WO2008089699A1 - Method and system for authenticating a user terminal in an IMS network - Google Patents

Method and system for authenticating a user terminal in an IMS network


Publication number
WO2008089699A1
Authority
WO
WIPO (PCT)
Prior art keywords
access
header field
authentication
network
mode
Prior art date
Application number
PCT/CN2008/070149
Other languages
English (en)
Chinese (zh)
Inventor
Chengdong He
Original Assignee
Huawei Technologies Co., Ltd.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2008089699A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management
    • H04L67/147 Signalling methods or messages providing extensions to protocols defined by standardisation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/06 Authentication
    • H04W12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/10 Architectures or entities
    • H04L65/1016 IP multimedia subsystem [IMS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/1066 Session management
    • H04L65/1073 Registration or de-registration

Definitions

  • the invention belongs to the technical field of IMS (IP Multimedia Service Subsystem), and particularly relates to a technology for access terminal authentication in an IMS network.
  • IP: Internet Protocol
  • 3G: third generation mobile communication system
  • TISPAN: Telecommunications and Internet Converged Services and Protocols for Advanced Networking
  • Security is an important consideration in both 3G and TISPAN.
  • From a security perspective, the IMS network is divided into an access domain and a core domain, and security specifications are defined separately for each.
  • The transport-network part of the IMS network depends on the specific access network, which may be a TISPAN/NGN (Next Generation Network) access network, a Packet Cable access network, a Wireless Local Area Network (WLAN) access network, and so on.
  • NBA: NASS-Bundled Authentication, the binding of IMS service-layer authentication to access-layer authentication
  • An embodiment of the present invention provides a method for authenticating a user terminal in an IMS network, and a CSCF, so that when different access networks access the same IMS network, the CSCF can distinguish the authentication mode of the user terminal and can therefore perform the correct authentication process for it.
  • An embodiment of the present invention provides a method for authenticating a user terminal in an IMS network, comprising: receiving a registration (REGISTER) message of the user terminal (UE); determining an authentication mode of the UE according to the Authorization header field and/or the private access network information (P-Access-Network-Info) header field in the REGISTER message; and performing an authentication process according to the determined authentication mode.
  • the embodiment of the present invention further provides a system, comprising an authentication mode determining unit configured to determine an authentication mode of the UE according to the Authorization header field and/or the P-Access-Network-Info header field in a REGISTER message of the UE.
  • FIG. 1 is a schematic block diagram of an I-CSCF in an embodiment of the present invention.
  • FIG. 2 is a flow chart of a method for authenticating a user terminal in an IMS network according to the present invention
  • FIG. 3 is a flowchart of a specific implementation manner of the embodiment of the present invention shown in FIG.
  • Figure 5 is a flow chart of the AKA authentication mode
  • Figure 7 is a flow chart of the NBA authentication mode
  • FIG. 8 is a flow chart of the HTTP DIGEST authentication method.
  • After receiving the REGISTER message sent by the P-CSCF, the I-CSCF distinguishes the authentication mode according to the Authorization header field and/or the P-Access-Network-Info header field in the REGISTER message, and then performs the subsequent authentication processing. It should be noted that the corresponding functions performed by the I-CSCF in the embodiment of the present invention may also be completed by other CSCF entities.
  • the embodiment of the invention discloses a system, which may be a CSCF (such as an I-CSCF) or another entity capable of performing the same function.
  • the system is described in detail below by taking the I-CSCF as an example.
  • the block diagram of the I-CSCF is as shown in FIG. 1 , and includes an authentication mode determining unit 11 .
  • the I-CSCF receives the REGISTER message
  • the I-CSCF determines the authentication mode adopted by the UE according to the Authorization header field and/or the P-Access-Network-Info header field in the message.
  • the authentication mode determining unit 11 analyzes the REGISTER message received by the I-CSCF:
  • the I-CSCF determines that the AKA authentication mode should be used
  • the access-type parameter in the header field or the P-Access-Network-Info header field indicates that the access network type is a cable access network, and the authentication mode of the UE is determined to be the HTTP digest mode.
  • the I-CSCF determines that the 3GPP Early IMS authentication mode should be adopted;
  • the I-CSCF determines that TISPAN's NBA or HTTP DIGEST authentication method should be used.
  • After the authentication mode determining unit 11 determines the authentication mode of the UE, the I-CSCF performs subsequent authentication processing according to the determined authentication mode.
  • the foregoing I-CSCF may further include a unit for receiving the REGISTER message of the UE, which provides the REGISTER message of the UE to the authentication mode determining unit 11; and may further include a unit that performs authentication according to the authentication mode determined by the authentication mode determining unit 11.
  • Step 21: Receive a registration (REGISTER) message of the user terminal (UE).
  • Step 22: Determine an authentication mode of the UE according to the Authorization header field and/or the private access network information (P-Access-Network-Info) header field in the REGISTER message.
  • the authentication mode of the UE is determined to be the Authentication and Key Agreement (AKA) mode.
  • the authentication mode of the UE is the Early IMS authentication mode.
  • the access-type parameter in the P-Access-Network-Info header field indicates that the access network type is a 3GPP mobile access network, and the authentication mode of the UE is determined to be the Early IMS authentication mode.
  • the access-type parameter in the P-Access-Network-Info header field indicates that the access network type is a TISPAN fixed access network, and the authentication mode of the UE is determined to be TISPAN's NBA mode (IMS service-layer authentication bound to NASS access-layer authentication) or the HTTP digest mode.
  • the value of the integrity-protected parameter in the Authorization header field in the REGISTER message corresponds to a value other than AKA, and the authentication mode of the UE is determined to be the HTTP digest mode;
  • the authentication mode of the UE is the HTTP digest mode
  • the access-type parameter in the P-Access-Network-Info header field indicates that the access network type is a cable access network, and the authentication mode of the UE is then determined to be the HTTP digest mode.
  • Step 23: Perform authentication processing according to the determined authentication mode.
  • the UE sends a REGISTER message to the P-CSCF to request registration.
  • the P-CSCF forwards the REGISTER message to the I-CSCF;
  • the I-CSCF determines the authentication mode of the user terminal according to the parameters in the Authorization header field, the parameters in the P-Access-Network-Info header field, or the parameters in both header fields;
  • the I-CSCF determines that the AKA authentication mode should be used
  • the access-type parameter in the -Info header field or the P-Access-Network-Info header field indicates that the access network type is a cable access network, and the authentication mode of the UE is determined to be the HTTP digest mode;
  • the access-type parameter in the P-Access-Network-Info header field or the P-Access-Network-Info header field indicates the 3GPP mobile access network, and the I-CSCF determines that the 3GPP Early IMS authentication mode should be used;
  • the I-CSCF determines that TISPAN's NBA or HTTP DIGEST authentication method should be used.
  • the I-CSCF determines the authentication mode
  • the I-CSCF performs subsequent authentication processing according to the corresponding authentication mode.
  • the specific process of the authentication method is as shown in FIG. 4, and includes the following steps:
  • the UE sends a REGISTER message to the P-CSCF to request registration.
  • the P-CSCF forwards the REGISTER message to the I-CSCF, and the I-CSCF receives the REGISTER message;
  • the I-CSCF determines whether the Authorization header field exists in the message. If not, go to step 4. If yes, go to step 7;
  • I-CSCF further determines whether there is a P-Access-Network-Info header field in the REGISTER message, if yes, go to step 5, otherwise go directly to step 6;
  • the I-CSCF further determines whether the access network type indicated by the access-type in the P-Access-Network-Info header field is a 3GPP mobile access network or a TISPAN fixed access network. If it is a 3GPP mobile access network, such as 3GPP-GERAN (GSM EDGE Radio Access Network), 3GPP-UTRAN-FDD (Universal Terrestrial Radio Access Network, Frequency Division Duplex) or 3GPP-UTRAN-TDD (Universal Terrestrial Radio Access Network, Time Division Duplex), go to step 6; if it is a TISPAN fixed access network, such as NASS (Network Attachment Subsystem) or DSL (Digital Subscriber Line), go to step 9;
  • the I-CSCF determines that the authentication mode is 3GPP Early IMS; if not, go to step 8, otherwise go to step 10;
  • the I-CSCF determines whether the access-type in the P-Access-Network-Info header field indicates that the access network type is a TISPAN fixed access network, and if yes, go to step 9, otherwise go to step 11;
  • the I-CSCF determines the NBA or HTTP DIGEST authentication mode using TISPAN.
  • the I-CSCF can further distinguish the two authentication methods as follows: If the TISPAN fixed access network type is indicated as
  • the I-CSCF determines whether the value of the integrity-protected parameter corresponds to AKA (for example, its value is "YES" or "NO"); if yes, go to step 12, otherwise go to step 11;
  • the I-CSCF processes this as another case; for example, if the value of the integrity-protected parameter in the Authorization header field in the REGISTER message corresponds to a value other than AKA, or if there is no integrity-protected parameter in the Authorization header field in the REGISTER message and the access-type parameter in the P-Access-Network-Info header field indicates that the access network type is a cable access network, then the authentication mode of the UE is determined to be the HTTP digest mode.
  • the I-CSCF determines that the authentication method is AKA.
  • the subsequent authentication process is performed.
  • Different authentication methods correspond to different authentication processes.
  • the specific authentication process can refer to the application process corresponding to various authentication modes.
  • the application flow corresponding to each of several authentication methods is given below.
  • the application process of the UE is the application flow corresponding to the AKA mode, and the main steps are as follows:
  • the initial key K is shared between the UE (user terminal) and the HSS (Home Subscriber Server).
  • SM1-CM2: The user initiates a registration request SM1 (SM, SIP Message, indicates that the message between the two entities is a SIP message), and the S-CSCF requests data from the HSS through CM1 (CM, Cx interface Message, indicates a Cx interface message between the I/S-CSCF and the HSS, which uses the DIAMETER protocol rather than SIP).
  • the HSS generates an authentication quintuple based on the initial key K and the sequence number (SQN, Sequence Number) and delivers it to the S-CSCF (Serving Call Session Control Function) through CM2. The quintuple consists of random data (RAND), authentication token (AUTN), expected response (XRES), integrity key (IK) and ciphering key (CK).
  • The S-CSCF returns a 401 response (authentication challenge) to the user, carrying the four items of the quintuple other than XRES.
  • P-CSCF Proxy Call Session Control Function
  • the UE verifies whether the network device is trusted according to information such as the initial key K and the SQN, together with the AUTN received from the network device. If the verification succeeds, the network device is trusted, and the UE combines RAND and K to produce the result RES. RES is used as the "password" when the terminal calculates the response, and the result of the calculation is sent to the network side in SM7 (authentication response). The UE also calculates IK and CK by itself.
  • the S-CSCF receives in SM9 the response information generated from RES and compares it with the result calculated from XRES. If the two are the same, the authentication of the user is considered successful.
  • the UE initiates registration with the IMS (IP Multimedia Core Network Subsystem) network, mutual authentication between the UE and the IMS network is implemented through AKA, and a security association is also established between the UE and the P-CSCF (Proxy Call Session Control Function entity).
  • the UE and the P-CSCF share an encryption key CK and an integrity protection key IK. These two keys will be used for secure communication channels between the UE and the P-CSCF.
  • FIG. 6 is an application flow corresponding to the Early IMS authentication mode.
  • the user terminal accesses a GPRS (General Packet Radio Service) network; the GGSN (Gateway GPRS Support Node) authenticates the user identifiers IMSI (International Mobile Subscriber Identity) and MSISDN (Mobile Station International ISDN Number) and allocates a network transport layer identifier, an IP address, to the user terminal.
  • Step 1: The GGSN transmits the correspondence between the user identifier and the terminal IP address to the HSS through an "Accounting Request Start", and the HSS saves the correspondence;
  • Step 2: The HSS responds with an "Accounting Request Answer";
  • Step 3: The user terminal initiates a REGISTER request to the P-CSCF.
  • the P-CSCF compares the IP address in the sent-by field of the Via header field in the REGISTER message with the source IP address in the IP header of the REGISTER message. If they are inconsistent, it adds a received field to the Via header field and fills it with the source IP address from the IP header. The P-CSCF then forwards the REGISTER request to the S-CSCF.
  • the S-CSCF checks, based on the public user ID in the REGISTER request, whether the user is already registered.
  • Step 4: If the user is not registered, the S-CSCF requests from the HSS the terminal IP address corresponding to the public user ID (the HSS is statically configured with the correspondence between the public user ID and the MSISDN, and obtains the corresponding terminal IP address through the public user identifier);
  • Step 5: The HSS returns the terminal IP address corresponding to the public user identifier.
  • Step 6: The S-CSCF checks the source IP address of the received REGISTER (if there is a received field in the Via header field, the received field is compared preferentially; otherwise the sent-by field in the Via header field is compared). If it is the same as the IP address obtained from the HSS, the authentication success message is sent to the GGSN.
  • the Early IMS access domain security mechanism is only for a specific wireless access environment, and has special requirements for the access network, and cannot guarantee user access security in other access environments.
  • Step 101 Network Attachment Subsystem (NASS) access layer attachment authentication, and a connection location function entity (Connection Location)
  • NASS Network Attachment Subsystem
  • CLF Connection Location Function
  • Step 102 The UE sends a registration message REGISTER message to the P-CSCF, where the message carries the access operator identifier and the access user identifier.
  • Step 103: The P-CSCF determines whether a security association with the UE needs to be established by checking whether the REGISTER message includes a security negotiation parameter (for example, Security-Client). If the parameter is present, the security association needs to be established; if it is absent, it does not. In general, Authentication and Key Agreement (AKA) must have this parameter, and NASS-Bundled and HTTP digest (HTTP DIGEST) certainly do not have it.
  • Step 104 The P-CSCF determines the CLF according to the access operator identifier in the registration message and the correspondence between the preset access carrier identifier and the CLF. Then, the P-CSCF queries the location information of the user in the CLF determined above according to the source IP address of the registration message.
  • Step 105 Since the location information corresponding to the source IP address is pre-stored in the CLF, the CLF returns corresponding location information and other information to the P-CSCF in this step.
  • Step 106: The P-CSCF sends the registration message REGISTER, carrying the location information and other information obtained in the previous step, to the Interrogating-Call Session Control Function (I-CSCF).
  • Step 107: The I-CSCF sends a User Authorization Request (UAR) message to the User Profile Server Function (UPSF).
  • Step 108: The UPSF returns a User Authorization Answer (UAA) message.
  • Step 109 The I-CSCF selects a corresponding S-CSCF according to the message returned from the UPSF, that is, selects which S-CSCF processes the registration.
  • Step 110 The I-CSCF forwards the registration message REGISTER including the location information to the S-CSCF determined above.
  • the authentication request sent by the S-CSCF to the UPSF is only for requesting the authentication parameter. If there is no such parameter, the configured authentication mode needs to be queried from the UPSF, and the request that the S-CSCF sends to the UPSF asks for both the authentication mode and the corresponding authentication parameters. Since the NASS-Bundled authentication method is used here, the Integrity-Protected parameter is not included in the REGISTER message.
  • the S-CSCF sends a MAR (Multimedia Authentication Request) message to the UPSF, requesting the user's authentication vector and corresponding authentication parameters.
  • Step 112 The UPSF checks the authentication subscription data of the user, and finds that the authentication mode of the user is the NASS-Bundled authentication mode.
  • Step 113: The UPSF sends a Multimedia Authentication Answer (MAA) message to the S-CSCF, returning the user's authentication mode and the authentication parameter, that is, the location information.
  • Step 114: The S-CSCF compares the location information sent from the P-CSCF with the location information obtained from the UPSF query. If the information is consistent, the authentication succeeds, and step 115 and the subsequent steps are performed, that is, a message that the authentication succeeded is sent to the UE. If the information is inconsistent, the authentication fails, and step 115 and the subsequent steps are performed, that is, a message that the authentication failed is sent to the UE.
  • Step 115 The S-CSCF sends a 2xx Auth_OK message to the I-CSCF, indicating that the authentication succeeds.
  • Step 116 The I-CSCF sends the foregoing 2xx Auth_OK message to the P-CSCF.
  • Step 117 The P-CSCF sends the foregoing 2xx Auth_OK message to the UE.
  • FIG. 8 is an application flow corresponding to the HTTP DIGEST authentication method, which includes the following steps:
  • Step 201 The UE sends a registration message to the P-CSCF.
  • Step 202: The P-CSCF determines whether a security association with the UE needs to be established by checking whether the REGISTER message includes a security negotiation parameter (for example, Security-Client). If the parameter is present, the security association needs to be established; if it is absent, it does not. In general, Authentication and Key Agreement (AKA) must have this parameter, and NASS-Bundled and HTTP digest (HTTP DIGEST) certainly do not have it.
  • Step 203 The P-CSCF forwards the registration message REGISTER of the UE to the I-CSCF.
  • the message also carries the location information of the UE obtained by the P-CSCF from the CLF query.
  • Step 205 The I-CSCF forwards the UE registration REGISTER to the S-CSCF determined in step 204.
  • Step 206 The S-CSCF determines which authentication method is adopted by whether the Integrity-Protected parameter is included in the REGISTER message. If there is this parameter, it is definitely the AKA mode.
  • the authentication request sent by the S-CSCF to the UPSF is only for requesting the authentication parameter. If there is no such parameter, the configured authentication mode needs to be queried from the UPSF, and the request that the S-CSCF sends to the UPSF asks for both the authentication mode and the corresponding authentication parameters. Since the HTTP DIGEST authentication method is used here, the Integrity-Protected parameter is not included in the REGISTER message.
  • the S-CSCF and the UPSF update the S-CSCF indication information on the UPSF through the Cx-Put message, and inform the UPSF that the subsequent processing by the user is performed in the S-CSCF.
  • Step 207 The S-CSCF sends an MAR message to the UPSF, requesting the user's authentication mode and authentication data.
  • Step 208 The UPSF checks the authentication subscription data of the user, and obtains the authentication mode of the user according to the authentication subscription data as an HTTP DIGEST authentication mode, and generates an authentication vector such as nonce and an expected result (XRES) and the like.
  • Step 209: The UPSF sends a MAR message to the S-CSCF, which delivers the user authentication mode information HTTP DIGEST, the authentication parameter nonce, the expected result (XRES), and the like to the S-CSCF.
  • Step 210: The S-CSCF calculates the expected result XRES.
  • Step 211: The S-CSCF obtains the authentication mode information and saves the XRES, and then sends the "4xx Auth_Challenge" message to the I-CSCF; the Algorithm parameter in the WWW-Authenticate header of the message indicates that the HTTP DIGEST authentication method is used.
  • Step 212: The I-CSCF sends the "4xx Auth_Challenge" message to the P-CSCF; the Algorithm parameter in the WWW-Authenticate header of the message indicates that the HTTP DIGEST authentication method is used.
  • Step 213: The P-CSCF sends the "4xx Auth_Challenge" message to the UE.
  • Step 214: After receiving the "4xx Auth_Challenge" message, the UE finds that the Algorithm parameter indicates the HTTP DIGEST authentication mode, and re-sends the registration message REGISTER to the P-CSCF, carrying the response (RES) for authentication.
  • Step 215 The P-CSCF sends a registration message REGISTER carrying the RES to the I-CSCF.
  • the -CSCF indication message informs the I-CSCF to process the S-CSCF of the registration.
  • the S-CSCF sends a message of successful authentication or authentication failure to the UE.
  • Step 217 the I-CSCF forwards the registration REGISTER to the S-CSCF determined in step 216.
  • Step 219 The S-CSCF and the UPSF update the S-CSCF indication information on the UPSF by using a Cx-Put message, and notify the UPSF that the subsequent processing by the user is performed in the S-CSCF.
  • Step 220 The S-CSCF and the UPSF obtain the subscription data information of the user by using a Cx-Pull message.
  • Step 221 The S-CSCF sends a 200 message indicating that the authentication succeeds to the I-CSCF, or a 403 Forbidden message indicating that the authentication fails. In the figure, only the 200 message when the authentication succeeds is indicated.
  • Step 222 The I-CSCF sends the foregoing message to the P-CSCF.
  • Step 223 The P-CSCF sends the foregoing message to the UE.
  • the I-CSCF needs to derive the IMPI (IMS Private User Identity) from the IMPU (IMS Public User Identity) as follows: the URI (Uniform Resource Identifier), port number, etc. are removed from the IMPU and the result is used as the IMPI. This is not required for other authentication methods.
  • the I-CSCF needs to perform the following S-CSCF reselection procedure: if the previously selected S-CSCF does not respond to the REGISTER message sent by the I-CSCF, or sends a response message such as 3XX or 480, and the REGISTER message has no "integrity-protected" header field, the I-CSCF performs the S-CSCF reselection process to select a new S-CSCF. This is not required for other authentication methods.
  • the registration message may contain the Authorization header field (with the IMPI) or may not include it, so the message may or may not include the IMPI; as a result, when IMPF interacts with CFX, the method of acquiring the IMPI may be different from that of Early IMS.
  • After the I-CSCF receives the REGISTER message, it first determines whether the Authorization header field exists in the message, and then makes the next judgment according to whether or not it is present. In actual applications, however, it is also possible to determine first whether the P-Access-Network-Info header field exists in the REGISTER message, and then make the next judgment according to its presence or absence. That is, the I-CSCF's evaluation of the Authorization header field, the P-Access-Network-Info header field and their parameters is not limited to a specific order, and one authentication method can be uniquely determined according to one or both of the two header fields.
  • The HTTP DIGEST authentication method in the foregoing specific embodiment of the present invention is a general term, which includes not only the HTTP DIGEST authentication method in the traditional sense, but also the SIP DIGEST authentication method developed from the traditional HTTP DIGEST.
  • the I-CSCF determines the authentication mode of the user terminal based on the parameters in the Authorization header field and/or the P-Access-Network-Info header field of the REGISTER message, which solves the problem of how the I-CSCF distinguishes the various authentication modes when multiple access networks access the same IMS core network.
  • the technical solution provided by the embodiment of the present invention is also extensible: when other access networks that access the same IMS core network introduce a new authentication mode, it can readily solve the problem of how the I-CSCF distinguishes that new authentication mode.
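
The twelve-step decision flow that the description walks through for FIG. 4 can be written as one function over the two header fields. The Python below is an added example, not code from the patent or from any CSCF product. Its assumptions: the test at step 7 (whether the Authorization header carries an integrity-protected parameter) is inferred, because that step's condition is missing from the text above; the access-type tokens ADSL, ADSL2, SDSL, VDSL and DOCSIS stand in for the "TISPAN fixed" and "cable" access networks; and every sample message is constructed.

```python
import re
from enum import Enum


class AuthMode(Enum):
    AKA = "IMS AKA"
    EARLY_IMS = "3GPP Early IMS"
    TISPAN_NBA_OR_DIGEST = "TISPAN NBA or HTTP DIGEST"
    HTTP_DIGEST = "HTTP DIGEST"
    UNDETERMINED = "not defined by the flow"


# access-type values the page names for 3GPP mobile access networks
MOBILE_3GPP = {"3GPP-GERAN", "3GPP-UTRAN-FDD", "3GPP-UTRAN-TDD"}
# Assumed tokens for this example: the page only says "TISPAN fixed access
# network, such as NASS or DSL" and "cable access network".
FIXED_TISPAN = {"ADSL", "ADSL2", "SDSL", "VDSL"}
CABLE = {"DOCSIS"}
# The page gives "YES"/"NO" as integrity-protected values that correspond to AKA.
AKA_VALUES = {"yes", "no"}


def parse_headers(raw):
    """Map lower-cased header names to values. First occurrence wins;
    compact header forms and folded lines are not handled here."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), value.strip())
    return headers


def auth_params(value):
    """Parse 'Digest k="v", k2=v2' into a dict with lower-cased keys."""
    _scheme, _, rest = value.partition(" ")
    pairs = re.findall(r'([\w-]+)\s*=\s*("[^"]*"|[^,\s]+)', rest)
    return {k.lower(): v.strip('"') for k, v in pairs}


def determine_auth_mode(raw_register):
    """Apply the FIG. 4 flow; comments give the step transitions."""
    headers = parse_headers(raw_register)
    auth = headers.get("authorization")
    pani = headers.get("p-access-network-info")
    atype = pani.split(";", 1)[0].strip().upper() if pani else None

    if auth is None:                                  # step 3 -> step 4
        if pani is None or atype in MOBILE_3GPP:      # step 4 or 5 -> step 6
            return AuthMode.EARLY_IMS
        if atype in FIXED_TISPAN:                     # step 5 -> step 9
            return AuthMode.TISPAN_NBA_OR_DIGEST
        return AuthMode.UNDETERMINED                  # branch not given on the page

    protected = auth_params(auth).get("integrity-protected")
    if protected is None:                             # step 7 (assumed) -> step 8
        if atype in FIXED_TISPAN:                     # step 8 -> step 9
            return AuthMode.TISPAN_NBA_OR_DIGEST
        if atype in CABLE:                            # step 11, cable example
            return AuthMode.HTTP_DIGEST
        return AuthMode.UNDETERMINED                  # step 11, "another case"
    if protected.lower() in AKA_VALUES:               # step 10 -> step 12
        return AuthMode.AKA
    return AuthMode.HTTP_DIGEST                       # step 10 -> step 11


def sample_register(authorization=None, pani=None):
    """Build a constructed REGISTER; all names are placeholders."""
    lines = [
        "REGISTER sip:home1.example SIP/2.0",
        "Via: SIP/2.0/UDP pcscf1.visited1.example;branch=z9hG4bKconstructed",
        "From: <sip:user1@home1.example>;tag=constructed",
        "To: <sip:user1@home1.example>",
        "Call-ID: constructed-call-id",
        "CSeq: 1 REGISTER",
    ]
    if authorization is not None:
        lines.append("Authorization: " + authorization)
    if pani is not None:
        lines.append("P-Access-Network-Info: " + pani)
    return "\r\n".join(lines) + "\r\n\r\n"


# Constructed Authorization value without an integrity-protected parameter
DIGEST = ('Digest username="user1_private@home1.example", '
          'realm="home1.example", nonce="", uri="sip:home1.example", response=""')

if __name__ == "__main__":
    cases = [
        (None, None),
        (None, "3GPP-GERAN"),
        (None, "ADSL"),
        (DIGEST, "ADSL"),
        (DIGEST, "DOCSIS"),
        (DIGEST + ', integrity-protected="no"', "3GPP-UTRAN-TDD"),
        (DIGEST + ', integrity-protected="tls-yes"', None),
    ]
    for authorization, pani in cases:
        mode = determine_auth_mode(sample_register(authorization, pani))
        print(bool(authorization), pani, "->", mode.value)
```

Both header fields arrive in the REGISTER itself, so the `UNDETERMINED` result marks combinations the flow leaves open and should be handled explicitly rather than falling through to a default mode.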

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention relates to a method and a system for authenticating a user terminal in an IMS network, comprising: receiving a registration message from the user terminal (UE); determining an authentication mode according to the Authorization header field and/or the P-Access-Network-Info header field in the registration message; and performing authentication processing according to the determined authentication mode.
PCT/CN2008/070149 2007-01-23 2008-01-21 Method and system for authenticating a user terminal in an IMS network WO2008089699A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2007100730235A CN101232707B (zh) 2007-01-23 2007-01-23 Method for distinguishing user terminal authentication modes in an IMS network, and I-CSCF
CN200710073023.5 2007-01-23

Publications (1)

Publication Number Publication Date
WO2008089699A1 true WO2008089699A1 (fr) 2008-07-31

Family

ID=39644139

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/070149 WO2008089699A1 (fr) 2007-01-23 2008-01-21 Method and system for authenticating a user terminal in an IMS network

Country Status (2)

Country Link
CN (1) CN101232707B (fr)
WO (1) WO2008089699A1 (fr)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104683347A (zh) * 2015-03-12 2015-06-03 Northeastern University Signaling interaction method for trusted communication based on IMS, and trusted authentication system
WO2022247938A1 (fr) * 2021-05-28 2022-12-01 Huawei Technologies Co., Ltd. Terminal device registration method, related device, system, and storage medium

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
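CN102917342B (zh) * 2008-09-28 2015-11-25 Huawei Technologies Co., Ltd. User equipment activity information notification method and system, network element device, and server
CN101815296A (zh) * 2009-02-23 2010-08-25 Huawei Technologies Co., Ltd. Method, apparatus and system for access authentication
CN104066073B (zh) * 2014-06-30 2017-08-25 China United Network Communications Group Co., Ltd. Voice service processing method and system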

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040043756A1 (en) * 2002-09-03 2004-03-04 Tao Haukka Method and system for authentication in IP multimedia core network system (IMS)
EP1414212A1 (fr) * 2002-10-22 2004-04-28 Telefonaktiebolaget L M Ericsson (Publ) Method and system for authenticating users in a telecommunication system
CN1893352A (zh) * 2005-07-05 2007-01-10 Huawei Technologies Co., Ltd. Authentication method for an Internet Protocol multimedia subsystem
CN101043744A (zh) * 2006-03-21 2007-09-26 Huawei Technologies Co., Ltd. Method for user terminal access authentication in an IMS network

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
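CN104683347A (zh) * 2015-03-12 2015-06-03 Northeastern University Signaling interaction method for trusted communication based on IMS, and trusted authentication system
CN104683347B (zh) * 2015-03-12 2017-10-17 Northeastern University Signaling interaction method for trusted communication based on IMS, and trusted authentication system
WO2022247938A1 (fr) * 2021-05-28 2022-12-01 Huawei Technologies Co., Ltd. Terminal device registration method, related device, system, and storage medium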

Also Published As

Publication number Publication date
CN101232707A (zh) 2008-07-30
CN101232707B (zh) 2012-03-21

Similar Documents

Publication Publication Date Title
EP1879324B1 (fr) Method for authenticating a user terminal in an IP multimedia subsystem
CN101043744B (zh) Method for user terminal access authentication in an IMS network
US8880873B2 (en) Method, system and device for authenticating cardless terminal using application server
WO2007003140A1 (fr) Authentication method for an Internet Protocol multimedia subsystem
WO2007016847A1 (fr) Method for implementing initial registration of the Internet Protocol multimedia subsystem
US8959343B2 (en) Authentication system, method and device
JP6330916B2 (ja) System and method for webRTC
WO2006047925A1 (fr) Method for selecting the authentication mode on the network side
WO2006125359A1 (fr) Method for implementing access domain security of an IP multimedia subsystem
WO2007098660A1 (fr) Method and system for authenticating network entities in a multimedia subsystem
EP1563654A2 (fr) User equipment adapted to the SIP signaling protocol for providing multimedia services with quality of service
WO2008113299A1 (fr) Method for authentication and secret key negotiation, certification method, system and device
WO2011022999A1 (fr) Method and system for encrypting videoconference data by a terminal
WO2012068922A1 (fr) IMS multimedia communication method and system, terminal and IMS core network
WO2006072209A1 (fr) Method for negotiating a key in an IP multimedia subsystem
WO2008025280A1 (fr) Authentication method and system
WO2011038691A1 (fr) Authentication method and device
WO2008025272A1 (fr) Session initiation protocol system, means for establishing a security channel and corresponding method
WO2008089699A1 (fr) Method and system for authenticating a user terminal in an IMS network
WO2006072219A1 (fr) Authentication system for an IP multimedia subsystem network and associated method
WO2007022800A1 (fr) Method and device for providing access security in a communications network
CN101106457B (zh) Method for determining the user terminal authentication mode in an IP multimedia subsystem network
WO2011035579A1 (fr) Method, system and terminal for authentication of a wireless local area network authentication and privacy infrastructure (WAPI) terminal accessing an IP multimedia subsystem (IMS) network
WO2007098669A1 (fr) Method, system and device for user terminal authentication
WO2011147258A1 (fr) Method, system and user equipment for card authentication

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08700806

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08700806

Country of ref document: EP

Kind code of ref document: A1