WO2007098669A1 - Method, system and device for authenticating a user terminal - Google Patents


Info

Publication number
WO2007098669A1
Authority
WO
WIPO (PCT)
Prior art keywords
user terminal
address
request message
authentication
address information
Prior art date
Application number
PCT/CN2007/000234
Other languages
English (en)
Chinese (zh)
Inventor
Hui Li
Original Assignee
Huawei Technologies Co., Ltd.
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2007098669A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/12 Applying verification of the received information
    • H04L63/126 Applying verification of the received information the source of the received data

Definitions

  • the present invention relates to the field of communications, and in particular to a system and apparatus for authenticating a user terminal.
  • Background of the invention
  • the IP Multimedia Subsystem is a subsystem that 3GPP superimposes on a packet network.
  • the IMS uses the packet domain as its bearer channel for control signaling and media transmission, and introduces Session Initiation Protocol (SIP) as its service control protocol.
  • IMS exploits the simplicity, ease of extension and convenient media combination of SIP, and provides rich multimedia services by separating service control from bearer control.
  • the main functional entities in the IMS include the Call Session Control Function (CSCF), which controls user registration, session control, and so on.
  • Abbreviations: CSCF, Call Session Control Function; HSS, Home Subscriber Server; AS, Application Server.
  • in order to support registration of the user terminal and calling or called services, 3GPP defines a public user identity (IMPU, IM Public Identity) and a private user identity (IMPI, IM Private Identity); the user communicates using the IMPU, and the IMPI is used to authenticate the user terminal.
  • a standard IMS terminal is authenticated using IMS Authentication and Key Agreement (IMS AKA).
  • the IMS AKA authentication method establishes a secure channel in the access network between the IMS terminal and the P-CSCF during the registration process, to protect the integrity and confidentiality of subsequent messages. However, given the processing power of current IMS terminals, it is difficult to provide such a secure channel, and if the terminal does not establish one, the re-registration and session requests it initiates cannot be secured.
  • the existing solution is that when the IMS terminal initiates a re-registration request, a logout request, a dialog request or a non-registered independent transaction request, the network initiates an authentication process to ensure user reliability. Because the network authenticates every request of the IMS terminal, request processing delay increases, which affects the user experience; at the same time, network message traffic and processing overhead increase. Other authentication methods, such as HTTP Digest, use per-session authentication to ensure the reliability of user requests after the initial authentication has passed, so the same problem exists.
  • Summary of the invention
  • the embodiment of the invention provides a user terminal authentication method and system, which simplifies the authentication process, ensures the reliability of the user terminal, and enhances the user experience.
  • a user terminal authentication system comprising: a network access control entity, a registration authentication control entity;
  • the network access control entity is configured to receive the request message of the user terminal, and carry the address information of the user terminal in the request message, and forward the request message carrying the user terminal address information to the registration authentication control entity;
  • the registration authentication control entity stores the address information of the user terminal and, after receiving the request message, compares whether the address information of the user terminal carried in the request message matches the stored address information of the user terminal; if it does, the user terminal is determined to have passed authentication.
  • a user terminal authentication system comprising: a network access control entity, a registration authentication control entity, and a session control entity;
  • the registration authentication control entity stores the address information of the user terminal
  • the network access control entity is configured to receive the request message of the user terminal, and carry the address information of the user terminal in the request message, and send the request message carrying the user terminal address information to the session control entity;
  • the session control entity is configured to receive the request message carrying the user terminal address information sent by the network access control entity, obtain the saved address information of the user terminal from the registration authentication control entity, and compare whether the address information in the request message matches the saved address information; if it matches, the user terminal is determined to have passed authentication.
  • a registration authentication control entity is configured to store address information of a user terminal, receive a request message of the user terminal, and compare whether the address information of the user terminal carried in the request message matches the stored address information of the user terminal; if so, the user terminal is determined to have passed authentication.
  • a session control entity is configured to receive a request message carrying user terminal address information, obtain the stored address information of the user terminal, and compare whether the address information in the request message matches the saved address information; if so, the user terminal is determined to have passed authentication.
  • the authentication method of the embodiment of the present invention enables the user terminal to initiate a re-registration request, a logout request or a dialog request without establishing a secure channel, while still ensuring the reliability of the user terminal and the integrity and confidentiality of subsequent messages.
  • the non-registered independent transaction request is authenticated by comparing the address information of the user terminal in the request message with the stored address information of the user terminal, so that the network does not need to repeat the initial authentication for each request of the IMS terminal.
  • this simplifies the corresponding authentication process, so that network message traffic is kept under control, network processing overhead is reduced, the delay in processing the request message is reduced, and the user experience is enhanced.
  • FIG. 1 is a network logical structure diagram of a user terminal authentication system according to an embodiment of the present invention.
  • FIG. 2 is a flowchart of an initial registration authentication request process when the IMS AKA authentication mode is adopted in the embodiment of the present invention.
  • FIG. 3 is a flowchart of a user terminal initiating a re-registration authentication request when the IMS AKA authentication mode is adopted in the embodiment of the present invention.
  • FIG. 4 is a flow chart of the user terminal initiating re-authentication in the process of re-registering the authentication request when the IMS AKA authentication mode is adopted in the embodiment of the present invention.
  • FIG. 5 is a flowchart of a user terminal initiating a non-registration authentication request when the IMS AKA authentication mode is used in the embodiment of the present invention.
  • FIG. 6 is a flow chart of initial authentication when the BA authentication mode is adopted in the embodiment of the present invention.
  • Mode for carrying out the invention
  • the user terminal obtains an access address after being authenticated by the access network, and the access address is reliable.
  • the network can retain the address information of the user terminal when the authentication of the user terminal is passed.
  • the address information of the user terminal carried in the request message is compared with the address information of the user terminal saved when authentication passed; if they are the same, the user terminal is determined to have passed authentication; if they differ, the network initiates a re-authentication process towards the user terminal, or returns a failure response.
  • the address information of the user terminal may be an IP address, a port number, or a Full Qualified Domain Name (FQDN).
  • the network logical structure of the user terminal authentication system in the embodiment of the present invention is shown in FIG. 1, and includes a user terminal 101, a network access control entity 102, a registration authentication control entity 103, and a session control entity 104, where:
  • the user terminal 101 is a communication terminal that can access a packet network, such as an IMS terminal, a PC, or the like.
  • the network access control entity 102 is a network entity that provides access control for the user terminal 101, is responsible for proxying the registration, authentication and session control of the user terminal, and can establish a secure channel between the user terminal 101 and the network access control entity 102 according to the authentication information of the user.
  • the registration authentication control entity 103 provides a user with a registration mechanism and an authorization control function, and can control the network access control entity 101 to establish a secure channel for the authenticated user in the access network.
  • the session control entity 104 provides functions such as session control, routing connection, and service triggering for registered and authorized users.
  • the address information of the user terminal 101 is described taking an IP address as an example.
  • when the user terminal 101 initiates a registration authentication request, the network access control entity 102 carries the IP address of the user terminal in the request message and forwards the registration authentication request message carrying the user terminal IP address to the registration authentication control entity 103;
  • the registration authentication control entity 103 authenticates the user terminal 101 using the authentication mode supported by the user terminal 101. If the authentication passes, the registration authentication control entity 103 saves the IP address carried in the registration authentication request message it received.
  • when the user terminal 101 subsequently sends a request message, the network access control entity 102 carries the IP address of the user terminal in the request message and forwards the request message carrying the IP address to the registration authentication control entity 103;
  • after receiving the request message, the registration authentication control entity 103 compares whether the saved IP address and the IP address in the request message are consistent. If they are consistent, the authentication passes; otherwise the authentication fails, the user terminal may be re-authenticated, and once the re-authentication passes, the saved IP address is refreshed.
  • the method of the embodiment of the present invention is described in detail below by taking the IMS AKA authentication in the IMS network as an example.
  • the address information of the user terminal is obtained during the initial registration process, and after the initial authentication passes, the address information of the user terminal is saved, as shown in FIG. 2:
  • Step 201 The user terminal sends a registration request to the P-CSCF, where the registration request indicates that the terminal supports the IP address authentication method.
  • Step 202 The P-CSCF receives the registration request sent by the user terminal and checks the IP address IP1 contained in the "sent-by" parameter of the Via header field of the registration request. If the "sent-by" parameter contains a domain name, or if the IP address it contains differs from the source address of the received IP packet, the P-CSCF adds the parameter "received" to the Via header field, containing the IP address IP2 from which the request was received. The P-CSCF then forwards the registration request to the I-CSCF.
  • Step 203 The I-CSCF receives the registration request forwarded by the P-CSCF, and then forwards the registration request to the S-CSCF.
  • Step 204 The S-CSCF receives the registration request forwarded by the I-CSCF. If the registration request includes the indication that the terminal supports the IP address authentication method, the S-CSCF considers that the terminal supports the IP address authentication method. The S-CSCF sends an authentication challenge (401 Challenge) to the user terminal according to the user authentication information obtained by the HSS query.
  • Step 205 The I-CSCF forwards the registration authentication challenge.
  • Step 206 After receiving the registration authentication challenge, the P-CSCF forwards the registration authentication challenge to the user terminal.
  • Step 207 After receiving the registration authentication challenge, the user terminal authenticates the network and calculates the authentication response without needing to establish a secure channel, and then re-initiates the registration process.
  • Step 208 The P-CSCF forwards the registration request.
  • Step 209 The I-CSCF forwards the registration request.
  • Step 210 The S-CSCF receives the registration request and performs matching according to the authentication response of the user terminal. If the matching succeeds, the user status is set to the registered state. The S-CSCF then checks whether the Via header field in the registration message contains the "sent-by" parameter; if it does, the corresponding IP1 in the "sent-by" parameter is saved. If the Via header field also contains the "received" parameter, the IP2 in the "received" parameter is saved as well. The S-CSCF sends a successful acknowledgement to the user terminal.
  • Step 211 The I-CSCF forwards the successful confirmation.
  • Step 212 The P-CSCF forwards the successful confirmation.
  • the user terminal thus completes the initial registration authentication process, and the address information IP1, or IP1 and IP2, of the user terminal at the time it passed authentication is saved in the S-CSCF.
  • the re-registration authentication process includes the following steps, as shown in FIG. 3:
  • Step 301 The user terminal sends a re-registration request to the P-CSCF, where the registration message indicates that the terminal supports the IP address-based authentication method.
  • Step 302 The P-CSCF checks the IP address IP1 contained in the "sent-by" parameter of the Via header field in the registration message. If the IP address in the "sent-by" parameter differs from the source address of the received IP packet, the P-CSCF adds the parameter "received" to the Via header field, containing the source IP address IP2 of the received IP packet. The re-registration request is then forwarded to the I-CSCF.
  • Step 303 The I-CSCF receives the re-registration request forwarded by the P-CSCF, and then forwards the re-registration request to the S-CSCF.
  • Step 304 The S-CSCF receives the re-registration request and first checks whether the Via header field in the re-registration request includes a "sent-by" parameter and a "received" parameter. If it does, the parameter values in the request message are compared with the corresponding parameter values saved when the initial authentication passed. If they match, the user terminal is deemed to have passed authentication, and a successful confirmation is returned.
  • Step 305 the I-CSCF forwards the successful confirmation.
  • Step 306 the P-CSCF forwards the successful confirmation.
  • if the parameter values do not match in step 304, the user terminal fails authentication and needs to initiate re-authentication. The process is as follows, as shown in FIG. 4:
  • Steps 401 to 403 are the same as steps 301 to 303.
  • Step 404 The S-CSCF receives the re-registration request and first checks whether the Via header field of the registration request contains the "sent-by" parameter and the "received" parameter. If it does, the parameter values in the request message are compared with the corresponding values saved at initial registration. If they do not match, the user terminal needs to be re-authenticated, and the S-CSCF initiates re-authentication (401 challenge) towards the user terminal according to the user authentication information obtained by querying the HSS.
  • Steps 405 to 409 are the same as steps 205 to 209.
  • Step 410 The S-CSCF receives the registration request and performs matching according to the authentication response of the user terminal. If the matching succeeds, the user state is set to the registered state. The S-CSCF then checks whether the Via header field in the registration message contains the "sent-by" parameter and the "received" parameter; if it does, the IP1 in the "sent-by" parameter and the IP2 in the "received" parameter are saved, replacing the IP address IP1, or IP1 and IP2, saved when the previous authentication passed. The S-CSCF sends a successful acknowledgement to the user terminal.
  • Step 411 the I-CSCF forwards the successful confirmation.
  • Step 412 The P-CSCF forwards the successful confirmation.
  • the process for a non-registration authentication request is as follows, as shown in FIG. 5:
  • Step 501 The user terminal sends a non-registered authentication request, that is, a dialog request or a non-registered independent transaction request, in which the terminal indicates that it supports the IP address based authentication method.
  • Step 502 The P-CSCF forwards the non-registered authentication request to the corresponding S-CSCF.
  • Step 503 The S-CSCF receives the request message and first checks whether the Via header field in the request message includes a "sent-by" parameter and a "received" parameter. If it does, the parameter values in the non-registered authentication request message are compared with the corresponding parameter values saved when the user terminal authentication succeeded. If they match, the S-CSCF continues with the service logic processing; otherwise, the S-CSCF returns a 403 (Forbidden) response.
  • when the user terminal initiates an initial registration request using the HTTP Digest authentication method, the initial registration authentication process is basically the same as for IMS AKA and is not repeated here.
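The following is an added illustration, not code from the patent or from Huawei, of the Via-address binding that the description assigns to the P-CSCF (steps 202 and 302) and to the S-CSCF (saving IP1/IP2 at step 210, checking them at steps 304 and 404 for re-registration and at step 503 for non-registration requests). It assumes a simplified request model: the S-CSCF reads the bottom-most Via (the one inserted by the terminal), the P-CSCF's own Via line, the IMPU, all IP addresses and the `supports_ip_auth` flag standing in for "the terminal indicates support for the IP address authentication method" are constructed or hypothetical, and the AKA exchange itself is assumed to have already succeeded before `save_binding` is called.

```python
"""Added example: Via "sent-by"/"received" address binding as described for the P-CSCF and S-CSCF."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class SipRequest:
    method: str
    vias: list                    # topmost Via first; vias[-1] is the terminal's own Via
    source_ip: str                # constructed: source address of the IP packet as seen by the P-CSCF
    supports_ip_auth: bool = True  # hypothetical flag: "terminal supports the IP address authentication method"


@dataclass
class AddressBinding:
    ip1: str                      # host from the "sent-by" part of the terminal's Via
    ip2: Optional[str]            # value of the "received" parameter, if the P-CSCF added one


_VIA_RE = re.compile(r"^SIP/2\.0/(\w+)\s+([^;\s]+)(.*)$")


def parse_via(via: str):
    """Return (sent-by host, params). The port is dropped; IPv6 literals are unbracketed."""
    m = _VIA_RE.match(via.strip())
    if not m:
        raise ValueError(f"malformed Via: {via!r}")
    sent_by = m.group(2)
    if sent_by.startswith("["):
        host = sent_by[1:sent_by.index("]")]
    else:
        host, sep, port = sent_by.rpartition(":")
        if not (sep and port.isdigit()):
            host = sent_by
    params = {}
    for p in m.group(3).split(";"):
        if p.strip():
            k, _, v = p.partition("=")
            params[k.strip()] = v.strip()
    return host, params


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def pcscf_forward(req: SipRequest) -> SipRequest:
    """Steps 202/302: if sent-by is a domain name or differs from the packet source address,
    add ';received=<source IP>' to the terminal's Via, then put the P-CSCF's own Via on top."""
    # Drop any client-supplied "received" so only the P-CSCF's own observation survives.
    base = ";".join(p for p in req.vias[-1].split(";") if not p.strip().startswith("received="))
    host, _ = parse_via(base)
    if not is_ip_literal(host) or host != req.source_ip:
        base = f"{base};received={req.source_ip}"
    req.vias[-1] = base
    req.vias.insert(0, "SIP/2.0/UDP pcscf.example.net;branch=z9hG4bK-pcscf")  # constructed
    return req


class SCSCF:
    """Holds the per-IMPU address binding saved at step 210 / 410."""

    def __init__(self):
        self.bindings = {}

    def save_binding(self, impu: str, req: SipRequest) -> AddressBinding:
        """Step 210: called only after the AKA response matched; saves IP1 and, if present, IP2."""
        host, params = parse_via(req.vias[-1])
        binding = AddressBinding(ip1=host, ip2=params.get("received"))
        self.bindings[impu] = binding
        return binding

    def _address_matches(self, impu: str, req: SipRequest) -> bool:
        binding = self.bindings.get(impu)
        if binding is None:
            return False
        host, params = parse_via(req.vias[-1])
        return host == binding.ip1 and params.get("received") == binding.ip2

    def handle_reregister(self, impu: str, req: SipRequest) -> str:
        """Steps 304/404: match -> success; mismatch -> 401 challenge (re-authentication)."""
        if req.supports_ip_auth and self._address_matches(impu, req):
            return "200 OK"
        return "401 Unauthorized"

    def handle_non_register(self, impu: str, req: SipRequest) -> str:
        """Step 503: match -> continue service logic; mismatch -> 403 Forbidden."""
        if req.supports_ip_auth and self._address_matches(impu, req):
            return "continue"
        return "403 Forbidden"


def demo():
    """Constructed walk-through of FIG. 2, FIG. 3 and FIG. 5 with a NAT-style address change."""
    scscf = SCSCF()
    impu = "sip:alice@example.net"  # constructed
    # FIG. 2: terminal behind NAT writes 10.0.0.5 into Via, packets arrive from 198.51.100.7
    reg = pcscf_forward(SipRequest("REGISTER", ["SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK1"], "198.51.100.7"))
    binding = scscf.save_binding(impu, reg)
    # FIG. 3: re-registration from the same addresses
    rereg = pcscf_forward(SipRequest("REGISTER", ["SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK2"], "198.51.100.7"))
    same = scscf.handle_reregister(impu, rereg)
    # FIG. 5: INVITE whose packets now come from a different source address
    inv = pcscf_forward(SipRequest("INVITE", ["SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK3"], "203.0.113.9"))
    moved = scscf.handle_non_register(impu, inv)
    return binding, same, moved


if __name__ == "__main__":
    print(demo())
```

The point the demo makes is that the comparison only says something when the "received" value comes from the P-CSCF's own view of the packet: the terminal's "sent-by" is under the terminal's control, so the P-CSCF overwrites any "received" the client may have supplied before the S-CSCF binds or checks the pair.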
  • Step 601 The user terminal initiates an initial registration request according to the NBA authentication method, and the registration request indicates that the terminal supports the IP address authentication method.
  • Steps 602 to 603 are the same as steps 202 to 203.
  • Step 604 The S-CSCF receives the registration request forwarded by the I-CSCF. If the registration request includes the indication that the terminal supports the IP address authentication method, the S-CSCF considers that the terminal supports the IP address authentication method. The S-CSCF compares the user authentication information (user location information) obtained by the HSS query with the location information in the user registration request, and if the comparison passes, saves the IP address in the user registration message, and then returns a registration success response.
  • Step 605 The I-CSCF forwards the registration success response.
  • Step 606 After receiving the registration success response, the P-CSCF forwards the registration success response to the user terminal.
  • when the IMS network adopts the Digest or BA authentication mode, the process by which the user terminal initiates a re-registration request is the same as for IMS AKA and is not described here.
  • the network to which the present invention applies includes, but is not limited to, an IP Multimedia Subsystem (IMS) network, a packet network such as a Next Generation Network (NGN), and the Internet.
  • the signaling to which it applies includes, but is not limited to, the Session Initiation Protocol (SIP), the Hypertext Transfer Protocol (HTTP), and so on;
  • the authentication modes used by the network towards the terminal include, but are not limited to, IMS AKA and HTTP Digest;
  • the secure channel established between the user terminal and the network access control entity includes, but is not limited to, an IPSec secure channel, a Transport Layer Security (TLS) channel, or no secure channel at all.

Abstract

The invention relates to a user terminal authentication method which consists in determining, on receipt of a request message from the user terminal, whether the address information of the user terminal is contained in said request message. If so, the address information of the user terminal contained in the request message is compared with the stored address information of the user terminal, the authentication of the terminal succeeding when the address information matches. The invention also relates to a user terminal authentication system, a registration authentication control function and a call session function, intended to strengthen the security of the user terminal and to simplify the authentication process while reducing processing cost.
PCT/CN2007/000234 2006-03-02 2007-01-22 Method, system and device for authenticating a user terminal WO2007098669A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2006100340808A CN101030853B (zh) 2006-03-02 2006-03-02 A user terminal authentication method
CN200610034080.8 2006-03-02

Publications (1)

Publication Number Publication Date
WO2007098669A1 true WO2007098669A1 (fr) 2007-09-07

Family

ID=38458650

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2007/000234 WO2007098669A1 (fr) 2006-03-02 2007-01-22 Method, system and device for authenticating a user terminal

Country Status (2)

Country Link
CN (1) CN101030853B (fr)
WO (1) WO2007098669A1 (fr)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101184008B (zh) * 2007-12-14 2010-06-09 北京中星微电子有限公司 A remote information access method and apparatus
CN101997828B (zh) * 2009-08-28 2014-10-08 中国移动通信集团公司 Method, device and network for re-registration in an IP Multimedia Subsystem network
CN104243422A (zh) * 2013-06-19 2014-12-24 中兴通讯股份有限公司 Registration implementation method for a user terminal accessing an IMS network, and IMS
CN108243403B (zh) * 2016-12-26 2021-01-01 中国移动通信集团河南有限公司 Method for controlling VoLTE user registration to an S-CSCF, and I-CSCF network element
CN108811012A (zh) * 2018-06-01 2018-11-13 中国联合网络通信集团有限公司 Voice call method, IMS network and terminal

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002098062A1 (fr) * 2001-05-24 2002-12-05 British Telecommunications Public Limited Company Method for providing network access to a mobile terminal and corresponding network
US20030159067A1 (en) * 2002-02-21 2003-08-21 Nokia Corporation Method and apparatus for granting access by a portable phone to multimedia services
CN1650659A (zh) * 2002-08-16 2005-08-03 西门子公司 Method for authenticating a communication terminal device
CN1802016A (zh) * 2005-06-21 2006-07-12 华为技术有限公司 Method for authenticating a user terminal

Also Published As

Publication number Publication date
CN101030853A (zh) 2007-09-05
CN101030853B (zh) 2010-04-14

Similar Documents

Publication Publication Date Title
US7574735B2 (en) Method and network element for providing secure access to a packet data network
JP5139570B2 (ja) Method and apparatus for accessing an IP Multimedia Subsystem
JP3936362B2 (ja) Method and communication system for controlling the lifetime of a security association
US8335487B2 (en) Method for authenticating user terminal in IP multimedia sub-system
KR101343039B1 (ko) Authentication system, method and apparatus
WO2011079522A1 (fr) Authentication method, system and device
JP5345154B2 (ja) Message handling in an IP Multimedia Subsystem
US8713634B2 (en) Systems, methods and computer program products supporting provision of web services using IMS
US20080120705A1 (en) Systems, Methods and Computer Program Products Supporting Provision of Web Services Using IMS
WO2007098660A1 (fr) Method and system for authenticating network entities in a multimedia subsystem
US7940748B2 (en) Systems, methods and computer program products supporting provision of web services using IMS
WO2008025280A1 (fr) Authentication method and system
WO2007000115A1 (fr) Method for authenticating a device receiving a SIP request message
WO2007098669A1 (fr) Method, system and device for authenticating a user terminal
WO2014201904A1 (fr) Method for achieving registration when a user terminal accesses an IP Multimedia Subsystem (IMS) network, and IMS
CN102111379A (zh) Authentication system, method and device
CN102065069B (zh) Identity authentication method, apparatus and system
WO2011035579A1 (fr) Authentication method, system and terminal for a WLAN Authentication and Privacy Infrastructure (WAPI) terminal accessing an IP Multimedia Subsystem (IMS) network
WO2008089699A1 (fr) Method and system for authenticating a user terminal in an IMS network
CN102082769B (zh) Authentication system, apparatus and method for an IMS terminal obtaining non-IMS services
WO2013000285A1 (fr) Method for an access device to access an IMS network, and AGCF and S-CSCF
WO2008037196A1 (fr) Method, system and device for authentication in an IMS
Βράκας Enhancing security and privacy in VoIP/IMS environments
WO2008083631A1 (fr) User identity conversion apparatus, IMS, and methods for registration, call initiation and call termination

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 07702164; Country of ref document: EP; Kind code of ref document: A1)