200 OK sent by CSCF 102, the 200 OK carrying the authentication information of the application server; and using the application server authentication information to authenticate with the application server;
Call session control function entity CSCF 102, for receiving the IMS network authentication request sent by UE 101; sending an SAR message to the home subscriber server HSS 103 to obtain the User Profile of UE 101; receiving the SAA message sent by HSS 103, the SAA message including the User Profile, which carries the application server authentication information; and sending to UE 101 the 200 OK including the application server authentication information, so as to trigger UE 101 to use it to authenticate with application server 104;
Home subscriber server HSS 103, for receiving the SAR message sent by CSCF 102 and, when application server authentication information corresponding to UE 101 is stored, sending to CSCF 102 an SAA message that includes the User Profile of UE 101, the User Profile carrying the application server authentication information;
Application server AS 104, for receiving the authentication request sent by UE 101, authenticating UE 101, and returning an authentication response to UE 101.
In the system of Embodiment 1, the HSS extends the User Profile structure carried in the SAA message over the Cx interface by appending an application server authentication information structure at the end of the User Profile, so that the application server authentication information is passed to the CSCF in the SAA message.
When the CSCF sends the 200 OK message, the application server authentication information is encrypted with the check bit CK or with HA1, which protects the application server authentication information in transit.
The UE authenticates with the application server using the application server authentication information carried in the 200 OK, without having to enter it manually each time, which reduces the user's operating burden and achieves automatic authentication.
In summary, the system of Embodiment 1 achieves unified authentication of the IMS network and the application server, bringing great convenience to the user and to operator management; it fully reuses the existing IMS authentication flow, is simple to implement and needs no additional authentication equipment; it imposes no special requirements on existing application servers and does not change their existing authentication flows.
Embodiment 2:
Embodiment 2 of the invention provides an authentication method, namely a method for unified authentication of an IMS network and an application server, whose executing entity may be the CSCF.
Fig. 4 is the overall flow chart of the method of Embodiment 2. As shown in Fig. 4, the method comprises:
S401: receiving an IMS network authentication request sent by a user equipment (UE);
S402: according to the IMS network authentication request, obtaining application server authentication information from the home subscriber server HSS;
Specifically, the application server authentication information includes: the application server's authentication user name HTTP-Username, the application server's authentication password HTTP-Token (which can be extended to authentication credentials), and the application server's additional parameters Add-ons (for example the IP address of the application server). Add-ons is an optional parameter and contains one or more server parameters (Server-parameter).
S403: sending to the UE an IMS network authentication response message that includes the application server authentication information, so as to trigger the UE to use the application server authentication information to authenticate with the application server.
Note that, in the ordinary case, the UE has already defined which application servers it needs to authenticate with; what it does not know is the information necessary for that authentication, for example the IP address, user name and password. Once the IMS network returns this information to the UE, the UE can authenticate with the application server.
Fig. 4a is the first detailed flow chart of the method of Embodiment 2. Optionally, as shown in Fig. 4a, the method can comprise:
S401a: receiving an IMS network authentication request sent by a user equipment (UE);
S402a: sending an SAR message to the home subscriber server HSS to obtain the User Profile of the UE;
Specifically, the SAR message is a Server-Assignment-Request message, the command the CSCF sends to the HSS over the Cx interface. The SAR message can carry the IMPU and/or IMPI (IP Multimedia Private Identity) of the UE, so that the HSS can look up, by the UE's IMPU and/or IMPI, whether application server authentication information corresponding to the UE is stored.
S403a: receiving the SAA message sent by the HSS, the SAA message including the User Profile, which carries the application server authentication information;
Specifically, the SAA message is a Server-Assignment-Answer message, the HSS's response to the SAR command over the Cx interface.
The extended structure of the User Profile and the structure of the application server authentication information are described in detail in a later embodiment and are not described here.
Optionally, the application server authentication information can also be obtained through other messages, for example through messages of other self-defined procedures between the CSCF and the HSS.
S404a: sending to the UE the IMS network authentication response message 200 OK that includes the application server authentication information, so as to trigger the UE to use the application server authentication information to authenticate with the application server.
Fig. 4b is the second detailed flow chart of the method of Embodiment 2. Fig. 4b differs from Fig. 4a in S404b.
S404b: sending the IMS network authentication response message 200 OK to the UE, the 200 OK including the associated URI header field P-Associated-URI, which carries the application server authentication information, so as to trigger the UE to use the application server authentication information to authenticate with the application server.
Specifically, S404b can comprise:
assigning the value of HTTP-Username to a first ai-param parameter included in the P-Associated-URI header field;
assigning the value of HTTP-Token to a second ai-param parameter included in the P-Associated-URI header field;
sending the IMS network authentication response message 200 OK to the UE, the 200 OK including a P-Associated-URI header field that contains the first ai-param parameter and the second ai-param parameter.
Optionally, the values of the one or more Server-parameters contained in Add-ons can also be assigned, respectively, to further ai-param parameters of the P-Associated-URI header field;
Optionally, the 200 OK sent to the UE can include a P-Associated-URI header field that contains the first ai-param parameter, the second ai-param parameter, and the further ai-param parameters carrying the values of the several Server-parameters.
Fig. 4c is the third detailed flow chart of the method of Embodiment 2. Fig. 4c differs from Fig. 4 in S404c and S405c.
S404c: encrypting the application server authentication information with the check bit CK or with HA1;
S405c: sending the IMS network authentication response message 200 OK to the UE, the 200 OK including the application server authentication information encrypted with CK or HA1, so as to trigger the UE to use the application server authentication information to authenticate with the application server.
The method of carrying the application server authentication information in the 200 OK response can comprise: transmitting the application server authentication information as ai-param parameters of the P-Associated-URI header field.
For example, the parameters defined for P-Associated-URI in the standard are used to carry the "application server authentication information".
P-Associated-URI is defined in the standard as:
P-Associated-URI = "P-Associated-URI" HCOLON
                   (p-aso-uri-spec)
                   *(COMMA p-aso-uri-spec)
p-aso-uri-spec = name-addr *(SEMI ai-param)
ai-param = generic-param
The following illustrates the process of carrying the "application server authentication information" through the parameters defined for P-Associated-URI.
The CSCF takes the HTTP-username cell of the application server authentication information, copies its content into the http-username parameter, and uses http-username as an ai-param parameter of P-Associated-URI;
For example, the content "user1home1.net" of the HTTP-username cell is copied into the http-username parameter, giving http-username="user1home1.net", and this http-username is used as an ai-param parameter of P-Associated-URI.
The CSCF takes the HTTP-Token cell of the application server authentication information, copies its content into the http-token parameter, and uses http-token as an ai-param parameter of P-Associated-URI;
For example, the content "PWD" of the HTTP-Token cell is copied into the http-token parameter, giving http-token="PWD", and this http-token is used as an ai-param parameter of P-Associated-URI.
The CSCF takes the Add-ons cell of the application server authentication information and uses each of the one or more Server-parameters it contains as a separate ai-param parameter; if there are several Server-parameters, they correspond one-to-one to several ai-param parameters.
For example, the content "group-domain-address" of the first Server-parameter in the Add-ons cell is copied into the group-uri parameter, giving group-uri="group-domain-address", and group-uri is used as an ai-param parameter of P-Associated-URI;
the content "AP-domain-address" of the second Server-parameter in the cell is copied into the ap-uri parameter, giving ap-uri="AP-domain-address", and ap-uri is used as an ai-param parameter of P-Associated-URI.
Thus an example of a P-Associated-URI carrying the application server authentication information is formed as follows:
P-Associated-URI:
Sip:user1home1.net;http-username="user1home1.net";http-token="PWD";group-uri="group-domain-address";ap-uri="AP-domain-address"
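An added example (not code from the patent) of S203-S205 and of the P-Associated-URI handling of S404b: an HSS lookup by IMPU, the CSCF building the 200 OK header from HTTP-Username, HTTP-Token and the Add-ons Server-parameters, and the UE extracting the information from the first p-aso-uri-spec that carries http-username. The HSS store layout, the angle-bracket name-addr form, quoted parameter values and all function names are assumptions; the CK/HA1 encryption step is not modelled because the page does not specify the cipher.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class AsAuthInfo:  # application server authentication information (S402)
    http_username: str
    http_token: str
    add_ons: Dict[str, str] = field(default_factory=dict)  # Server-parameter name -> value


# Constructed HSS store keyed by IMPU; the stored values follow the page's example.
HSS_STORE: Dict[str, Optional[AsAuthInfo]] = {
    "sip:user1@home1.net": AsAuthInfo(
        "user1home1.net", "PWD",
        {"group-uri": "group-domain-address", "ap-uri": "AP-domain-address"}),
    "sip:user2@home1.net": None,  # subscribed to no separately-authenticated AS
}


def hss_lookup(impus: List[str]) -> Optional[AsAuthInfo]:
    """S502/S503: search the IMPUs of the UE (one IRS); return info for the first hit, else None."""
    for impu in impus:
        info = HSS_STORE.get(impu)
        if info is not None:
            return info
    return None


def _split_top_level(text: str, sep: str) -> List[str]:
    """Split on sep outside double quotes and outside <...>, where name-addr may hold ';'."""
    parts, cur, quoted, depth = [], [], False, 0
    for c in text:
        if quoted:
            cur.append(c)
            quoted = c != '"'
        elif c == '"':
            quoted = True
            cur.append(c)
        elif c in "<>":
            depth += 1 if c == "<" else -1
            cur.append(c)
        elif c == sep and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def cscf_build_p_associated_uri(name_addr: str, info: AsAuthInfo) -> str:
    """S404b: first ai-param = HTTP-Username, second = HTTP-Token, then one per Server-parameter."""
    params = [("http-username", info.http_username), ("http-token", info.http_token)]
    params += list(info.add_ons.items())
    return name_addr + "".join(f';{k}="{v}"' for k, v in params)


def cscf_build_200ok(name_addr: str, info: Optional[AsAuthInfo]) -> str:
    """S204: the header is attached only when the User Profile carried AS authentication info."""
    lines = ["SIP/2.0 200 OK"]
    if info is not None:
        lines.append("P-Associated-URI: " + cscf_build_p_associated_uri(name_addr, info))
    return "\r\n".join(lines) + "\r\n\r\n"


def ue_extract_as_auth(header_value: str) -> Optional[AsAuthInfo]:
    """S205: use the first p-aso-uri-spec carrying http-username; take http-token and the rest."""
    for spec in _split_top_level(header_value, ","):
        fields = _split_top_level(spec, ";")
        params: Dict[str, str] = {}
        for p in fields[1:]:  # fields[0] is the name-addr
            k, _, v = p.partition("=")
            params[k.strip().lower()] = v.strip().strip('"')
        if "http-username" in params:
            username = params.pop("http-username")
            token = params.pop("http-token", None)
            if token is None:
                continue  # a user name without a token is unusable; keep scanning the list
            return AsAuthInfo(username, token, params)
    return None


def ue_handle_200ok(message: str) -> Optional[AsAuthInfo]:
    """Find the P-Associated-URI header in the 200 OK and extract the AS authentication info."""
    head = message.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "p-associated-uri":
            return ue_extract_as_auth(value.strip())
    return None


if __name__ == "__main__":
    info = hss_lookup(["sip:user1@home1.net"])
    msg = cscf_build_200ok("<sip:user1@home1.net>", info)
    print(msg)
    print(ue_handle_200ok(msg))
```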
Further, to protect the transmission, the application server authentication information can be encrypted with CK; if the UE and the IMS use HTTP Digest authentication, HA1 (an intermediate result of the HTTP Digest authentication process) is used for encryption instead.
In the method of this embodiment, the CSCF receives from the HSS the SAA message containing the application server authentication information and sends this information to the UE in the 200 OK response, so that the UE authenticates with the application server using the application server authentication information received from the 200 OK. This process requires no manual intervention; it achieves automatic authentication with the application server as well as unified authentication of the IMS network and the application server, and is convenient for the user.
Encrypting the application server authentication information in transit with CK or HA1 effectively protects the data transfer.
Because the method of this embodiment adds no dedicated authentication equipment but improves on existing equipment and flows, it provides a simple unified authentication flow for the IMS network and the application server, which helps operator management and saves operator investment.
Embodiment 3:
Embodiment 3 of the invention provides a method of transmitting application server authentication information; the executing entity of this method may be the HSS.
Fig. 5 is the flowchart of the method of Embodiment 3. As shown in Fig. 5, the method comprises:
S501, receiving a first message sent by the call session control function entity CSCF, the first message containing the identity of the UE that requests IMS network authentication;
S502, judging, according to the first message, whether application server authentication information corresponding to the UE exists;
S503, when application server authentication information corresponding to the UE exists, sending to the CSCF a second message containing the application server authentication information corresponding to the UE.
Optionally, the first message may be an SAR message, the second message may be an SAA message, and the UE identity comprises the IP Multimedia Public Identity IMPU or the IMPI of the UE.
The process of S503 may specifically comprise:
when application server authentication information corresponding to the UE exists, sending an SAA message to the CSCF, the SAA message containing the user subscription information (User Profile) of the UE, and the User Profile carrying the application server authentication information.
Optionally, the SAR message may carry the IMPU and/or the IMPI of the UE, so that the HSS queries the application server authentication information corresponding to the UE according to the IMPU and/or the IMPI of the UE. When the UE has several IMPUs, these IMPUs may form one IRS (implicit registration set).
Specifically, when an IMS user opens an account or applies for a new service, if manual work on the operator side or the BOSS (Business and Operation Supporting System) finds after judgment that there is an application server requiring separate authentication, the authentication information of that application server is stored in the HSS. The authentication information of the application server may be associated with one or more IMPUs, that is, the authentication information of the application server may correspond to, or belong to, one or more IMPUs.
When the authentication information of the application server is associated with several IMPUs, the associated IMPUs may be registered in the HSS as one IRS, which is equivalent to associating the application server authentication information with the IRS. By placing several IMPUs in one set, when the UE has several IMPUs the application server authentication information can be obtained no matter which IMPU is used to log in, and the application server authentication information need not be stored repeatedly on the HSS.
When the HSS judges that application server authentication information associated with the corresponding IMPU or IRS exists, it includes this application server authentication information in the User Profile.
For example, the User Profile structure carried in the SAA message on the Cx interface is extended by adding an application server authentication information structure at the end of the User Profile structure; expressed in UML (Unified Modeling Language) this gives Fig. 6, the schematic diagram of the extended User Profile structure of Embodiment 3.
As shown in Fig. 6, the IMPI of one IMS user may correspond to one or more "Service Profile" and to one or zero "application server authentication information". In Fig. 6, "1...n" means one or more and "0...1" means zero or one. Fig. 7 is a sample diagram of the format of the User Profile of Embodiment 3. Only two Service Profiles are shown in Fig. 7; more than two Service Profiles may be used for different applications. Only three Public ids are shown in Fig. 7; more than three Public ids may be used for different applications. IFC in Fig. 7 denotes the initial filter criteria. The Service Profile has the same definition as in the original User Profile.
The structure of the application server authentication information of Embodiment 3 is expressed in UML as Fig. 8, the structural diagram of the application server authentication information of Embodiment 3. As shown in Fig. 8, HTTP-Username indicates the authentication user name of the application server; HTTP-Token indicates the authentication password of the application server (which may be extended to authentication credentials); Add-ons stores the additional parameters of the application server (for example the IP address of the application server). As can be seen from Fig. 8, one application server authentication information may, for example, contain one HTTP-Username, one HTTP-Token and one or zero Add-ons. In other applications it may also contain several HTTP-Username, several HTTP-Token and several Add-ons.
If there are several application servers, the same authentication user name and authentication password are specified when opening an account, applying for a new service or in other scenarios, and the differing additional parameters (for example the IP addresses of the application servers) are stored in the Add-ons field. Optionally, the application server authentication information structure may also be extended so that different authentication user names and passwords can be specified for the several application servers.
The Add-ons field of the application server authentication information structure may use the definition shown in Fig. 9, the definition diagram of the Add-ons field of Embodiment 3. In Fig. 9, "1...n" means one or more, that is, one Add-ons field may contain one or more Server-parameter, and each Server-parameter holds the name and the value of one parameter, for example in the form group-uri="group-domain-address", where group-uri is the parameter name and group-domain-address is the corresponding parameter value.
In short, the HSS extends the User Profile message structure contained in the SAA message by adding an application server authentication information structure at the end of the User Profile structure, and returns to the CSCF an SAA message carrying the application server authentication information, thereby transmitting the application server authentication information to the CSCF. Optionally, the application server authentication information structure may instead be added at the front of the User Profile structure.
In the method of Embodiment 3, by extending the User Profile structure carried in the SAA message and adding the application server authentication information structure at the end of the User Profile structure, the application server authentication information can be sent to the CSCF in the SAA message, and the CSCF can then send it on to the UE, so that the UE authenticates to the application server with this information without the user manually intervening in the application server authentication process. This brings great convenience both to users and to operator management. Through the above scheme, the method of Embodiment 3 helps achieve unified authentication of the IMS network and the application server.
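An added example (not the patent's code) of the HSS behaviour described in Embodiment 3: the authentication information is stored once per IRS and found from the IMPI or any IMPU of the set, then appended as the last element of the Cx User Profile returned in the SAA, with the CSCF-side extraction alongside. ApplicationServerAuthInfo, HTTP-Username, HTTP-Token, Add-ons, Server-parameter, Name and Value are assumed element names for the extension (Figs. 6 to 9 are not on the page); IMSSubscription, PrivateID, ServiceProfile, PublicIdentity, Identity, InitialFilterCriteria, ApplicationServer and ServerName follow the 3GPP Cx User Profile schema.

```python
import xml.etree.ElementTree as ET


class Hss:
    """Minimal subscriber store for the SAR/SAA handling of Embodiment 3 (constructed)."""

    def __init__(self):
        self._impus = {}    # IRS id -> IMPUs of the implicit registration set
        self._impi = {}     # IRS id -> IMPI
        self._ifcs = {}     # IRS id -> application server names used as simplified IFCs
        self._auth = {}     # IRS id -> application server authentication info (stored once)
        self._irs_of = {}   # IMPI or IMPU -> IRS id, the lookup behind S502

    def provision(self, impi, impus, ifcs):
        """Register all IMPUs of one subscription as a single IRS under the IMPI."""
        irs = f"irs-{len(self._impus) + 1}"
        self._impus[irs], self._impi[irs], self._ifcs[irs] = list(impus), impi, list(ifcs)
        for ident in (impi, *impus):
            self._irs_of[ident] = irs
        return irs

    def set_application_server_auth(self, impu, auth_info):
        """Associate the information with the IRS containing impu: every IMPU of the
        set then finds it, and it is kept only once on the HSS."""
        self._auth[self._irs_of[impu]] = auth_info

    def handle_sar(self, ue_identity):
        """S501-S503: resolve the IMPI/IMPU carried in the SAR to its IRS, check whether
        application server authentication information exists, and return the SAA
        User Profile XML (extension appended only when the information exists)."""
        irs = self._irs_of.get(ue_identity)
        if irs is None:
            return None                                   # unknown user: no profile
        return ET.tostring(self._user_profile(irs), encoding="unicode")

    def _user_profile(self, irs):
        root = ET.Element("IMSSubscription")
        ET.SubElement(root, "PrivateID").text = self._impi[irs]
        sp = ET.SubElement(root, "ServiceProfile")
        for impu in self._impus[irs]:
            ET.SubElement(ET.SubElement(sp, "PublicIdentity"), "Identity").text = impu
        for server in self._ifcs[irs]:
            # Priority and TriggerPoint of a real IFC are omitted in this example
            ifc = ET.SubElement(sp, "InitialFilterCriteria")
            ET.SubElement(ET.SubElement(ifc, "ApplicationServer"), "ServerName").text = server
        auth = self._auth.get(irs)
        if auth is not None:                              # 0...1 per IMPI, at the end
            ext = ET.SubElement(root, "ApplicationServerAuthInfo")
            ET.SubElement(ext, "HTTP-Username").text = auth["HTTP-Username"]
            ET.SubElement(ext, "HTTP-Token").text = auth["HTTP-Token"]
            if auth.get("Add-ons"):
                addons = ET.SubElement(ext, "Add-ons")
                for name, value in auth["Add-ons"]:
                    param = ET.SubElement(addons, "Server-parameter")
                    ET.SubElement(param, "Name").text = name
                    ET.SubElement(param, "Value").text = value
        return root


def extract_application_server_auth(user_profile_xml):
    """CSCF side: read the trailing extension from the SAA User Profile. Returns None
    when the profile carries none, so the 200 OK is then sent without ai-params."""
    ext = ET.fromstring(user_profile_xml).find("ApplicationServerAuthInfo")
    if ext is None:
        return None
    info = {"HTTP-Username": ext.findtext("HTTP-Username"),
            "HTTP-Token": ext.findtext("HTTP-Token")}
    if info["HTTP-Username"] is None or info["HTTP-Token"] is None:
        raise ValueError("ApplicationServerAuthInfo present but incomplete")
    add_ons = [(p.findtext("Name"), p.findtext("Value")) for p in ext.iter("Server-parameter")]
    if add_ons:
        info["Add-ons"] = add_ons
    return info


# Constructed sample subscription: one IMPI, three IMPUs forming one IRS
def sample_hss():
    hss = Hss()
    hss.provision("user1@home1.net",
                  ["sip:user1@home1.net", "tel:+15551234567", "sip:alias@home1.net"],
                  ["as1.home1.net"])
    hss.set_application_server_auth("tel:+15551234567", {
        "HTTP-Username": "user1@home1.net",
        "HTTP-Token": "PWD",
        "Add-ons": [("group-uri", "group-domain-address"), ("ap-uri", "AP-domain-address")],
    })
    hss.provision("user2@home1.net", ["sip:user2@home1.net"], [])   # no separate AS auth
    return hss


if __name__ == "__main__":
    print(sample_hss().handle_sar("sip:alias@home1.net"))
```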
Embodiment 4:
Embodiment 4 of the invention provides an authentication method, which comprises a method of unified authentication of the IP multimedia subsystem (IMS) network and the application server. The executing entity of this method may be the UE.
Fig. 10 is the overall flowchart of the method of Embodiment 4. As shown in Fig. 10, the method comprises:
S1001, sending an IMS network authentication request to the call session control function entity CSCF;
S1002, receiving the IMS network authentication response message sent by the CSCF, the IMS network authentication response message carrying the authentication information of the application server;
S1003, authenticating to the application server using the application server authentication information.
Fig. 10a is the first specific flowchart of the method of Embodiment 4. Fig. 10a differs from Fig. 10 in S1002a.
S1002a, receiving the IMS network authentication response message 200 OK sent by the CSCF, the 200 OK containing the P-Associated-URI header field, and the P-Associated-URI header field carrying the application server authentication information.
Specifically, the process of S1002a may comprise:
receiving the IMS network authentication response message 200 OK sent by the CSCF, the 200 OK containing the P-Associated-URI header field, and the several ai-param parameters contained in the P-Associated-URI header field carrying the authentication user name HTTP-Username of the application server, the authentication password HTTP-Token of the application server, and one or zero additional parameters Add-ons of the application server.
Fig. 10b is the second specific flowchart of the method of Embodiment 4. As shown in Fig. 10b, the method comprises:
S1001b, sending an IMS network authentication request to the call session control function entity CSCF;
S1002b, receiving the IMS network authentication response message sent by the CSCF, the IMS network authentication response message carrying application server authentication information encrypted with the cipher key CK or with HA1;
S1003b, decrypting the application server authentication information with the cipher key CK or with HA1;
S1004b, authenticating to the application server using the application server authentication information.
In the method of Embodiment 4, by carrying the application server authentication information in the IMS network authentication response message, the UE can obtain the application server authentication information from the received IMS network authentication response message and authenticate to the application server automatically according to it. This simplifies the authentication flow, is convenient for users and requires no user intervention, bringing great convenience both to users and to operator management; at the same time, encrypting the application server authentication information in transit with CK or HA1 ensures the security of the data transfer.
Embodiment 5:
Embodiment 5 of the invention provides a call session control function entity CSCF, formed to correspond to the method of Embodiment 2.
Fig. 11 is the functional block diagram of the call session control function entity of Embodiment 5. As shown in Fig. 11, the CSCF 20 comprises:
an authentication request receiving unit 201, configured to receive the IP Multimedia Subsystem IMS network authentication request sent by the user equipment UE;
an authentication information acquiring unit 202, configured to obtain the application server authentication information from the home subscriber server HSS according to the IMS network authentication request;
an authentication response transmitting unit 203, configured to send to the UE an IMS network authentication response message containing the application server authentication information, to trigger the UE to authenticate to the application server using the application server authentication information.
Fig. 11a is the functional block diagram of the authentication information acquiring unit. Optionally, the authentication information acquiring unit 202 may comprise:
a request subunit 2021, configured to send an SAR message to the home subscriber server HSS to obtain the user subscription information (User Profile) of the UE;
a receiving subunit 2022, configured to receive the SAA message sent by the HSS, the SAA message containing the User Profile, and the User Profile carrying the application server authentication information.
Optionally, the authentication response transmitting unit 203 is configured to send the IMS network authentication response message 200 OK to the UE, with the P-Associated-URI header field added to the 200 OK and carrying the application server authentication information.
Fig. 11b is the functional block diagram of the authentication response transmitting unit. Optionally, the authentication response transmitting unit 203 may comprise:
an encrypting subunit 2031, configured to encrypt the application server authentication information with the cipher key CK or with HA1;
a sending subunit 2032, configured to send the IMS network authentication response message to the UE, the IMS network authentication response message containing the application server authentication information encrypted with CK or HA1.
The application server authentication information comprises the authentication user name HTTP-Username of the application server and the authentication password HTTP-Token of the application server; optionally, it may also comprise the additional parameters Add-ons of the application server, the Add-ons comprising one or more server parameters Server-parameter.
The CSCF entity provided by Embodiment 5, by receiving an SAA message whose User Profile structure has been extended with an application server authentication information structure added at its end, can obtain the corresponding application server authentication information from the HSS.
By encrypting the application server authentication information in transit with CK, or with HA1 when the UE and the IMS use HTTP Digest authentication, the CSCF entity helps ensure the security of the transmission.
By carrying the application server authentication information in the 200 OK message returned to the UE, the CSCF entity enables the UE to authenticate to the application server with this information; the process requires no manual intervention and achieves automatic authentication.
In short, using the CSCF of this embodiment achieves unified authentication of the IMS and the application server and brings great convenience to users and to operator management; at the same time it saves operator investment, since no additional dedicated authentication equipment is needed.
Embodiment 6:
This embodiment of the invention provides a home subscriber server, formed to correspond to the method of Embodiment 3.
Fig. 12 is the functional block diagram of the home subscriber server of Embodiment 6. As shown in Fig. 12, the home subscriber server 30 comprises:
a receiving unit 301, configured to receive the first message sent by the call session control function entity CSCF, the first message containing the identity of the UE that requests IMS network authentication;
a judging unit, configured to judge whether application server authentication information corresponding to the UE exists;
a transmitting unit 302, configured to send to the CSCF, when application server authentication information corresponding to the UE exists, a second message containing the application server authentication information corresponding to the UE.
Optionally, the first message may be an SAR message, the second message may be an SAA message, and the identity of the UE comprises the IP Multimedia Public Identity IMPU or the IMPI of the UE. The transmitting unit 302 may be configured to send an SAA message to the CSCF when application server authentication information corresponding to the UE exists, the SAA message containing the user subscription information (User Profile) of the UE, and the User Profile carrying the application server authentication information.
For the structure of the extended User Profile and the structure of the application server authentication information, refer to Fig. 6 to Fig. 9 and the corresponding description, which are not repeated here.
The home subscriber server of Embodiment 6, by storing the application server authentication information corresponding to the UE in advance and by extending the User Profile, namely adding an application server authentication information structure at the end of the User Profile message structure, can deliver the authentication information of the application server to the CSCF in the SAA message and thus helps achieve unified authentication of the IMS and the application server.
Embodiment 7:
Embodiment 7 of the invention provides a user equipment, formed to correspond to the method of Embodiment 4.
Fig. 13 is the functional block diagram of the user equipment of Embodiment 7. As shown in Fig. 13, the user equipment 40 comprises:
a first authentication request transmitting unit 401, configured to send an IP Multimedia Subsystem IMS network authentication request to the call session control function entity CSCF;
an authentication response receiving unit 402, configured to receive the IMS network authentication response message sent by the CSCF, the IMS network authentication response message carrying the authentication information of the application server;
a second authentication request transmitting unit 403, configured to authenticate to the application server using the application server authentication information.
Optionally, the authentication response receiving unit 401 may also be configured to receive the IMS network authentication response message 200 OK sent by the CSCF, the 200 OK containing the P-Associated-URI header field, and the P-Associated-URI header field carrying the application server authentication information.
Optionally, the authentication response receiving unit 401 may also be configured to receive the IMS network authentication response message sent by the CSCF, where the several ai-param parameters contained in the P-Associated-URI header field of the IMS network authentication response message carry the value of the authentication user name HTTP-Username of the application server, the value of the authentication password HTTP-Token of the application server, and the value of one or zero additional parameters Add-ons of the application server.
For the specific method of carrying the application server authentication information in the P-Associated-URI header field added to the 200 OK, refer to the corresponding description in Embodiment 2, which is not repeated here.
Optionally, the authentication response receiving unit 401 may also be configured to receive the IMS network authentication response message sent by the CSCF, the IMS network authentication response message carrying application server authentication information encrypted with the cipher key CK or with HA1.
Fig. 14 is the refined functional block diagram of the user equipment of Embodiment 7. Optionally, the user equipment 40 may further comprise:
a decryption unit 404, configured to decrypt the application server authentication information with the cipher key CK or with HA1.
The user equipment provided by Embodiment 7 can authenticate to the application server with the application server authentication information carried in the 200 OK message, without the application server authentication information having to be entered repeatedly by hand, which is convenient for users and for operator management. By carrying the authentication information of the application server in the result returned by the IMS network authentication, the method of this embodiment achieves unified authentication of the IMS network and the application server.
Those of ordinary skill in the art will appreciate that all or part of the flows in the methods of the above embodiments may be accomplished by a computer program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, may include the flows of the embodiments of the above methods. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
The above embodiments serve only to illustrate the technical solutions of the embodiments of the invention and do not limit them. Although the embodiments of the invention have been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, without such modifications or replacements making the essence of the corresponding technical solutions depart from the spirit and scope of the technical solutions of the embodiments of the invention.

Claims (16)

1. An authentication method, characterized in that the authentication method is applicable to a call session control function entity CSCF and comprises:
receiving an IP Multimedia Subsystem IMS network authentication request sent by a user equipment UE;
obtaining application server authentication information from a home subscriber server HSS according to the IMS network authentication request;
sending to the UE an IMS network authentication response message containing the application server authentication information, to trigger the UE to authenticate to the application server using the application server authentication information.
2. The method according to claim 1, characterized in that obtaining the application server authentication information from the home subscriber server HSS according to the IMS network authentication request comprises:
sending an SAR message to the home subscriber server HSS to obtain the user subscription information (User Profile) of the UE;
receiving the SAA message sent by the HSS, the SAA message containing the User Profile, and the User Profile carrying the application server authentication information.
3. The method according to claim 1, characterized in that sending to the UE the IMS network authentication response message containing the application server authentication information comprises:
sending the IMS network authentication response message 200 OK to the UE, with a P-Associated-URI header field added to the 200 OK, the P-Associated-URI header field carrying the application server authentication information.
4. The method according to claim 1, characterized in that sending to the UE the IMS network authentication response message containing the application server authentication information comprises:
encrypting the application server authentication information with the cipher key CK or with HA1;
sending the IMS network authentication response message to the UE, the IMS network authentication response message containing the application server authentication information encrypted with CK or HA1.
5. An authentication method, characterized in that the authentication method is applicable to a user equipment and comprises:
sending an IP Multimedia Subsystem IMS network authentication request to a call session control function entity CSCF;
receiving the IMS network authentication response message sent by the CSCF, the IMS network authentication response message carrying application server authentication information;
authenticating to the application server using the application server authentication information.
6. The method according to claim 5, characterized in that receiving the IMS network authentication response message sent by the CSCF, the IMS network authentication response message carrying the application server authentication information, comprises:
receiving the IMS network authentication response message 200 OK sent by the CSCF, the 200 OK containing a P-Associated-URI header field, and the P-Associated-URI header field carrying the application server authentication information.
7. The method according to claim 5, characterized in that receiving the IMS network authentication response message sent by the CSCF, the IMS network authentication response message carrying the application server authentication information, comprises:
receiving the IMS network authentication response message sent by the CSCF, the IMS network authentication response message carrying application server authentication information encrypted with the cipher key CK or with HA1.
8. The method according to claim 7, characterized in that, before authenticating to the application server using the application server authentication information, the method further comprises:
decrypting the application server authentication information with the cipher key CK or with HA1.
9. A call session control function entity CSCF, characterized in that the call session control function entity CSCF comprises:
an authentication request receiving unit, configured to receive an IP Multimedia Subsystem IMS network authentication request sent by a user equipment UE;
an authentication information acquiring unit, configured to obtain application server authentication information from a home subscriber server HSS according to the IMS network authentication request;
an authentication response transmitting unit, configured to send to the UE an IMS network authentication response message containing the application server authentication information, to trigger the UE to authenticate to the application server using the application server authentication information.
10. The call session control function entity CSCF according to claim 9, characterized in that the authentication information acquiring unit comprises:
a request subunit, configured to send an SAR message to the home subscriber server HSS to obtain the user subscription information (User Profile) of the UE;
a receiving subunit, configured to receive the SAA message sent by the HSS, the SAA message containing the User Profile, and the User Profile carrying the application server authentication information.
11. The call session control function entity CSCF according to claim 9, characterized in that
the authentication response transmitting unit is configured to send the IMS network authentication response message 200 OK to the UE, with a P-Associated-URI header field added to the 200 OK, the P-Associated-URI header field carrying the application server authentication information.
12. The call session control function entity CSCF according to claim 9, characterized in that the authentication response transmitting unit comprises:
an encrypting subunit, configured to encrypt the application server authentication information with the cipher key CK or with HA1;
a sending subunit, configured to send the IMS network authentication response message to the UE, the IMS network authentication response message containing the application server authentication information encrypted with CK or HA1.
13. A user equipment, characterized in that the user equipment comprises:
a first authentication request transmitting unit, configured to send an IP Multimedia Subsystem IMS network authentication request to a call session control function entity CSCF;
an authentication response receiving unit, configured to receive the IMS network authentication response message sent by the CSCF, the IMS network authentication response message carrying application server authentication information;
a second authentication request transmitting unit, configured to authenticate to the application server using the application server authentication information.
14. The user equipment according to claim 13, characterized in that
the authentication response receiving unit is configured to receive the IMS network authentication response message 200 OK sent by the CSCF, the 200 OK containing a P-Associated-URI header field, and the P-Associated-URI header field carrying the application server authentication information.
15. The user equipment according to claim 13, characterized in that
the authentication response receiving unit is configured to receive the IMS network authentication response message sent by the CSCF, the IMS network authentication response message carrying application server authentication information encrypted with the cipher key CK or with HA1.
16. The user equipment according to claim 15, characterized in that the user equipment further comprises:
a decryption unit, configured to decrypt the application server authentication information with the cipher key CK or with HA1.
CN200910174570A 2009-09-30 2009-09-30 Authentication method and device Active CN101668016B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN200910174570A CN101668016B (en) 2009-09-30 2009-09-30 Authentication method and device
PCT/CN2010/077516 WO2011038691A1 (en) 2009-09-30 2010-09-30 Authentication method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN200910174570A CN101668016B (en) 2009-09-30 2009-09-30 Authentication method and device

Publications (2)

Publication Number Publication Date
CN101668016A CN101668016A (en) 2010-03-10
CN101668016B true CN101668016B (en) 2012-10-03
US20090067591A1 (en) Apparatus and method for managing a network
WO2009024076A1 (en) Method for configuring service and entity for storing service configuration
US20150065089A1 (en) Network application function authorisation in a generic bootstrapping architecture
EP2472769A1 (en) Method for obtaining information of key management server, and method, system and device for monitoring
CN104486460B (en) Application server address acquisition methods, equipment and system
CN101227474A (en) Method for identifying authority of conversation initialized protocol user in soft switching network
CN109962878A (en) A kind of register method and device of IMS user
EP1880556A1 (en) Method and element for service control
CN105516070A (en) Authentication credential replacing method and authentication credential replacing device
US9332055B2 (en) Method and apparatus for routing XCAP requests
CN101674178A (en) User information storage method as well as user information authentication method and device
CN101001145B (en) Authentication method for supporting terminal roaming of non-IP multimedia service subsystem
WO2012103930A1 (en) Determining a location address for shared data
CN101083838B (en) HTTP abstract authentication method in IP multimedia subsystem
CN102594782B (en) IP Multimedia System method for authenticating, system and server
CN103607411A (en) Method and device for processing IMS user identification

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant