WO2011038691A1 - Authentication method and device - Google Patents


Info

Publication number
WO2011038691A1
Authority
WO
WIPO (PCT)
Prior art keywords
application server
authentication information
authentication
ims network
message
Application number
PCT/CN2010/077516
Other languages
French (fr)
Chinese (zh)
Inventor
谢国军
谢秀洪
Original Assignee
华为技术有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L 65/10 Architectures or entities
    • H04L 65/1016 IP multimedia subsystem [IMS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L 65/1066 Session management
    • H04L 65/1073 Registration or de-registration

Definitions

  • the present invention relates to the field of communications, and in particular, to an authentication method and apparatus.
  • Background Art: In an IMS (IP Multimedia Subsystem) network, in addition to the network devices that provide basic telecommunication services, there are many application servers that provide value-added services. Such application servers can operate independently of the IMS network. To ensure legitimate service usage and correct billing, many application servers need to authenticate the UE (User Equipment) separately. For example, for an application server GROUP that provides address book storage and management, the UE must provide the correct username and password to pass GROUP's authentication before using the services GROUP provides, regardless of whether the UE has already authenticated through the IMS network.
  • UE: User Equipment
  • FIG. 1 is a flow chart of the prior art IMS network authentication and application server authentication.
  • S101-S104: the prior-art IMS network standard authentication process.
  • S105-S107: the prior-art application server authentication process, where S105 requires the user to manually input authentication information a second time.
  • Embodiments of the present invention provide an authentication method, an authentication information transmission method, and an apparatus.
  • the embodiment of the present invention provides an authentication method, where the method includes: receiving an IP multimedia subsystem IMS network authentication request sent by a user equipment UE; obtaining application server authentication information from a home subscriber server HSS according to the IMS network authentication request; and sending an IMS network authentication response message including the application server authentication information to the UE, to trigger the UE to use the application server authentication information to authenticate to the application server.
  • an embodiment of the present invention provides a method for transmitting authentication information, where the method includes: receiving a first message sent by a call session control function entity CSCF, where the first message includes the identifier of a UE requesting IMS network authentication; determining, according to the first message, whether there is application server authentication information corresponding to the UE; and, when there is application server authentication information corresponding to the UE, sending to the CSCF a second message that includes the application server authentication information corresponding to the UE.
  • an embodiment of the present invention provides an authentication method, where the authentication method includes: sending an IP multimedia subsystem IMS network authentication request to a call session control function entity CSCF; and receiving an IMS network authentication response message sent by the CSCF, where the IMS network authentication response message carries application server authentication information, and the application server authentication information is used to authenticate to the application server.
  • the embodiment of the present invention provides a call session control function entity CSCF, which includes: an authentication request receiving unit, configured to receive an IP multimedia subsystem IMS network authentication request sent by the user equipment UE; an authentication information obtaining unit, configured to obtain the application server authentication information from the home subscriber server HSS according to the IMS network authentication request; and an authentication response sending unit, configured to send an IMS network authentication response message including the application server authentication information to the UE, to trigger the UE to use the application server authentication information to authenticate to the application server.
  • the embodiment of the present invention provides a home subscriber server, which includes: a receiving unit, configured to receive a first message sent by a call session control function entity CSCF, where the first message includes the identifier of a UE requesting IMS network authentication; a determining unit, configured to determine whether there is application server authentication information corresponding to the UE; and a sending unit, configured to send to the CSCF, when there is application server authentication information corresponding to the UE, a second message including the application server authentication information corresponding to the UE.
  • the embodiment of the present invention provides a user equipment, which includes: a first authentication request sending unit, configured to send an IP multimedia subsystem IMS network authentication request to a call session control function entity CSCF; an authentication response receiving unit, configured to receive an IMS network authentication response message sent by the CSCF, where the IMS network authentication response message carries application server authentication information; and a second authentication request sending unit, configured to use the application server authentication information to authenticate to the application server.
  • the technical solution provided by the embodiment of the present invention carries the application server authentication information in the result returned by the IMS network authentication. This realizes unified authentication of the IMS network and the application server, and automatic authentication of the application server: the user does not need to intervene in the authentication process, which is convenient for both the user and operator management, and the existing IMS network authentication process is fully reused, keeping the solution simple.
  • FIG. 3 is a functional block diagram of a system according to Embodiment 1 of the present invention.
  • Figure 4a is a specific flowchart 1 of the method of Embodiment 2 of the present invention.
  • Figure 5 is a flowchart of a method according to Embodiment 3 of the present invention.
  • FIG. 6 is a schematic structural diagram of an extension of a User Profile according to Embodiment 3 of the present invention.
  • FIG. 7 is a diagram showing an example of an in-line format of a user profile according to Embodiment 3 of the present invention.
  • FIG. 8 is a schematic structural diagram of application server authentication information according to Embodiment 3 of the present invention.
  • Figure 10b is a specific flowchart 2 of the method of Embodiment 4 of the present invention.
  • FIG. 11 is a functional block diagram of a call session control function entity according to Embodiment 5 of the present invention.
  • FIG. 11a is a functional block diagram of an authentication information acquiring unit according to Embodiment 5 of the present invention.
  • FIG. 11b is a functional block diagram of an authentication response sending unit according to Embodiment 5 of the present invention.
  • FIG. 12 is a functional block diagram of a home subscriber server according to Embodiment 6 of the present invention.
  • FIG. 13 is a block diagram showing the overall function of a user equipment according to Embodiment 7 of the present invention.
  • FIG. 14 is a detailed functional block diagram of a user equipment according to Embodiment 7 of the present invention.
  • the technical solutions in the embodiments of the present invention are clearly and completely described in the following with reference to the accompanying drawings in the embodiments of the present invention.
  • the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without departing from the inventive scope fall within the scope of the present invention.
  • the application server according to the embodiment of the present invention mainly refers to an application server that is independent of the IMS network and needs independent authentication.
  • Such an application server usually provides value-added services independently, such as a "WEB domain application server".
  • the interface between the HSS (Home Subscriber Server) and the CSCF (Call Session Control Function) includes the Cx interface, whose main functions include location management, user data download/update processing, and user authentication.
  • Embodiment 1: Embodiment 1 of the present invention provides a method and system for unified authentication of an IP multimedia subsystem IMS network and an application server.
  • Embodiment 1 of the present invention utilizes existing IMS devices and processes, with appropriate extensions, to support unified authentication of the IMS network and the application server. That is, after the UE has been authenticated by the IMS network, the UE uses the authentication information acquired during the IMS network authentication process to authenticate automatically to the other application servers it is authorized to use, and the user does not need to intervene.
  • FIG. 2 is a flowchart of signaling interaction of a system according to Embodiment 1 of the present invention. As shown in Figure 2, the signaling interaction process includes:
  • S201: the user equipment performs IP multimedia subsystem IMS network authentication; the UE sends an IMS network authentication request to the CSCF;
  • the authentication algorithms include IMS AKA (Authentication and Key Agreement), Early AKA, or HTTP Digest (the HTTP digest authentication algorithm), among others.
  • S202: the CSCF sends a SAR message to the HSS to obtain the user subscription information (User Profile) of the UE.
  • S203: the HSS returns the User Profile of the UE to the CSCF through the extended SAA message; if the corresponding IMPU (IP Multimedia Public Identity) or IRS (Implicit Registration Set) has associated application server authentication information, the User Profile includes the application server authentication information; otherwise, the User Profile does not include it;
  • S204: the CSCF determines whether the User Profile carries the application server authentication information. If not, the CSCF returns an IMS network authentication response message 200 OK that is the same as in the prior art. If yes, the IMS network authentication response message 200 OK returned to the UE carries the above application server authentication information;
  • S205: the UE checks whether the p-aso-uri-spec list carries the http-username, http-token and other parameters. From the first URI that has the http-username parameter, it takes the http-token and the other parameters and decrypts them with CK (the check bit); if the UE and the IMS network use HTTP Digest authentication, HA1 is used for decryption instead.
  • S206 The UE performs authentication on the application server according to the returned authentication information.
  • the application server uses the HTTP Digest authentication method to authenticate the user.
  • the UE uses the HTTP username and HTTP Token (WEB Password) obtained from the IMS network to calculate the authentication Digest response and complete the authentication.
  • the application server returns an authentication result.
  • S206-S207 may be executed repeatedly.
  • Embodiment 1 of the present invention implements unified authentication of the IMS network and the application server by using the existing authentication process.
  • a system 10 for IP multimedia subsystem IMS network and application server unified authentication according to Embodiment 1 of the present invention includes:
  • the user equipment UE 101 is configured to send an IP multimedia subsystem IMS network authentication request to the call session control function entity CSCF 102, receive the IMS network authentication response message 200 OK sent by the CSCF 102, where the 200 OK carries the application server authentication information, and use the application server authentication information to authenticate to the application server;
  • the call session control function entity CSCF 102 is configured to receive the IP multimedia subsystem IMS network authentication request sent by the user equipment UE 101, send a SAR message to the home subscriber server HSS 103 to obtain the user subscription information User Profile of the UE 101, receive the SAA message sent by the HSS 103, where the SAA message includes the User Profile and the User Profile carries application server authentication information, and send an IMS network authentication response message 200 OK including the application server authentication information to the UE 101, to trigger the UE 101 to use the application server authentication information to authenticate to the application server 104;
  • the home subscriber server HSS 103 is configured to receive the SAR message sent by the call session control function entity CSCF 102 and, when the application server authentication information corresponding to the UE 101 is stored, send to the CSCF 102 an SAA message containing the user subscription information User Profile of the UE 101, where the User Profile carries the application server authentication information;
  • the application server AS104 is configured to receive an authentication request sent by the UE 101, perform authentication on the UE 101, and return an authentication response to the UE 101.
  • the HSS extends the User Profile structure carried in the SAA message on the Cx interface by adding the application server authentication information structure at the end of the User Profile structure, thereby transmitting the application server authentication information to the CSCF through the SAA message.
  • the CSCF encrypts the application server authentication information with the check bit CK or with HA1 before transmitting it in the 200 OK message, thereby protecting the application server authentication information in transit.
  • the UE authenticates to the application server with the application server authentication information carried in the 200 OK message, without manually inputting the application server authentication information, thereby reducing the user's operational burden and realizing automatic authentication.
  • Embodiment 2 provides an authentication method, which is a method for unified authentication of an IP multimedia subsystem IMS network and an application server, and an execution body of the method may be a CSCF.
  • Figure 4 is a general flow chart of the method of Embodiment 2 of the present invention. As shown in FIG. 4, the method includes: S401: receiving an IP multimedia subsystem IMS network authentication request sent by a user equipment UE;
  • S402 Obtain application server authentication information from the home subscriber server HSS according to the IMS network authentication request.
  • the application server authentication information includes: the authentication username of the application server, HTTP-Username; the authentication password of the application server (which can be extended to an authentication credential), HTTP-Token; and the additional parameters of the application server, Add-ons (for example, the IP address of the application server).
  • Add-ons is an optional parameter.
  • the above Add-ons parameter includes one or more server parameters Server-parameter.
  • the UE has defined which application servers need to be authenticated, but does not know the information required for that authentication, such as the IP address, username, and password; once the IMS network returns this information, the UE can authenticate to the application server.
  • FIG. 4a is a specific flowchart 1 of the method according to Embodiment 2 of the present invention.
  • the method may include:
  • the SAR message is a Server-Assignment-Request message.
  • the Server-Assignment-Request is a command sent by the CSCF to the HSS over the Cx interface, and the SAR message may carry the IMPU and/or IMPI (IP Multimedia Private Identity) of the UE, so that the HSS queries, based on the IMPU and/or IMPI of the UE, whether application server authentication information corresponding to the UE is stored.
  • IMPU: IP Multimedia Public Identity; IMPI: IP Multimedia Private Identity
  • the SAA message is sent by the HSS, where the SAA message includes the user profile, and the user profile carries application server authentication information.
  • the SAA message is a Server-Assignment-Answer message, which is a response of the HSS to the SAR command in the Cx interface.
  • application server authentication information may be delivered through other messages in other processes customized between the CSCF and the HSS.
  • the IMS network authentication response message 200 OK including the application server authentication information is sent to the UE, to trigger the UE to use the application server authentication information to authenticate to the application server.
  • FIG. 4b is a specific flowchart 2 of the method of Embodiment 2 of the present invention. The difference between Fig. 4b and Fig. 4a lies in S404b.
  • S404b may also include:
  • the value of one or more server parameters Server-parameter included in the Add-ons may be respectively assigned to other corresponding ai-param parameters included in the P-Associated-URI header field;
  • the IMS network authentication response message 200 OK may also be sent to the UE, where the 200 OK includes an associated uniform resource identifier P-Associated-URI header field, and the P-Associated-URI header field includes the first ai-param parameter, the second ai-param parameter, and further ai-param parameters carrying the values of the plurality of Server-parameters.
  • FIG. 4c is a specific flowchart 3 of the method of Embodiment 2 of the present invention.
  • Figure 4c differs from Figure 4 in S404c and S405c.
  • S404c: encrypt the application server authentication information by using the check bit CK or HA1;
  • the method for carrying the application server authentication information in the foregoing 200 OK response may include: transmitting the application server authentication information as ai-param parameters of the P-Associated-URI header field.
  • P-Associated-URI is defined in the standard as:
  • p-aso-uri-spec = name-addr *(SEMI ai-param)
  • ai-param = generic-param
  • the following example illustrates the process of carrying "application server authentication information" by parameters defined by P-Associated-URI.
  • the CSCF takes the HTTP-Username cell of the application server authentication information, copies its contents into the http-username parameter, and uses http-username as an ai-param parameter of the P-Associated-URI;
  • the CSCF takes the HTTP-Token cell of the application server authentication information, copies its contents into the http-token parameter, and uses http-token as an ai-param parameter of the P-Associated-URI; for example, by extracting it from the application server authentication information.
  • the application server authentication information can be encrypted with CK; if the UE and the IMS network use HTTP Digest authentication, it is encrypted with HA1 (an intermediate calculation result of the HTTP Digest authentication process).
  • the method of the embodiment of the present invention receives the SAA message sent by the HSS that includes the application server authentication information, and sends the application server authentication information to the UE in a 200 OK response, so that the UE can use the application server authentication information received in the 200 OK to authenticate to the application server. This process requires no manual intervention, implements automatic authentication of the application server as well as unified authentication of the IMS network and the application server, and facilitates use by the user.
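The signaling flow S204-S207 and the P-Associated-URI encoding above, worked through as an added example (not code from the patent or its applicant): the CSCF builds the header, the UE extracts the credentials, and both sides run HTTP Digest. All identities, keys and values are constructed, the Add-ons parameter names are assumed, and the page does not name the cipher behind "encrypt with CK", so the keystream used here is a stand-in.

```python
# Added example, not from the patent or its applicant: the CSCF builds the
# 200 OK's P-Associated-URI header with the application server credentials as
# ai-params, the UE extracts and decrypts them, and both sides run HTTP Digest.
# All identities, keys and values are constructed. The page does not name the
# cipher behind "encrypt with CK", so the keystream used here is an assumption.
import hashlib
import hmac
import os
import re

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in cipher (assumed): SHA-256 counter keystream from key || nonce."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt_token(token: str, ck: bytes, nonce: bytes = b"") -> str:
    """CSCF side (S404c): hex(nonce || token XOR keystream); fresh 8-byte nonce."""
    nonce = nonce or os.urandom(8)
    data = token.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(ck, nonce, len(data))))
    return (nonce + ct).hex()

def decrypt_token(blob_hex: str, ck: bytes) -> str:
    """UE side (S1003b): split off the 8-byte nonce and undo the XOR."""
    raw = bytes.fromhex(blob_hex)
    nonce, ct = raw[:8], raw[8:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(ck, nonce, len(ct)))).decode()

def build_p_associated_uri(uris: list, creds: dict, ck: bytes) -> str:
    """CSCF side (S404/S404b): the first associated URI carries http-username,
    the encrypted http-token and each Add-ons Server-parameter as an ai-param
    (the Add-ons parameter names are assumed); the other URIs stay plain."""
    first = (f"<{uris[0]}>;http-username={creds['HTTP-Username']}"
             f";http-token={encrypt_token(creds['HTTP-Token'], ck)}")
    for name, value in creds.get("Add-ons", {}).items():
        first += f";{name}={value}"
    return ", ".join([first] + [f"<{u}>" for u in uris[1:]])

# p-aso-uri-spec = name-addr *(SEMI ai-param); specs are comma separated.
_SPEC_RE = re.compile(r"<([^>]*)>((?:\s*;\s*[^;,]+)*)")

def parse_p_associated_uri(value: str) -> list:
    """Returns [(uri, {ai-param name: value}), ...] in header order."""
    specs = []
    for m in _SPEC_RE.finditer(value):
        params = {}
        for p in m.group(2).split(";"):
            p = p.strip()
            if p:
                name, _, val = p.partition("=")
                params[name.strip().lower()] = val.strip().strip('"')
        specs.append((m.group(1), params))
    return specs

def extract_as_credentials(header_value: str, ck: bytes):
    """UE side (S205): from the first URI that has http-username, take
    http-token (decrypted with CK) and the remaining ai-params. None means the
    200 OK carried no application server credentials (the prior-art case)."""
    for uri, params in parse_p_associated_uri(header_value):
        if "http-username" in params and "http-token" in params:
            extras = {k: v for k, v in params.items()
                      if k not in ("http-username", "http-token")}
            return {"uri": uri, "username": params["http-username"],
                    "token": decrypt_token(params["http-token"], ck),
                    "add_ons": extras}
    return None

def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(username, password, realm, nonce, method, uri,
                    nc="00000001", cnonce="0a4f113b", qop="auth") -> str:
    """RFC 2617 Digest response (qop=auth) that the UE computes from the HTTP
    username and HTTP Token it received (S206)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def application_server_verify(store, username, realm, nonce, method, uri,
                              response, nc="00000001", cnonce="0a4f113b") -> bool:
    """Application server side (S207): recompute from the stored token and
    compare in constant time; unknown users fail."""
    if username not in store:
        return False
    expected = digest_response(username, store[username], realm, nonce,
                               method, uri, nc, cnonce)
    return hmac.compare_digest(expected, response)
```

Build the header at the CSCF with build_p_associated_uri, hand it to extract_as_credentials with the same CK, and feed the result into digest_response for the application server to verify.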
  • Embodiment 3 of the present invention provides a method for transmitting authentication information of an application server, and the execution subject of the method may be an HSS.
  • FIG. 5 is a flowchart of a method according to Embodiment 3 of the present invention. As shown in Figure 5, the method includes:
  • S501: receive the first message sent by the call session control function entity CSCF, where the first message includes the identifier of a UE that requests IMS network authentication;
  • S502: determine, according to the first message, whether there is application server authentication information corresponding to the UE;
  • the first message may be a SAR message
  • the second message may be an SAA message
  • the UE identifier includes the IP multimedia public identity IMPU and/or the IP multimedia private identity IMPI of the UE.
  • the process of S503 may specifically include:
  • the SAA message includes a user subscription information User Profile of the UE, and the user profile carries the application server authentication information.
  • the SAR message may carry the IMPU and/or the IMPI of the UE, so that the HSS queries the application server authentication information corresponding to the UE according to the IMPU and/or IMPI of the UE.
  • the multiple IMPUs may form one IRS.
  • the authentication information of the application server is stored in the HSS.
  • the authentication information of the application server may be associated with one or more IMPUs, that is, it may correspond to, and belong to, one or more IMPUs.
  • the associated IMPU can be registered as an IRS in the HSS, which is equivalent to associating the application server authentication information with the IRS.
  • the multiple IMPUs are set in one set, so that when the UE has multiple IMPUs, the application server authentication information can be obtained regardless of which IMPU is logged in, without the application server authentication information being saved on the HSS multiple times.
  • the application server contains the application server authentication information.
  • the User Profile structure carried in the SAA message on the Cx interface is extended by adding the application server authentication information structure at the end of the User Profile structure; this is represented in UML (Unified Modeling Language) in FIG. 6, which is a schematic diagram of the extended User Profile structure of Embodiment 3 of the present invention.
  • UML: Unified Modeling Language
  • an IMPI of an IMS user may correspond to one or more "Service Profiles" and to one or zero "application server authentication information" structures.
  • "1...n" in FIG. 6 indicates one or more, and "0...1" indicates zero or one.
  • FIG. 7 is a diagram showing an example of an in-line format of a user profile according to Embodiment 3 of the present invention. Only two Service Profiles are shown in FIG. 7; for different applications, more than two Service Profiles can be used. Only three Public Ids are shown in FIG. 7; for different applications, more than three Public Ids can be used.
  • the IFC in Figure 7 represents the initial filter criteria.
  • the service profile is the same as defined in the original user profile.
  • FIG. 8 is a schematic structural diagram of application server authentication information according to Embodiment 3 of the present invention.
  • HTTP-Username indicates the authentication user name of the application server
  • HTTP-Token indicates the authentication password of the application server (expandable to authentication credentials)
  • Add-ons stores additional parameters of the application server. (eg the IP address of the application server).
  • one application server authentication information structure may include, for example, one HTTP-Username, one HTTP-Token, and one or zero Add-ons. In other applications, it may also include multiple HTTP-Usernames, multiple HTTP-Tokens, and multiple Add-ons.
  • the application server authentication information structure may also be extended, and different authentication user names and authentication passwords may be specified for multiple application servers.
  • the Add-ons field of the application server authentication information structure can be defined as shown in FIG. 9. FIG. 9 is a diagram showing the definition of the Add-ons field in Embodiment 3 of the present invention.
  • the HSS extends the User Profile information structure included in the SAA message by adding the application server authentication information structure at the end of the User Profile structure, and returns an SAA message carrying the application server authentication information to the CSCF, thereby transmitting the application server authentication information to the CSCF.
  • an application server authentication information structure can also be added in front of the User Profile structure.
  • Embodiment 3 of the present invention extends the User Profile structure carried in the SAA message by adding an application server authentication information structure at its end, so that the application server authentication information can be sent to the CSCF through the SAA message and the CSCF can then send it to the UE, which authenticates to the application server according to that application server authentication information.
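The extended User Profile of Embodiment 3, the HSS lookup by IMPI/IMPU (S502/S503) and the CSCF check of whether the profile carries the structure (S204), as an added example that is not code from the patent or its applicant. The Cx User Profile element names IMSSubscription, PrivateID, ServiceProfile, PublicIdentity, Identity and InitialFilterCriteria are the real ones; the appended element name, the identities and the credentials are constructed.

```python
# Added example, not from the patent or its applicant: the User Profile of
# Embodiment 3 as XML with the application server authentication information
# structure appended after the Service Profiles, the HSS lookup by IMPI/IMPU
# (S502/S503) and the CSCF check of whether the profile carries it (S204).
# Element names beyond the Cx User Profile's own (IMSSubscription, PrivateID,
# ServiceProfile, PublicIdentity, Identity, InitialFilterCriteria) and all
# identities and credentials are constructed for this example.
import xml.etree.ElementTree as ET

AS_AUTH_TAG = "ApplicationServerAuthInfo"  # assumed name of the appended structure

# Constructed HSS record: one IMPI, two Service Profiles, three Public Ids
# forming the implicit registration set, and one (0...1) credential structure.
PROFILE_WITH_AUTH = """<IMSSubscription>
  <PrivateID>alice@ims.example.com</PrivateID>
  <ServiceProfile>
    <PublicIdentity><Identity>sip:alice@example.com</Identity></PublicIdentity>
    <PublicIdentity><Identity>tel:+14155550100</Identity></PublicIdentity>
    <InitialFilterCriteria><Priority>0</Priority></InitialFilterCriteria>
  </ServiceProfile>
  <ServiceProfile>
    <PublicIdentity><Identity>sip:alice.work@example.com</Identity></PublicIdentity>
  </ServiceProfile>
  <ApplicationServerAuthInfo>
    <HTTP-Username>alice</HTTP-Username>
    <HTTP-Token>s3cret-web-pw</HTTP-Token>
    <Add-ons><Server-parameter name="as-ip">192.0.2.10</Server-parameter></Add-ons>
  </ApplicationServerAuthInfo>
</IMSSubscription>"""

# Constructed record of a subscriber with no associated application server.
PROFILE_WITHOUT_AUTH = """<IMSSubscription>
  <PrivateID>bob@ims.example.com</PrivateID>
  <ServiceProfile>
    <PublicIdentity><Identity>sip:bob@example.com</Identity></PublicIdentity>
  </ServiceProfile>
</IMSSubscription>"""


def parse_user_profile(xml_text: str) -> dict:
    """Reads IMPI, all IMPUs and, if present, the appended credential structure."""
    root = ET.fromstring(xml_text)
    node = root.find(AS_AUTH_TAG)
    auth = None
    if node is not None:
        auth = {"HTTP-Username": node.findtext("HTTP-Username"),
                "HTTP-Token": node.findtext("HTTP-Token"),
                "Add-ons": {sp.get("name"): sp.text
                            for sp in node.iter("Server-parameter")}}
    return {"impi": root.findtext("PrivateID"),
            "impus": [e.text for e in root.iter("Identity")],
            "as_auth": auth}


def hss_server_assignment(records: list, impi: str = None, impu: str = None):
    """HSS (S502/S503): locate the subscription named by the SAR's IMPI and/or
    IMPU; any IMPU of the set matches, so the credentials are stored once and
    found whichever IMPU registered. Returns the User Profile for the SAA,
    or None when the identity is unknown."""
    for xml_text in records:
        p = parse_user_profile(xml_text)
        if (impi and p["impi"] == impi) or (impu and impu in p["impus"]):
            return xml_text
    return None


def cscf_check_profile(profile_xml: str):
    """CSCF (S204): returns the credential structure carried by the User
    Profile, or None, in which case the plain prior-art 200 OK is sent."""
    return parse_user_profile(profile_xml)["as_auth"]
```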
  • Embodiment 4 provides an authentication method, which is a method for unified authentication of an IP multimedia subsystem IMS network and an application server.
  • the execution body of the method may be a UE.
  • Figure 10 is a general flow chart of the method of Embodiment 4 of the present invention. As shown in FIG. 10, the method includes: S1001: sending an IMS network authentication request to a call session control function entity CSCF;
  • FIG. 10a is a specific flowchart 1 of the method according to Embodiment 4 of the present invention.
  • Figure 10a differs from Figure 10 in S1002a.
  • S1002a: receive the IMS network authentication response message 200 OK sent by the CSCF, where the 200 OK includes an associated uniform resource identifier P-Associated-URI header field, and the P-Associated-URI header field carries application server authentication information.
  • the process of S1002a may include:
  • the P-Associated-URI header field includes an associated uniform resource identifier, and the plurality of ai-param parameters included in the P-Associated-URI header field carry the authentication username of the application server, HTTP-Username, the authentication password of the application server, HTTP-Token, and one or zero additional application server parameters, Add-ons.
  • FIG. 10b is a specific flowchart 2 of the method in Embodiment 4 of the present invention. As shown in Figure 10b, the method includes:
  • S1001b: sending an IMS network authentication request to the call session control function entity CSCF;
  • S1002b: receiving an IMS network authentication response message sent by the CSCF, where the IMS network authentication response message carries application server authentication information encrypted by using the check bit CK or HA1;
  • S1003b: decrypting the application server authentication information by using the check bit CK or HA1;
  • S1004b: using the application server authentication information to authenticate to the application server.
  • the method of Embodiment 4 of the present invention, by carrying the application server authentication information in the IMS network authentication response message, enables the UE to obtain the application server authentication information from the received IMS network authentication response message and to authenticate automatically to the application server according to it.
  • Embodiment 5 of the present invention provides a call session control function entity CSCF. This CSCF is formed corresponding to the method of Embodiment 2.
  • FIG. 11 is a functional block diagram of a call session control function entity according to Embodiment 5 of the present invention.
  • the CSCF 20 includes:
  • the authentication request receiving unit 201 is configured to receive an IP multimedia subsystem IMS network authentication request sent by the user equipment UE;
  • the authentication information obtaining unit 202 is configured to obtain application server authentication information from the home subscriber server HSS according to the IMS network authentication request.
  • the authentication response sending unit 203 is configured to send an IMS network authentication response message that includes the application server authentication information to the UE, to trigger the UE to use the application server authentication information to authenticate to the application server.
  • Figure 11a is a functional block diagram of an authentication information acquisition unit.
  • the authentication information obtaining unit 202 may include:
  • the requesting sub-unit 2021 is configured to send a SAR message to the home subscriber server HSS, to obtain a user subscription information of the UE;
  • the receiving subunit 2022 is configured to receive an SAA message sent by the HSS, where the SAA message includes the User Profile, and the User Profile carries application server authentication information.
  • the authentication response sending unit 203 is configured to send an IMS network authentication response message 200 OK to the UE, where an associated uniform resource identifier P-Associated-URI header field is added in the 200 OK, and the P-Associated-URI header field carries the application server authentication information.
  • Figure 11b is a functional block diagram of the authentication response sending unit.
  • the authentication response sending unit 203 may include: an encryption subunit 2031, configured to encrypt the application server authentication information by using a check bit CK or HA1; and a sending subunit 2032, configured to send an IMS network authentication response message to the UE, where the IMS network authentication response message includes the application server authentication information encrypted by using CK or HA1.
  • the application server authentication information includes: an authentication user name of the application server, HTTP-Username, and an authentication password of the application server, HTTP-Token; optionally, the application server authentication information may further include an additional parameter Add-ons of the application server.
  • the Add-ons includes one or more server parameters.
  • The CSCF entity provided by Embodiment 5 of the present invention receives the SAA message whose User Profile structure has been extended, with the application server authentication information added to the end of the User Profile structure, so that the corresponding application server authentication information can be obtained from the HSS.
  • During transmission of the application server authentication information, the CSCF entity encrypts it by using CK, or, when the UE and the IMS network use HTTP Digest authentication, by using HA1, thereby ensuring the security of the transmission.
  • the CSCF entity carries the application server authentication information in the 200 OK message returned to the UE, so that the UE can use the application server authentication information to authenticate to the application server.
  • This process realizes automatic authentication without manual intervention.
  • unified authentication of the IMS and the application server is realized, which brings great convenience to the user and the operator management. At the same time, the operator investment is saved, and no additional authentication is needed.
  • Embodiment 6 The embodiment of the present invention provides a home subscriber server, which is formed correspondingly by the method of Embodiment 3.
  • Figure 12 is a functional block diagram of a home subscriber server according to Embodiment 6 of the present invention. As shown in FIG.
  • the home subscriber server 30 includes: a receiving unit 301, configured to receive a first message sent by a call session control function entity CSCF, where the first message includes the identifier of a UE that requests authentication of an IMS network; a determining unit, configured to determine whether application server authentication information corresponding to the UE exists; and a sending unit 302, configured to send to the CSCF a second message containing the application server authentication information corresponding to the UE when such information exists.
  • the first message may be a SAR message
  • the second message may be an SAA message
  • the identifier of the UE includes an IP multimedia public identity (IMPU) or an IMPI of the UE.
  • the sending unit 302 may be configured to: when the application server authentication information corresponding to the UE exists, send an SAA message to the CSCF, where the SAA message includes a user subscription information User Profile of the UE, and the The User Profile carries the application server authentication information.
  • the SAA message includes a user subscription information User Profile of the UE
  • the User Profile carries the application server authentication information.
  • Embodiment 7 of the present invention provides a user equipment which is formed by the method of Embodiment 4.
  • FIG. 13 is a functional block diagram of a user equipment according to Embodiment 7 of the present invention. As shown in FIG. 13, the user device 40 includes:
  • the first authentication request sending unit 401 is configured to send an IP multimedia subsystem IMS network authentication request to the call session control function entity CSCF;
  • the authentication response receiving unit 402 is configured to receive an IMS network authentication response message sent by the CSCF, where the IMS network authentication response message carries the authentication information of the application server;
  • the second authentication request sending unit 403 is configured to use the application server authentication information to authenticate to the application server.
  • the authentication response receiving unit 401 is further configured to receive an IMS network authentication response message 200 OK sent by the CSCF, where the 200 OK includes an associated unified resource identifier.
  • the authentication response receiving unit 401 is further configured to receive an IMS network authentication response message sent by the CSCF, where the associated unified resource identifier of the IMS network authentication response message is a P-Associated-URI header field.
  • the plurality of ai-param parameters included there carry the value of the authentication user name HTTP-Username of the application server, the value of the authentication password HTTP-Token of the application server, and zero or one value of the additional parameter Add-ons of the application server.
  • the authentication response receiving unit 401 is further configured to receive an IMS network authentication response message sent by the CSCF, where the IMS network authentication response message carries application server authentication information encrypted by using a check bit CK or HA1.
  • FIG. 14 is a detailed functional block diagram of a user equipment according to Embodiment 7 of the present invention.
  • the user equipment 40 may further include:
  • the decryption unit 404 is configured to decrypt the application server authentication information by using the check bit CK or HA1.
  • The user equipment provided in Embodiment 7 of the present invention can use the application server authentication information carried in the 200 OK message to authenticate to the application server, without the user having to enter the application server authentication information manually, which is convenient for the user.
  • By carrying the authentication information of the application server in the result returned by the IMS network authentication, the method of the embodiments of the present invention implements unified authentication of the IMS network and the application server.
  • the storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), or a random access memory (RAM).

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

An authentication method and device are provided in the embodiments of the present invention, said method including the following steps: receiving an Internet Protocol (IP) Multimedia Subsystem (IMS) network authentication request sent by a User Equipment (UE); according to said IMS network authentication request, obtaining the authentication information of an application server from a Home Subscriber Server (HSS); sending the IMS network authentication response message containing the authentication information of said application server to the UE, so as to trigger said UE to utilize the authentication information of said application server to carry out authentication in said application server. By carrying the authentication information of the application server in the returned result of the IMS network authentication, the method of the embodiments of the invention enables uniform authentication of the IMS and the application server without requiring the user to intervene manually in the authentication process of the application server. The method brings great convenience to the usage of users and the management of operators; in addition, the existing IMS authentication flow is fully utilized, so the method is implemented in a simple manner.

Description

Authentication method and device

Technical Field. The present invention relates to the field of communications, and in particular to an authentication method and device.

Background Art. In an IMS (IP Multimedia Subsystem) network, in addition to the network devices that provide basic telecommunication services, there are many application servers that provide value-added services. Such application servers can run independently of the IMS network; to ensure legitimate service use and correct billing, many application servers need to authenticate the UE (User Equipment) separately. For example, for an application server GROUP that provides address book storage and management, regardless of whether the UE has already passed IMS network authentication, the UE must supply the correct username and password to pass GROUP's authentication before it can use the services GROUP provides.
FIG. 1 is a flowchart of the prior-art IMS network authentication and application server authentication. As shown in FIG. 1, S101-S104 form the prior-art standard IMS network authentication flow, and S105-S107 form the prior-art application server authentication flow, where S105 requires the user to manually enter authentication information again.
In the course of implementing the present invention, the inventors found that the prior art has at least the following deficiencies: the prior art requires user intervention in every authentication process and cannot achieve automatic authentication, which is inconvenient for the user; and the prior-art methods cannot achieve unified authentication of the IMS network and the application server.

Summary of the Invention. Embodiments of the present invention provide an authentication method, an authentication information transmission method, and devices.
In one aspect, an embodiment of the present invention provides an authentication method, the method comprising: receiving an IP Multimedia Subsystem (IMS) network authentication request sent by a user equipment (UE); obtaining application server authentication information from a home subscriber server (HSS) according to the IMS network authentication request; and sending to the UE an IMS network authentication response message containing the application server authentication information, to trigger the UE to use the application server authentication information to authenticate to the application server.
In another aspect, an embodiment of the present invention provides an authentication information transmission method, the method comprising: receiving a first message sent by a call session control function entity (CSCF), the first message containing the identifier of a UE requesting IMS network authentication; determining, according to the first message, whether application server authentication information corresponding to the UE exists; and, when application server authentication information corresponding to the UE exists, sending to the CSCF a second message containing the application server authentication information corresponding to the UE.
In yet another aspect, an embodiment of the present invention provides an authentication method, the authentication method comprising: sending an IMS network authentication request to a CSCF; receiving an IMS network authentication response message sent by the CSCF, the IMS network authentication response message carrying application server authentication information; and using the application server authentication information to authenticate to the application server. In another aspect, an embodiment of the present invention provides a call session control function entity CSCF, the CSCF comprising: an authentication request receiving unit, configured to receive an IMS network authentication request sent by a UE; an authentication information obtaining unit, configured to obtain application server authentication information from the HSS according to the IMS network authentication request; and an authentication response sending unit, configured to send to the UE an IMS network authentication response message containing the application server authentication information, to trigger the UE to use the application server authentication information to authenticate to the application server.
In a further aspect, an embodiment of the present invention provides a home subscriber server, the home subscriber server comprising: a receiving unit, configured to receive a first message sent by a CSCF, the first message containing the identifier of a UE requesting IMS network authentication; a determining unit, configured to determine whether application server authentication information corresponding to the UE exists; and a sending unit, configured to send to the CSCF a second message containing the application server authentication information corresponding to the UE when such information exists.
In a final aspect, an embodiment of the present invention provides a user equipment, the user equipment comprising: a first authentication request sending unit, configured to send an IMS network authentication request to a CSCF; an authentication response receiving unit, configured to receive an IMS network authentication response message sent by the CSCF, the IMS network authentication response message carrying application server authentication information; and a second authentication request sending unit, configured to use the application server authentication information to authenticate to the application server.
The technical solution provided by the embodiments of the present invention, by carrying the application server's authentication information in the result returned by IMS network authentication, achieves unified authentication of the IMS network and the application server and, at the same time, automatic authentication to the application server, i.e. no user intervention is needed during authentication, which brings great convenience to users and to operator management; it makes full use of the existing IMS network authentication flow and is simple to implement.

Brief Description of the Drawings. In order to explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
FIG. 1 is a flowchart of the prior-art IMS network authentication and application server authentication;
FIG. 2 is a signaling interaction flowchart of the system of Embodiment 1 of the present invention;
FIG. 3 is a functional block diagram of the system of Embodiment 1 of the present invention;
FIG. 4 is an overall flowchart of the method of Embodiment 2 of the present invention;
FIG. 4a is a first detailed flowchart of the method of Embodiment 2 of the present invention;
FIG. 4b is a second detailed flowchart of the method of Embodiment 2 of the present invention;
FIG. 4c is a third detailed flowchart of the method of Embodiment 2 of the present invention;
FIG. 5 is a flowchart of the method of Embodiment 3 of the present invention;
FIG. 6 is a schematic diagram of the extended structure of the User Profile in Embodiment 3 of the present invention;
FIG. 7 is an example of the in-line format of the user profile in Embodiment 3 of the present invention;
FIG. 8 is a schematic diagram of the structure of the application server authentication information in Embodiment 3 of the present invention;
FIG. 9 is a definition diagram of the Add-ons field in Embodiment 3 of the present invention;
FIG. 10 is an overall flowchart of the method of Embodiment 4 of the present invention;
FIG. 10a is a first detailed flowchart of the method of Embodiment 4 of the present invention;
FIG. 10b is a second detailed flowchart of the method of Embodiment 4 of the present invention;
FIG. 11 is a functional block diagram of the call session control function entity of Embodiment 5 of the present invention;
FIG. 11a is a functional block diagram of the authentication information obtaining unit of Embodiment 5 of the present invention;
FIG. 11b is a functional block diagram of the authentication response sending unit of Embodiment 5 of the present invention;
FIG. 12 is a functional block diagram of the home subscriber server of Embodiment 6 of the present invention;
FIG. 13 is an overall functional block diagram of the user equipment of Embodiment 7 of the present invention;
FIG. 14 is a detailed functional block diagram of the user equipment of Embodiment 7 of the present invention.

Detailed Description of the Embodiments. To make the objectives, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention. The application server referred to in the embodiments of the present invention mainly means an application server that is independent of the IMS network and requires independent authentication; such application servers usually provide value-added services independently, for example a "WEB domain application server".
The interface between the HSS (Home Subscriber Server) and the CSCF (Call Session Control Function) includes the Cx interface, whose main functions include location management, user data download/update processing, and user authentication.

Embodiment 1: Embodiment 1 of the present invention provides a method and system for unified authentication of an IP Multimedia Subsystem (IMS) network and an application server.
Embodiment 1 of the present invention uses existing IMS equipment and flows, with appropriate extensions, to support unified authentication of the IMS network and the application server. That is, after the UE has passed IMS network authentication, it uses the authentication information obtained during the IMS network authentication process to automatically authenticate to the other application servers used by the authorized UE, without user intervention.
FIG. 2 is a signaling interaction flowchart of the system of Embodiment 1 of the present invention. As shown in FIG. 2, the signaling interaction flow includes:
S201. The user equipment UE performs IMS network authentication: the UE sends an IMS network authentication request to the CSCF;
The authentication algorithm may be IMS AKA (Authentication and Key Agreement), Early AKA, HTTP Digest (the HTTP digest authentication algorithm), or the like;
S202. The CSCF sends a SAR message to the HSS to obtain the UE's user subscription information (User Profile);
S203. The HSS returns the UE's User Profile to the CSCF through an extended SAA message; if the corresponding IMPU (IP Multimedia Public Identity) or IRS (Implicitly Registered Set) has associated application server authentication information, the User Profile includes the application server authentication information; otherwise the User Profile does not include application server authentication information;
S204. The CSCF determines whether the User Profile carries application server authentication information. If it does not, the CSCF returns to the UE an IMS network authentication response message 200 OK consistent with the prior art; if it does, the CSCF returns to the UE an IMS network authentication response message 200 OK, and this 200 OK carries the above application server authentication information;
S205. When the UE receives the 200 OK, it extracts the application server authentication information;
If an associated uniform resource identifier P-Associated-URI header field is added to the 200 OK and the P-Associated-URI header field is used to carry the application server authentication information, the UE checks whether the p-aso-uri-spec list carries parameters such as http-username and http-token. From the first URI carrying the http-username parameter, it takes the http-token and the parameters following it, and decrypts them using CK (check bit); if the UE and the IMS network use HTTP Digest authentication, HA1 is used for decryption. S206. The UE authenticates to the application server according to the returned authentication information;
If the application server authenticates the user with the HTTP Digest method, the UE uses the HTTP username and HTTP Token (WEB password) obtained from the IMS network to compute the Digest authentication response and complete authentication.
S207. The application server returns the authentication result.
When the UE needs to authenticate to multiple application servers, S206-S207 are repeated.
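As an added illustration of the S201-S207 exchange above (and of the S401-S403 and UE-side steps that the later embodiments restate), here is a small end-to-end simulation in Python. It is not code from the patent or from its assignee; it models the HSS, the CSCF, the UE and the application server as plain functions. Everything the text does not fix is an assumption: the dict layout standing in for the extended User Profile, the hex encoding of the ai-param values, the HMAC-SHA256 counter keystream used as a stand-in for "encrypt with CK or HA1" (the patent names the key material, not a cipher), the constructed identities and passwords, and the realm, nonce and URI of the HTTP Digest exchange. The simulation goes slightly beyond the text in that the P-Associated-URI list carries more than one entry, so the UE's "first URI with http-username" scan is exercised, and both branches of S204 (credentials present or absent) are covered.

```python
"""Added simulation of the unified IMS / application-server authentication flow
(S201-S207).  Not the patent's code; all layouts, encodings and the stand-in
cipher below are assumptions made for this example."""
import hashlib
import hmac
import secrets

# Constructed sample HSS data.  Assumption: the "as_auth" key stands in for the
# application-server authentication structure appended to the User Profile, and
# "irs" for the implicitly registered set reported in P-Associated-URI.
HSS_PROFILES = {
    "sip:alice@example.com": {
        "irs": ["sip:alice@example.com", "tel:+15551234567"],
        "as_auth": {"http-username": "alice_web",
                    "http-token": "web-password-42",
                    "server-parameter": "as.example.com"},   # one Add-ons entry
    },
    "sip:bob@example.com": {"irs": ["sip:bob@example.com"]},  # no AS credentials stored
}
AS_USERS = {"alice_web": "web-password-42"}  # constructed credential store of the AS

def hss_saa(impu):
    """S203: answer the SAR with the User Profile; the AS auth info is present only
    when the HSS holds it for this IMPU."""
    return dict(HSS_PROFILES[impu])

def transport_key(scheme, ck=None, ha1=None):
    """The text keys the protection to CK for IMS AKA and to HA1 for HTTP Digest."""
    if scheme == "AKA":
        return ck
    if scheme == "DIGEST":
        return bytes.fromhex(ha1)
    raise ValueError("unknown IMS authentication scheme")

def _keystream(key, nonce, length):
    # Assumption: HMAC-SHA256 in counter mode as a stand-in stream cipher.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def protect(key, text):
    """Encrypt one parameter value; a fresh nonce is prepended so equal values differ on the wire."""
    nonce = secrets.token_bytes(12)
    data = text.encode()
    return (nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))).hex()

def unprotect(key, hexblob):
    raw = bytes.fromhex(hexblob)
    nonce, body = raw[:12], raw[12:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))).decode()

def cscf_200ok_header(profile, impu, key):
    """S204: build the P-Associated-URI value for the 200 OK.  Returns None when the
    profile carries no AS auth info (the prior-art 200 OK is sent unchanged); otherwise
    the protected ai-params are attached to the last entry of the list."""
    auth = profile.get("as_auth")
    if auth is None:
        return None
    entries = [f"<{u}>" for u in profile.get("irs", [impu])]
    entries[-1] += ";" + ";".join(f"{k}={protect(key, v)}" for k, v in auth.items())
    return ", ".join(entries)

def ue_extract(header, key):
    """S205: scan the p-aso-uri-spec list, take the first entry carrying http-username,
    and decrypt that entry's parameters with the CK/HA1-derived key."""
    if header is None:
        return None
    for spec in header.split(","):
        _, _, param_str = spec.strip().partition(">")
        params = dict(p.split("=", 1) for p in param_str.split(";") if "=" in p)
        if "http-username" in params:
            return {k: unprotect(key, v) for k, v in params.items()}
    return None

def digest_response(username, token, realm, nonce, method, uri):
    """S206: HTTP Digest response (RFC 2617 style, no qop) computed from the received credentials."""
    ha1 = hashlib.md5(f"{username}:{realm}:{token}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()

def as_verify(username, response, realm, nonce, method, uri):
    """S207: the application server recomputes the response from its own stored token."""
    token = AS_USERS.get(username)
    if token is None:
        return False
    expected = digest_response(username, token, realm, nonce, method, uri)
    return hmac.compare_digest(expected, response)

def run_flow(impu, scheme="AKA", ck=None, ha1=None):
    """Whole exchange for one UE.  Returns the AS verdict, or None when the HSS held no
    AS credentials and the UE therefore had nothing to authenticate with automatically."""
    key = transport_key(scheme, ck=ck, ha1=ha1)
    header = cscf_200ok_header(hss_saa(impu), impu, key)   # S202-S204
    creds = ue_extract(header, key)                          # S205
    if creds is None:
        return None
    realm, nonce, method, uri = "as.example.com", "0123456789abcdef", "GET", "/contacts"
    resp = digest_response(creds["http-username"], creds["http-token"], realm, nonce, method, uri)
    return as_verify(creds["http-username"], resp, realm, nonce, method, uri)

if __name__ == "__main__":
    print(run_flow("sip:alice@example.com", ck=b"\x01" * 16))   # True: credentials delivered and accepted
    print(run_flow("sip:bob@example.com", ck=b"\x01" * 16))     # None: prior-art 200 OK, no AS credentials
```

Two design points worth noting. First, the stand-in cipher gives confidentiality only; a tampered or mis-keyed parameter value surfaces as garbage or a decode error in `ue_extract`, so a deployment would wrap the values in an authenticated mode rather than a bare keystream. Second, the password itself travels to the UE in this scheme, which is why the text ties the protection to key material (CK or HA1) that only the legitimately authenticated UE and the network share.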
The system of Embodiment 1 of the present invention achieves unified authentication of the IMS network and the application server by using the existing authentication flow.
FIG. 3 is a functional block diagram of the system of Embodiment 1 of the present invention. As shown in FIG. 3, the system 10 for unified authentication of an IMS network and an application server according to Embodiment 1 includes:
a user equipment UE101, configured to send an IMS network authentication request to the call session control function entity CSCF102; to receive the IMS network authentication response message 200 OK sent by the CSCF102, the 200 OK carrying the application server's authentication information; and to use the application server authentication information to authenticate to the application server;
a call session control function entity CSCF102, configured to receive the IMS network authentication request sent by the user equipment UE101; to send a SAR message to the home subscriber server HSS103 to obtain the User Profile of the UE101; to receive the SAA message sent by the HSS103, the SAA message containing the User Profile and the User Profile carrying application server authentication information; and to send to the UE101 the IMS network authentication response message 200 OK containing the application server authentication information, to trigger the UE101 to use the application server authentication information to authenticate to the application server 104;
a home subscriber server HSS103, configured to receive the SAR message sent by the CSCF102 and, when application server authentication information corresponding to the UE101 is stored, to send to the CSCF102 an SAA message containing the User Profile of the UE101, the User Profile carrying the application server authentication information;
an application server AS104, configured to receive the authentication request sent by the UE101, authenticate the UE101, and return an authentication response to the UE101.
With the system of Embodiment 1 of the present invention, the HSS extends the User Profile structure carried by the SAA message over the Cx interface by appending an application server authentication information structure at the end of the User Profile structure, so that the application server authentication information is passed to the CSCF through the SAA message.
The CSCF encrypts the application server authentication information by using the check bit CK or HA1 while transmitting the 200 OK message, thereby ensuring the security of the transmission of the application server authentication information.
The UE authenticates to the application server using the application server authentication information carried in the 200 OK message, without the user having to enter the application server authentication information manually and repeatedly, which reduces the user's operating burden and achieves automatic authentication.
In summary, the system of Embodiment 1 of the present invention achieves unified authentication of the IMS network and the application server, which brings great convenience to both users and operator management; it makes full use of the existing IMS authentication flow, is simple to implement, and requires no additional dedicated authentication equipment; it places no special requirements on existing application servers and does not change their existing authentication flows.

Embodiment 2: Embodiment 2 of the present invention provides an authentication method, which is a method for unified authentication of an IMS network and an application server; the method may be executed by a CSCF.
Figure 4 is the overall flowchart of the method of Embodiment 2. As shown in Figure 4, the method includes:
S401: receive an IMS network authentication request sent by a user equipment (UE);
S402: according to the IMS network authentication request, obtain application server authentication information from the home subscriber server (HSS);
Specifically, the application server authentication information includes: the authentication username for the application server, HTTP-Username; the authentication password for the application server (which may be generalized to an authentication credential), HTTP-Token; and additional parameters of the application server, Add-ons (for example the IP address of the application server). Add-ons is optional and consists of one or more server parameters, Server-parameter.
S403: send an IMS network authentication response message containing the application server authentication information to the UE, to trigger the UE to authenticate to the application server with that information.
It should be noted that, in general, the UE already knows which application servers it has to authenticate to; what it lacks is the information the authentication requires, such as the IP address, username and password. Once the IMS network returns this information to the UE, the UE can authenticate to the application server.
Figure 4a is a first detailed flowchart of the method of Embodiment 2. Optionally, as shown in Figure 4a, the method may include:
S401a: receive an IMS network authentication request sent by the UE;
S402a: send an SAR message to the HSS to obtain the subscription information (User Profile) of the UE;
Specifically, the SAR message is a Server-Assignment-Request message, the command that the CSCF sends to the HSS over the Cx interface. The SAR message may carry the UE's IMPU and/or IMPI (IP Multimedia Private Identity), so that the HSS can look up by IMPU and/or IMPI whether application server authentication information is stored for the UE.
S403a: receive the SAA message sent by the HSS, the SAA message containing the User Profile and the User Profile carrying the application server authentication information;
Specifically, the SAA message is the Server-Assignment-Answer message, the HSS's response to the SAR command over the Cx interface.
The extended User Profile structure and the structure of the application server authentication information are described in detail in a later embodiment and are not described here.
Optionally, other messages may be used to obtain the application server authentication information; for example, it may be carried in other messages of other procedures defined between the CSCF and the HSS.
S404a: send the IMS network authentication response message 200 OK containing the application server authentication information to the UE, to trigger the UE to authenticate to the application server with that information.
Figure 4b is a second detailed flowchart of the method of Embodiment 2. Figure 4b differs from Figure 4a in S404b.
S404b: send the IMS network authentication response message 200 OK to the UE, where the 200 OK message contains a P-Associated-URI header field and the P-Associated-URI header field carries the application server authentication information, to trigger the UE to authenticate to the application server with that information.
Specifically, S404b may include:
assigning the value of HTTP-Username to a first ai-param parameter contained in the P-Associated-URI header field;
assigning the value of HTTP-Token to a second ai-param parameter contained in the P-Associated-URI header field;
sending the IMS network authentication response message 200 OK to the UE, where the 200 OK contains a P-Associated-URI header field that includes the first ai-param parameter and the second ai-param parameter.
Optionally, the values of the one or more Server-parameters contained in Add-ons may each be assigned to a further corresponding ai-param parameter of the P-Associated-URI header field; in that case the 200 OK sent to the UE contains a P-Associated-URI header field that includes the first ai-param parameter, the second ai-param parameter and the further ai-param parameters carrying the Server-parameter values.
Figure 4c is a third detailed flowchart of the method of Embodiment 2. Figure 4c differs from Figure 4 in S404c and S405c.
S404c: encrypt the application server authentication information with CK or HA1;
S405c: send the IMS network authentication response message 200 OK to the UE, where the 200 OK contains the application server authentication information encrypted with CK or HA1, to trigger the UE to authenticate to the application server with that information.
The method of carrying the application server authentication information in the 200 OK response may include: passing the application server authentication information as ai-param parameters of the P-Associated-URI header field.
For example, the parameters defined for P-Associated-URI in the standard are used to carry the "application server authentication information".
P-Associated-URI is defined in the standard (RFC 3455) as:

    P-Associated-URI = "P-Associated-URI" HCOLON
                       (p-aso-uri-spec)
                       *(COMMA p-aso-uri-spec)
    p-aso-uri-spec   = name-addr *(SEMI ai-param)
    ai-param         = generic-param
The following illustrates how the parameters defined for P-Associated-URI carry the "application server authentication information".
The CSCF takes the HTTP-Username information element of the application server authentication information, copies its content into an http-username parameter, and adds http-username as one ai-param of the P-Associated-URI;
for example, it takes the HTTP-Username information element, copies its content "user1@home1.net" into the http-username parameter so that http-username="user1@home1.net", and adds this http-username as one ai-param of the P-Associated-URI.
The CSCF takes the HTTP-Token information element of the application server authentication information, copies its content into an http-token parameter, and adds http-token as one ai-param of the P-Associated-URI; for example, it takes the HTTP-Token information element, copies its content "PWD" into the http-token parameter so that http-token="PWD", and adds http-token as one ai-param of the P-Associated-URI.
The CSCF takes the Add-ons information element of the application server authentication information and makes each of the one or more Server-parameters it contains a separate ai-param; if there are several Server-parameters, each corresponds to its own ai-param. For example, it takes the Add-ons information element, copies the content "group-domain-address" of the first Server-parameter into a group-uri parameter so that group-uri="group-domain-address", and adds group-uri as one ai-param of the P-Associated-URI;
it copies the content "AP-domain-address" of the second Server-parameter into an ap-uri parameter so that ap-uri="AP-domain-address", and adds ap-uri as one ai-param of the P-Associated-URI.
Therefore, an example P-Associated-URI carrying application server authentication information takes the following form:
P-Associated-URI: sip:user1@home1.net;http-username="user1@home1.net";http-token="PWD";group-uri="group-domain-address";ap-uri="AP-domain-address"
Further, to protect the transmission, the application server authentication information may be encrypted with CK; if the UE and the IMS use HTTP Digest authentication, HA1 (the intermediate result of the HTTP Digest computation, H(username:realm:password)) is used for the encryption instead.
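The mapping described above, written out as an added example (it is not code from the patent): a CSCF-side builder that turns the HTTP-Username, HTTP-Token and Add-ons structure into ai-param parameters of a P-Associated-URI header field, and a UE-side parser that recovers the structure. Parameter names follow the patent's worked example; the header grammar is the p-aso-uri-spec / generic-param grammar quoted above, with RFC 3261 token and quoted-string rules. One caveat about the example header line above: p-aso-uri-spec is a name-addr, so when parameters follow the URI it has to be enclosed in angle brackets; written bare, ";http-username=..." would be read as SIP URI parameters rather than header parameters. The builder below therefore always emits <...>, and the parser rejects the bare form.

```python
"""Carry application-server authentication information in P-Associated-URI.

Added example, not the patent's code.  Builds the header the CSCF places in
the 200 OK (RFC 3455: p-aso-uri-spec = name-addr *(SEMI ai-param),
ai-param = generic-param) and parses it back on the UE side.
"""
import re

# RFC 3261 "token" characters; any other value must travel as a quoted-string.
_TOKEN = re.compile(r"^[A-Za-z0-9\-.!%*_+`'~]+$")
# ;name=value  where value is a token or a quoted-string with backslash escapes
_PARAM = re.compile(r";\s*([A-Za-z0-9\-.!%*_+`'~]+)\s*=\s*(\"((?:[^\"\\]|\\.)*)\"|[^;,\s]+)")


def _quote(value):
    """Emit a token as-is, anything else as an escaped quoted-string."""
    if _TOKEN.match(value):
        return value
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_p_associated_uri(impu, auth_info):
    """CSCF: one p-aso-uri-spec carrying HTTP-Username, HTTP-Token and every
    Server-parameter from Add-ons as its own ai-param.  The URI is wrapped in
    <...> so that the ';' parameters are header parameters, not URI parameters."""
    params = [("http-username", auth_info["HTTP-Username"]),
              ("http-token", auth_info["HTTP-Token"])]
    params += list(auth_info.get("Add-ons", []))
    return "P-Associated-URI: <%s>%s" % (
        impu, "".join(";%s=%s" % (n, _quote(v)) for n, v in params))


def _split_specs(value):
    """Split the header value on commas that are outside quoted-strings and <...>."""
    specs, cur, depth, quoted, i = [], [], 0, False, 0
    while i < len(value):
        c = value[i]
        if quoted:
            cur.append(c)
            if c == "\\" and i + 1 < len(value):   # keep the escaped character
                i += 1
                cur.append(value[i])
            elif c == '"':
                quoted = False
        elif c == '"':
            quoted = True
            cur.append(c)
        elif c in "<>":
            depth += 1 if c == "<" else -1
            cur.append(c)
        elif c == "," and depth == 0:
            specs.append("".join(cur).strip())
            cur = []
        else:
            cur.append(c)
        i += 1
    specs.append("".join(cur).strip())
    return specs


def parse_p_associated_uri(header):
    """UE: return [{"uri": ..., "params": {name: value}}], one entry per spec."""
    name, sep, value = header.partition(":")
    if not sep or name.strip().lower() != "p-associated-uri":
        raise ValueError("not a P-Associated-URI header")
    entries = []
    for spec in _split_specs(value):
        m = re.match(r'^(?:"(?:[^"\\]|\\.)*"|[^<]*)?\s*<([^>]+)>', spec)
        if not m:   # bare URI: the ';' parameters would belong to the URI, not the header
            raise ValueError("expected name-addr (<uri>) in %r" % spec)
        params = {}
        for pm in _PARAM.finditer(spec, m.end()):
            raw = pm.group(2)
            val = re.sub(r"\\(.)", r"\1", pm.group(3)) if raw.startswith('"') else raw
            params[pm.group(1).lower()] = val
        entries.append({"uri": m.group(1), "params": params})
    return entries


def auth_info_from_header(header):
    """UE: rebuild the HSS structure from the first spec carrying both credentials;
    every other ai-param on that spec is treated as a Server-parameter of Add-ons."""
    for entry in parse_p_associated_uri(header):
        p = dict(entry["params"])
        if "http-username" in p and "http-token" in p:
            username, token = p.pop("http-username"), p.pop("http-token")
            return {"HTTP-Username": username, "HTTP-Token": token,
                    "Add-ons": list(p.items())}
    return None


def carries_header_params(header):
    """True when every spec uses the name-addr form (so parameters are header params)."""
    try:
        parse_p_associated_uri(header)
        return True
    except ValueError:
        return False


# Constructed sample matching the patent's worked example.
SAMPLE_AUTH = {"HTTP-Username": "user1@home1.net", "HTTP-Token": "PWD",
               "Add-ons": [("group-uri", "group-domain-address"),
                           ("ap-uri", "AP-domain-address")]}

if __name__ == "__main__":
    hdr = build_p_associated_uri("sip:user1@home1.net", SAMPLE_AUTH)
    print(hdr)
    print(auth_info_from_header(hdr))
```

Values that are not RFC 3261 tokens (the username with its "@", any password containing ";" or ",") are emitted as quoted-strings, which is what keeps a password from being split into a second parameter or a second URI by the UE's parser.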
In the method of this embodiment, the CSCF receives the SAA message containing the application server authentication information from the HSS and forwards that information to the UE in the 200 OK response, so that the UE can authenticate to the application server with the information received in the 200 OK. No manual intervention is needed: the application server is authenticated automatically and the IMS network and the application server are authenticated in a unified way, which is convenient for the user.
Encrypting the application server authentication information with CK or HA1 during transmission protects the data in transit.
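An added example (not from the patent) of the CK / HA1 protection and of what the UE then does with the recovered credential. The patent names the key material, CK from IMS AKA or RFC 2617's HA1 = MD5(username:realm:password) when the UE registered with HTTP Digest, but not a cipher, so the cipher here is this example's own choice: separate encryption and MAC keys derived from the shared secret with HMAC-SHA256, an HMAC-based keystream, and an encrypt-then-MAC tag that also binds the IMPU as associated data, all from the Python standard library. The Digest response computation is RFC 2617's (the Mufasa test vector from that RFC is used as a check); the application server realm, nonce and URI in the end-to-end flow are constructed.

```python
"""Protect the application-server authentication information with CK or HA1,
then use it: CSCF seals, UE unseals and answers the AS's Digest challenge.

Added example, not the patent's code.  The patent does not name a cipher;
the encrypt-then-MAC construction below is this example's own choice.
"""
import hashlib
import hmac
import os
import struct


def ha1(username, realm, password):
    """RFC 2617 HA1 = MD5(username:realm:password) as hex.  After an HTTP Digest
    registration with the IMS core both UE and network already hold this value."""
    return hashlib.md5(("%s:%s:%s" % (username, realm, password)).encode()).hexdigest()


def _derive(secret, label):
    """Split one shared secret (CK bytes, or HA1 as ASCII) into separate
    encryption and MAC keys; the raw secret never keys both directly."""
    prk = hmac.new(b"ims-as-authinfo-v1", secret, hashlib.sha256).digest()  # extract, fixed salt
    k_enc = hmac.new(prk, label + b"|enc", hashlib.sha256).digest()
    k_mac = hmac.new(prk, label + b"|mac", hashlib.sha256).digest()
    return k_enc, k_mac


def _keystream(k_enc, nonce, n):
    """Counter-mode keystream: HMAC-SHA256(k_enc, nonce || counter)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(k_enc, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(secret, plaintext, aad=b"", nonce=None):
    """CSCF (S404c): nonce || ciphertext || tag; aad binds the blob to one IMPU."""
    nonce = os.urandom(16) if nonce is None else nonce
    k_enc, k_mac = _derive(secret, b"P-Associated-URI")
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    tag = hmac.new(k_mac, aad + nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def unseal(secret, blob, aad=b""):
    """UE (S1003b): verify the tag in constant time before decrypting."""
    if len(blob) < 32:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    k_enc, k_mac = _derive(secret, b"P-Associated-URI")
    expect = hmac.new(k_mac, aad + nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(k_enc, nonce, len(ct))))


def is_authentic(secret, blob, aad=b""):
    try:
        unseal(secret, blob, aad)
        return True
    except ValueError:
        return False


def digest_response(h1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response = MD5(HA1:nonce:nc:cnonce:qop:HA2); needs only HA1."""
    h2 = hashlib.md5(("%s:%s" % (method, uri)).encode()).hexdigest()
    return hashlib.md5(("%s:%s:%s:%s:%s:%s" % (h1, nonce, nc, cnonce, qop, h2)).encode()).hexdigest()


def unified_auth_flow(shared_secret, username, token, as_realm, as_nonce):
    """End to end: CSCF seals HTTP-Token under CK/HA1, the UE unseals it and
    answers the application server's Digest challenge, and the application
    server verifies from its stored HA1.  Returns (verified, response)."""
    impu = b"sip:user1@home1.net"                                  # constructed
    blob = seal(shared_secret, token.encode(), aad=impu)           # CSCF -> 200 OK
    recovered = unseal(shared_secret, blob, aad=impu).decode()     # UE
    cnonce, nc, uri = "0a4f113b", "00000001", "/service"           # constructed
    answer = digest_response(ha1(username, as_realm, recovered), "GET", uri, as_nonce, nc, cnonce)
    stored = ha1(username, as_realm, token)                        # AS stores HA1, not the token
    ok = hmac.compare_digest(answer, digest_response(stored, "GET", uri, as_nonce, nc, cnonce))
    return ok, answer


if __name__ == "__main__":
    ck = bytes(range(16))                                          # constructed CK
    print(unified_auth_flow(ck, "user1@home1.net", "PWD", "as.home1.net", "n1"))
```

Binding the IMPU as associated data means a blob sealed for one subscriber's 200 OK cannot be replayed into another subscriber's, even if both happened to share key material. If the deployment protects the 200 OK with IPsec or TLS at the Gm interface, this layer is defence in depth; if it does not, the strength of the protection is exactly that of CK or, in the Digest case, of a password-derived hash.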
Because the method of this embodiment adds no dedicated authentication equipment but improves on existing equipment and existing procedures, it provides a unified authentication flow for the IMS network and the application server that is simple to implement, which helps operator management and saves operator investment.

Embodiment 3: Embodiment 3 of the present invention provides a method for transmitting application server authentication information; the method may be executed by an HSS.
Figure 5 is a flowchart of the method of Embodiment 3. As shown in Figure 5, the method includes:
S501: receive a first message sent by the call session control function entity (CSCF), the first message containing the identity of the UE requesting IMS network authentication;
S502: according to the first message, determine whether application server authentication information corresponding to the UE exists;
S503: when application server authentication information corresponding to the UE exists, send a second message containing that information to the CSCF.
Optionally, the first message may be an SAR message, the second message may be an SAA message, and the UE identity includes the UE's IP Multimedia Public Identity (IMPU) or IMPI. S503 may specifically include:
when application server authentication information corresponding to the UE exists, sending an SAA message to the CSCF, the SAA message containing the UE's subscription information (User Profile) and the User Profile carrying the application server authentication information.
Optionally, the SAR message may carry the UE's IMPU and/or IMPI, so that the HSS looks up the application server authentication information corresponding to the UE by IMPU and/or IMPI. When the UE has several IMPUs, those IMPUs may form one implicit registration set (IRS).
Specifically, when an IMS subscriber opens an account or applies for a new service, if the operator's staff or the BOSS (Business and Operation Supporting System) determine that there is an application server requiring separate authentication, the authentication information for that application server is stored in the HSS. The application server authentication information may be associated with one or more IMPUs; that is, it may correspond to, and belong to, one or more IMPUs.
When the application server authentication information is associated with several IMPUs, the associated IMPUs can be registered in the HSS as one IRS, which amounts to associating the application server authentication information with the IRS. Because the IMPUs are placed in one set, a UE with several IMPUs obtains the application server authentication information whichever IMPU it registers with, and the HSS does not have to store the information several times.
When the HSS determines that the IMPU or IRS has associated application server authentication information, it includes that information in the User Profile.
For example, the User Profile structure carried in the SAA message over the Cx interface is extended by adding an application server authentication information structure at the end of the User Profile structure, shown in UML (Unified Modeling Language) in Figure 6; Figure 6 is a schematic diagram of the extended User Profile structure of Embodiment 3.
As shown in Figure 6, the IMPI of an IMS subscriber may correspond to one or more "Service Profiles" and to one or zero "application server authentication information" structures. In Figure 6, "1...n" denotes one or more and "0...1" denotes zero or one. Figure 7 is an example of the in-line format of the User Profile of Embodiment 3. Figure 7 shows only two Service Profiles; different applications may use more than two. Figure 7 shows only three Public IDs; different applications may use more than three. IFC in Figure 7 denotes the initial filter criteria. The Service Profile is defined exactly as in the original User Profile.
The structure of the application server authentication information of Embodiment 3 is shown in UML in Figure 8; Figure 8 is a schematic diagram of that structure. As shown in Figure 8, HTTP-Username indicates the authentication username for the application server; HTTP-Token indicates the authentication password for the application server (which may be generalized to an authentication credential); Add-ons stores additional parameters of the application server (for example its IP address). As Figure 8 shows, one application server authentication information structure may include, for example, one HTTP-Username, one HTTP-Token and one or zero Add-ons. In other applications it may also include several HTTP-Usernames, several HTTP-Tokens and several Add-ons.
If there are several application servers, the same authentication username and password are specified at account opening, at new-service application or in other scenarios, and the differing additional parameters (for example the IP address of each application server) are stored in the Add-ons field. Optionally, the application server authentication information structure may be extended so that different authentication usernames and passwords can be specified for different application servers.
The Add-ons field of the application server authentication information structure may be defined as shown in Figure 9; Figure 9 is the definition of the Add-ons field of Embodiment 3. In Figure 9, "1...n" denotes one or more: one Add-ons field may contain one or more Server-parameters, and each Server-parameter holds a parameter name and a parameter value, for example in the form group-uri="group-domain-address", where group-uri is the parameter name and group-domain-address is the corresponding value.
In short, the HSS extends the User Profile information structure contained in the SAA message by adding an application server authentication information structure at its end and returns to the CSCF an SAA message carrying the application server authentication information, thereby passing it to the CSCF. Optionally, the application server authentication information structure may instead be added at the front of the User Profile structure.
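The HSS-side provisioning and lookup described in this embodiment, as an added example (not the patent's or 3GPP's code). It stores one application server authentication record per implicit registration set so that a lookup by any IMPU of the set, or by the IMPI, finds the same record, and it appends the structure to the end of the User-Data it returns in the SAA, which on the Cx interface is an IMSSubscription XML document. The element names used for the appended structure (ApplicationServerAuthInfo, HTTP-Username, HTTP-Token, Add-ons, Server-parameter, Name, Value) are this example's own choice, since the patent gives the structure only as a UML diagram; the initial filter criteria are left empty because the patent does not change them; the subscriber data is constructed. The extractor at the end is the CSCF side of step S403a in Embodiment 2.

```python
"""HSS side: one AS authentication record per implicit registration set,
appended to the end of the User-Data returned in the SAA.

Added example, not the patent's code.  Element names for the appended
structure are assumptions; the 3GPP IMSSubscription skeleton is real.
"""
import xml.etree.ElementTree as ET


class HSS:
    """Minimal HSS model: IMPU -> IRS mapping plus one AS auth record per IRS."""

    def __init__(self):
        self.impi_of = {}        # IMPU -> IMPI
        self.irs_of = {}         # IMPU -> IRS id
        self.impus_of_irs = {}   # IRS id -> [IMPU, ...]
        self.as_auth_of = {}     # IRS id -> {"HTTP-Username", "HTTP-Token", "Add-ons"}

    def provision(self, impi, impus, as_auth=None):
        """Account opening (operator staff or BOSS): register impus as one
        implicit registration set and store the AS auth info once, per set."""
        irs = "irs:" + impi
        for impu in impus:
            self.impi_of[impu] = impi
            self.irs_of[impu] = irs
        self.impus_of_irs[irs] = list(impus)
        if as_auth is not None:
            self.as_auth_of[irs] = as_auth

    def find_as_auth(self, impu=None, impi=None):
        """S502: look up by IMPU (any member of the set) or by IMPI."""
        if impu is not None:
            irs = self.irs_of.get(impu)
        elif impi is not None:
            irs = "irs:" + impi
        else:
            raise ValueError("SAR carried neither IMPU nor IMPI")
        return self.as_auth_of.get(irs)

    def handle_sar(self, impu):
        """S503: build the User-Data for the SAA; the AS auth structure goes last."""
        impi = self.impi_of[impu]
        irs = self.irs_of[impu]
        sub = ET.Element("IMSSubscription")
        ET.SubElement(sub, "PrivateID").text = impi
        sp = ET.SubElement(sub, "ServiceProfile")
        for member in self.impus_of_irs[irs]:
            pid = ET.SubElement(sp, "PublicIdentity")
            ET.SubElement(pid, "Identity").text = member
        ET.SubElement(sp, "InitialFilterCriteria")   # IFC body omitted: unchanged by the patent
        auth = self.as_auth_of.get(irs)
        if auth is not None:
            asai = ET.SubElement(sub, "ApplicationServerAuthInfo")
            ET.SubElement(asai, "HTTP-Username").text = auth["HTTP-Username"]
            ET.SubElement(asai, "HTTP-Token").text = auth["HTTP-Token"]
            addons = auth.get("Add-ons") or []
            if addons:                                 # Add-ons is optional (0..1)
                ao = ET.SubElement(asai, "Add-ons")
                for name, value in addons:             # one Server-parameter each (1..n)
                    sparam = ET.SubElement(ao, "Server-parameter")
                    ET.SubElement(sparam, "Name").text = name
                    ET.SubElement(sparam, "Value").text = value
        return ET.tostring(sub, encoding="unicode")


def as_auth_from_user_data(user_data):
    """CSCF side (S403a): pull the appended structure out of the SAA User-Data,
    or return None when the HSS had nothing for this identity."""
    root = ET.fromstring(user_data)
    asai = root.find("ApplicationServerAuthInfo")
    if asai is None:
        return None
    addons = [(sp.findtext("Name"), sp.findtext("Value"))
              for sp in asai.findall("Add-ons/Server-parameter")]
    return {"HTTP-Username": asai.findtext("HTTP-Username"),
            "HTTP-Token": asai.findtext("HTTP-Token"),
            "Add-ons": addons}


# Constructed sample: one IMPI with two IMPUs in one IRS and an AS record,
# and a second subscriber with no AS record.
SAMPLE_HSS = HSS()
SAMPLE_HSS.provision("user1_private@home1.net",
                     ["sip:user1@home1.net", "tel:+15551234567"],
                     {"HTTP-Username": "user1@home1.net", "HTTP-Token": "PWD",
                      "Add-ons": [("group-uri", "group-domain-address"),
                                  ("ap-uri", "AP-domain-address")]})
SAMPLE_HSS.provision("user2_private@home1.net", ["sip:user2@home1.net"])

if __name__ == "__main__":
    print(SAMPLE_HSS.handle_sar("tel:+15551234567"))
```

Because the record hangs off the IRS rather than off each IMPU, registering with the tel URI and registering with the sip URI both return the same structure, and revoking or rotating the application server credential is a single write in the HSS.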
In the method of Embodiment 3, the User Profile structure carried in the SAA message is extended by adding an application server authentication information structure at its end, so that the application server authentication information can be sent to the CSCF in the SAA message; the CSCF can then forward it to the UE, so that the UE authenticates to the application server with it without the user having to intervene in the application server's authentication. This is a great convenience for users and operator management, and the method helps realize unified authentication of the IMS network and the application server.

Embodiment 4: Embodiment 4 of the present invention provides an authentication method, including a method for unified authentication of the IMS network and an application server. The method may be executed by a UE.
Figure 10 is the overall flowchart of the method of Embodiment 4. As shown in Figure 10, the method includes:
S1001: send an IMS network authentication request to the call session control function entity (CSCF);
S1002: receive the IMS network authentication response message sent by the CSCF, the IMS network authentication response message carrying application server authentication information;
S1003: authenticate to the application server with the application server authentication information.
Figure 10a is a first detailed flowchart of the method of Embodiment 4. Figure 10a differs from Figure 10 in S1002a.
S1002a: receive the IMS network authentication response message 200 OK sent by the CSCF, the 200 OK containing a P-Associated-URI header field that carries the application server authentication information.
Specifically, S1002a may include:
receiving the IMS network authentication response message 200 OK sent by the CSCF, the 200 OK containing a P-Associated-URI header field whose several ai-param parameters carry the application server's authentication username HTTP-Username, the application server's authentication password HTTP-Token and one or zero sets of additional application server parameters Add-ons.
Figure 10b is a second detailed flowchart of the method of Embodiment 4. As shown in Figure 10b, the method includes:
S1001b: send an IMS network authentication request to the CSCF;
S1002b: receive the IMS network authentication response message sent by the CSCF, the IMS network authentication response message carrying application server authentication information encrypted with CK or HA1;
S1003b: decrypt the application server authentication information with CK or HA1;
S1004b: authenticate to the application server with the application server authentication information.
In the method of Embodiment 4, the application server authentication information is carried in the IMS network authentication response message, so the UE obtains it from that message and authenticates to the application server with it automatically. This simplifies the authentication flow and is convenient for the user, who does not need to intervene, and it is convenient for operator management as well. Encrypting the application server authentication information with CK or HA1 in transit protects the data.

Embodiment 5: Embodiment 5 of the present invention provides a call session control function entity (CSCF), formed to correspond to the method of Embodiment 2.
Figure 11 is a functional block diagram of the call session control function entity of Embodiment 5. As shown in Figure 11, the CSCF 20 includes:
an authentication request receiving unit 201, configured to receive an IMS network authentication request sent by a user equipment (UE);
an authentication information obtaining unit 202, configured to obtain application server authentication information from the home subscriber server (HSS) according to the IMS network authentication request;
an authentication response sending unit 203, configured to send an IMS network authentication response message containing the application server authentication information to the UE, to trigger the UE to authenticate to the application server with that information.
Figure 11a is a functional block diagram of the authentication information obtaining unit. Optionally, the authentication information obtaining unit 202 may include:
a request subunit 2021, configured to send an SAR message to the HSS to obtain the UE's subscription information (User Profile);
a receiving subunit 2022, configured to receive the SAA message sent by the HSS, the SAA message containing the User Profile and the User Profile carrying the application server authentication information.
Optionally, the authentication response sending unit 203 is configured to send the IMS network authentication response message 200 OK to the UE, with a P-Associated-URI header field added to the 200 OK that carries the application server authentication information.
Figure 11b is a functional block diagram of the authentication response sending unit. Optionally, the authentication response sending unit 203 may include:
an encryption subunit 2031, configured to encrypt the application server authentication information with CK or HA1;
a sending subunit 2032, configured to send to the UE an IMS network authentication response message containing the application server authentication information encrypted with CK or HA1.
The application server authentication information includes the application server's authentication username HTTP-Username and the application server's authentication password HTTP-Token; optionally, it may further include additional application server parameters Add-ons, which comprise one or more server parameters, Server-parameter.
The CSCF entity of Embodiment 5 receives an SAA message whose User Profile structure has been extended with an application server authentication information structure at its end, and so obtains the corresponding application server authentication information from the HSS.
The CSCF entity encrypts the application server authentication information in transit with CK, or with HA1 when the UE and the IMS use HTTP Digest authentication, which helps protect the transmission.
The CSCF entity carries the application server authentication information in the 200 OK message returned to the UE, so that the UE can authenticate to the application server with it; no manual intervention is needed and authentication is automatic. In short, the CSCF of this embodiment implements unified authentication of the IMS network and the application server, which is a great convenience for users and operator management, and it saves operator investment because no additional dedicated authentication equipment is needed.

Embodiment 6: This embodiment of the present invention provides a home subscriber server, formed to correspond to the method of Embodiment 3. Figure 12 is a functional block diagram of the home subscriber server of Embodiment 6. As shown in Figure 12, the home subscriber server 30 includes:
a receiving unit 301, configured to receive a first message sent by the call session control function entity (CSCF), the first message containing the identity of the UE requesting IMS network authentication;
a determining unit, configured to determine whether application server authentication information corresponding to the UE exists;
a sending unit 302, configured to send a second message containing the application server authentication information corresponding to the UE to the CSCF when such information exists.
Optionally, the first message may be an SAR message, the second message may be an SAA message, and the UE identity includes the UE's IP Multimedia Public Identity (IMPU) or IMPI. The sending unit 302 may be configured to send an SAA message to the CSCF when application server authentication information corresponding to the UE exists, the SAA message containing the UE's subscription information (User Profile) and the User Profile carrying the application server authentication information. For the structure of the extended User Profile and of the application server authentication information, see Figures 6 to 9 and the corresponding description, which is not repeated here.
12, the home subscriber server 30 includes: a receiving unit 301, configured to receive a first message sent by a call session control function entity CSCF, where the first message includes a UE identifier that requests authentication of an IMS network; a unit, configured to determine whether there is application server authentication information corresponding to the UE, where the sending unit 302 is configured to: when the application server authentication information corresponding to the UE exists, send, to the CSCF, the UE corresponding to the The second message of the application server authentication information. Optionally, the first message may be a SAR message, the second message may be an SAA message, and the identifier of the UE includes an IP multimedia public identity (IMPU) or an IMPI of the UE. The sending unit 302 may be configured to: when the application server authentication information corresponding to the UE exists, send an SAA message to the CSCF, where the SAA message includes a user subscription information User Profile of the UE, and the The User Profile carries the application server authentication information. For the structure of the extended User Profile and the structure of the application server authentication information, please refer to the figure. 6- Figure 9, and corresponding description, will not be described here.
本发明实施例 6的归属用户服务器,通过预先存储 UE对应的应用服务器鉴 权信息, 并通过扩展 User Profile, 即在 User Profile信息结构的末尾添加在应 用服务器鉴权信息结构, 从而可以通过 SAA消息向 CSCF传递应用服务器的鉴 权信息, 有利于实现 IMS和应用服务器的统一鉴权。 实施例 7: 本发明实施例 7提供了一种用户设备,该用户设备由实施例 4的方法而对 应形成。  The home subscriber server of Embodiment 6 of the present invention can store the authentication information of the application server corresponding to the UE in advance, and add the application server authentication information structure at the end of the User Profile information structure by extending the User Profile, so that the SAA message can be passed. Passing the authentication information of the application server to the CSCF facilitates unified authentication of the IMS and the application server. Embodiment 7: Embodiment 7 of the present invention provides a user equipment which is formed by the method of Embodiment 4.
Figure 13 is a functional block diagram of the user equipment according to Embodiment 7 of the present invention. As shown in Figure 13, the user equipment 40 includes:
a first authentication request sending unit 401, configured to send an IP multimedia subsystem (IMS) network authentication request to the call session control function entity CSCF;
an authentication response receiving unit 402, configured to receive the IMS network authentication response message sent by the CSCF, where the IMS network authentication response message carries the authentication information of the application server; and
a second authentication request sending unit 403, configured to use the application server authentication information to authenticate to the application server.
Optionally, the authentication response receiving unit 401 may further be configured to receive the IMS network authentication response message 200 OK sent by the CSCF, where the 200 OK includes an associated uniform resource identifier (P-Associated-URI) header field and the P-Associated-URI header field carries the application server authentication information.
Optionally, the authentication response receiving unit 401 may further be configured to receive the IMS network authentication response message sent by the CSCF, where the multiple ai-param parameters included in the P-Associated-URI header field of the IMS network authentication response message carry the value of the authentication user name of the application server, HTTP-Username, the value of the authentication password of the application server, HTTP-Token, and the value of one or zero additional parameters (Add-ons) of the application server.
For the specific method of carrying the application server authentication information in the P-Associated-URI header field added to the 200 OK, refer to the corresponding description in Embodiment 2, which is not repeated here.
Optionally, the authentication response receiving unit 401 may further be configured to receive the IMS network authentication response message sent by the CSCF, where the IMS network authentication response message carries application server authentication information encrypted with the check bit CK or HA1.
Figure 14 is a detailed functional block diagram of the user equipment according to Embodiment 7 of the present invention. Optionally, the user equipment 40 may further include:
a decryption unit 404, configured to decrypt the application server authentication information using the check bit CK or HA1.
The user equipment provided by Embodiment 7 of the present invention can use the application server authentication information carried in the 200 OK message to authenticate to the application server, without the application server authentication information having to be entered manually and repeatedly, which is convenient for both users and operator management. By carrying the authentication information of the application server in the result returned by the IMS network authentication, the method of the embodiment of the present invention achieves unified authentication of the IMS network and the application server.
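The CSCF-to-UE leg of the embodiments above, as an added Python simulation that is not part of the patent: the credentials from the User Profile are placed one per ai-param in the P-Associated-URI header of the 200 OK, protected under HA1, unpacked by the UE and then used for HTTP Digest authentication to the application server. The `name:value` ai-param syntax, the HMAC-based stand-in for the cipher the patent leaves unspecified, the realm and the sample credentials are assumptions.

```python
"""Added example (not from the patent): CSCF packs the application server
credentials into P-Associated-URI ai-params protected under HA1; the UE unpacks
them and authenticates to the AS with HTTP Digest. The ai-param syntax and the
HA1 cipher are assumptions (the patent defers them to Embodiment 2)."""
import hashlib
import hmac
import os
from urllib.parse import quote, unquote

# Constructed sample data: the credential the application server shares with the
# HSS, and the application server authentication information from the SAA User Profile.
AS_REALM = "as.example.com"
AS_CREDENTIALS = {"alice": "s3cret-token"}
SAMPLE_AUTH = {"HTTP-Username": "alice", "HTTP-Token": "s3cret-token",
               "Add-ons": ["https://as.example.com/"]}  # one Server-parameter


def ha1(username, realm, password):
    """HTTP Digest HA1 = MD5(username:realm:password) (RFC 2617); the UE and the
    IMS core both know it, so the patent reuses it as the protection key."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()


def _keystream(enc_key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.digest(enc_key, nonce + counter.to_bytes(4, "big"), "sha256")
        counter += 1
    return out[:length]


def protect(key_hex, plaintext):
    """Assumed stand-in for the unspecified CK/HA1 cipher: HMAC-SHA256 keystream
    XOR plus an HMAC tag, so a wrong key or a tampered value is detected."""
    key = bytes.fromhex(key_hex)
    enc_key, mac_key = hmac.digest(key, b"enc", "sha256"), hmac.digest(key, b"mac", "sha256")
    nonce, data = os.urandom(12), plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.digest(mac_key, nonce + ct, "sha256")[:16]
    return f"{nonce.hex()}.{ct.hex()}.{tag.hex()}"


def unprotect(key_hex, token):
    key = bytes.fromhex(key_hex)
    enc_key, mac_key = hmac.digest(key, b"enc", "sha256"), hmac.digest(key, b"mac", "sha256")
    nonce, ct, tag = (bytes.fromhex(part) for part in token.split("."))
    if not hmac.compare_digest(hmac.digest(mac_key, nonce + ct, "sha256")[:16], tag):
        raise ValueError("tag mismatch: wrong CK/HA1 or tampered header")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()


def build_p_associated_uri(impu, auth, key_hex=None):
    """CSCF: one ai-param per value (claim 5). Assumed syntax `name:value` with
    the value percent-encoded; with key_hex each value is protected first."""
    values = [("user", auth["HTTP-Username"]), ("token", auth["HTTP-Token"])]
    values += [("addon", a) for a in auth.get("Add-ons", [])]
    if key_hex is not None:
        values = [(n, protect(key_hex, v)) for n, v in values]
    return f"<{impu}>;" + ";".join(f"ai-param={n}:{quote(v, safe='')}" for n, v in values)


def parse_p_associated_uri(header, key_hex=None):
    """UE: recover the values from the 200 OK header; unprotect raises before
    any credential is used if the tag does not verify."""
    uri, *params = header.split(";")
    auth = {"HTTP-Username": None, "HTTP-Token": None, "Add-ons": []}
    for param in params:
        if not param.startswith("ai-param="):
            continue
        name, _, value = param[len("ai-param="):].partition(":")
        value = unquote(value)
        if key_hex is not None:
            value = unprotect(key_hex, value)
        if name == "user":
            auth["HTTP-Username"] = value
        elif name == "token":
            auth["HTTP-Token"] = value
        elif name == "addon":
            auth["Add-ons"].append(value)
    return uri.strip("<>"), auth


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 Digest without qop: response = MD5(HA1:nonce:HA2)."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1(username, realm, password)}:{nonce}:{ha2}".encode()).hexdigest()


def app_server_verify(username, response, method, uri, nonce):
    """Application server: recompute the expected Digest response and compare."""
    token = AS_CREDENTIALS.get(username)
    if token is None:
        return False
    return hmac.compare_digest(digest_response(username, AS_REALM, token, method, uri, nonce), response)


def register_and_authenticate(impu, auth, ims_user, ims_realm, ims_password):
    """End to end: CSCF 200 OK with protected ai-params, UE unpacks, UE -> AS Digest."""
    key = ha1(ims_user, ims_realm, ims_password)          # derived on both sides
    header = build_p_associated_uri(impu, auth, key)       # CSCF, carried in the 200 OK
    _, recovered = parse_p_associated_uri(header, key)     # UE
    nonce = os.urandom(8).hex()                            # constructed AS challenge
    resp = digest_response(recovered["HTTP-Username"], AS_REALM, recovered["HTTP-Token"], "GET", "/", nonce)
    return app_server_verify(recovered["HTTP-Username"], resp, "GET", "/", nonce), recovered
```

Substituting CK for HA1 only changes which key both sides derive; the packing, protection and unpacking steps stay the same.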
A person of ordinary skill in the art can understand that all or part of the processes in the methods of the above embodiments may be implemented by a computer program instructing the related hardware. The program may be stored in a computer-readable storage medium and, when executed, may include the processes of the embodiments of the above methods. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a random access memory (RAM), or the like.
The above embodiments are merely intended to illustrate the technical solutions of the embodiments of the present invention, not to limit them. Although the embodiments of the present invention have been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features may be replaced by equivalents, and such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims

1. An authentication method, characterized in that the authentication method comprises:
receiving an IP multimedia subsystem (IMS) network authentication request sent by a user equipment (UE);
obtaining application server authentication information from a home subscriber server (HSS) according to the IMS network authentication request; and
sending an IMS network authentication response message including the application server authentication information to the UE, to trigger the UE to use the application server authentication information to authenticate to the application server.
2. The method according to claim 1, characterized in that obtaining the application server authentication information from the home subscriber server HSS according to the IMS network authentication request comprises:
sending a Server-Assignment-Request (SAR) message to the home subscriber server HSS to obtain the user subscription information (User Profile) of the UE; and
receiving a Server-Assignment-Answer (SAA) message sent by the HSS, where the SAA message includes the User Profile and the User Profile carries the application server authentication information.
3. The method according to claim 2, characterized in that the SAR message carries the IP multimedia public identity (IMPU) and/or the IP multimedia private identity (IMPI) of the UE, so that the HSS queries, according to the IMPU and/or IMPI of the UE, whether application server authentication information corresponding to the UE is stored.
4. The method according to claim 1, characterized in that sending the IMS network authentication response message including the application server authentication information to the UE comprises:
sending an IMS network authentication response message 200 OK to the UE, where an associated uniform resource identifier (P-Associated-URI) header field is added to the 200 OK and the P-Associated-URI header field carries the application server authentication information.
5. The method according to claim 4, characterized in that multiple ai-param parameters included in the P-Associated-URI header field carry the application server authentication information.
6. The method according to claim 1, characterized in that sending the IMS network authentication response message including the application server authentication information to the UE comprises:
encrypting the application server authentication information using the check bit CK or HA1; and sending an IMS network authentication response message to the UE, where the IMS network authentication response message includes the application server authentication information encrypted with CK or HA1.
7. The method according to any one of claims 1 to 6, characterized in that the application server authentication information comprises: the authentication user name of the application server, HTTP-Username, and the authentication password of the application server, HTTP-Token.
8. The method according to claim 7, characterized in that the application server authentication information further comprises: additional parameters of the application server, Add-ons, where the Add-ons parameter includes one or more server parameters (Server-parameter).
9. An authentication information transmission method, characterized in that the method comprises:
receiving a first message sent by a call session control function entity (CSCF), where the first message includes the identifier of a user equipment (UE) requesting IP multimedia subsystem (IMS) network authentication;
determining, according to the first message, whether application server authentication information corresponding to the UE exists; and, when application server authentication information corresponding to the UE exists, sending a second message including the application server authentication information corresponding to the UE to the CSCF.
10. The method according to claim 9, characterized in that the first message is a Server-Assignment-Request (SAR) message and the second message is a Server-Assignment-Answer (SAA) message;
sending the second message including the application server authentication information to the CSCF comprises: sending an SAA message to the CSCF, where the SAA message includes the user subscription information (User Profile) of the UE and the User Profile carries the application server authentication information.
11. The method according to claim 10, characterized in that, by extending the User Profile structure carried in the SAA message over the Cx interface and adding an application server authentication information structure to the User Profile structure, the application server authentication information is passed to the CSCF in the SAA message.
12. An authentication method, characterized in that the authentication method comprises:
sending an IP multimedia subsystem (IMS) network authentication request to a call session control function entity (CSCF); receiving an IMS network authentication response message sent by the CSCF, where the IMS network authentication response message carries application server authentication information; and
using the application server authentication information to authenticate to the application server.
13. The method according to claim 12, characterized in that receiving the IMS network authentication response message sent by the CSCF, where the IMS network authentication response message carries the application server authentication information, comprises:
receiving an IMS network authentication response message 200 OK sent by the CSCF, where the 200 OK includes an associated uniform resource identifier (P-Associated-URI) header field and the P-Associated-URI header field carries the application server authentication information.
14. The method according to claim 12, characterized in that receiving the IMS network authentication response message sent by the CSCF, where the IMS network authentication response message carries the application server authentication information, comprises:
receiving an IMS network authentication response message sent by the CSCF, where the IMS network authentication response message carries application server authentication information encrypted with the check bit CK or HA1.
15. The method according to claim 14, characterized in that, before using the application server authentication information to authenticate to the application server, the method further comprises:
decrypting the application server authentication information using the check bit CK or HA1.
16. A call session control function entity (CSCF), characterized in that the call session control function entity CSCF comprises:
an authentication request receiving unit, configured to receive an IP multimedia subsystem (IMS) network authentication request sent by a user equipment (UE);
an authentication information obtaining unit, configured to obtain application server authentication information from a home subscriber server (HSS) according to the IMS network authentication request; and
an authentication response sending unit, configured to send an IMS network authentication response message including the application server authentication information to the UE, to trigger the UE to use the application server authentication information to authenticate to the application server.
17. The call session control function entity CSCF according to claim 16, characterized in that the authentication information obtaining unit comprises:
a requesting subunit, configured to send a Server-Assignment-Request (SAR) message to the home subscriber server HSS to obtain the user subscription information (User Profile) of the UE; and
a receiving subunit, configured to receive a Server-Assignment-Answer (SAA) message sent by the HSS, where the SAA message includes the User Profile and the User Profile carries the application server authentication information.
18. The call session control function entity CSCF according to claim 16, characterized in that the authentication response sending unit is configured to send an IMS network authentication response message 200 OK to the UE, where an associated uniform resource identifier (P-Associated-URI) header field is added to the 200 OK and the P-Associated-URI header field carries the application server authentication information.
19. The call session control function entity CSCF according to claim 16, characterized in that the authentication response sending unit comprises:
an encryption subunit, configured to encrypt the application server authentication information using the check bit CK or HA1; and
a sending subunit, configured to send an IMS network authentication response message to the UE, where the IMS network authentication response message includes the application server authentication information encrypted with CK or HA1.
20. A home subscriber server, characterized in that the home subscriber server comprises: a receiving unit, configured to receive a first message sent by a call session control function entity (CSCF), where the first message includes the identifier of a UE requesting IMS network authentication;
a determining unit, configured to determine whether application server authentication information corresponding to the UE exists; and a sending unit, configured to send, to the CSCF, a second message including the application server authentication information corresponding to the UE when such information exists.
21. The home subscriber server according to claim 20, characterized in that the first message is a Server-Assignment-Request (SAR) message and the second message is a Server-Assignment-Answer (SAA) message,
the sending unit being configured to send an SAA message to the CSCF when application server authentication information corresponding to the UE exists, where the SAA message includes the user subscription information (User Profile) of the UE and the User Profile carries the application server authentication information.
22. A user equipment, characterized in that the user equipment comprises:
a first authentication request sending unit, configured to send an IP multimedia subsystem (IMS) network authentication request to a call session control function entity (CSCF);
an authentication response receiving unit, configured to receive an IMS network authentication response message sent by the CSCF, where the IMS network authentication response message carries application server authentication information; and
a second authentication request sending unit, configured to use the application server authentication information to authenticate to the application server.
23. The user equipment according to claim 22, characterized in that the authentication response receiving unit is configured to receive an IMS network authentication response message 200 OK sent by the CSCF, where the 200 OK includes an associated uniform resource identifier (P-Associated-URI) header field and the P-Associated-URI header field carries the application server authentication information.
24. The user equipment according to claim 22, characterized in that the authentication response receiving unit is configured to receive an IMS network authentication response message sent by the CSCF, where the IMS network authentication response message carries application server authentication information encrypted with the check bit CK or HA1.
25. The user equipment according to claim 24, characterized in that the user equipment further comprises: a decryption unit, configured to decrypt the application server authentication information using the check bit CK or HA1.
PCT/CN2010/077516 2009-09-30 2010-09-30 Authentication method and device WO2011038691A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200910174570.1 2009-09-30
CN200910174570A CN101668016B (en) 2009-09-30 2009-09-30 Authentication method and device

Publications (1)

Publication Number Publication Date
WO2011038691A1 true WO2011038691A1 (en) 2011-04-07

Family

ID=41804456

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2010/077516 WO2011038691A1 (en) 2009-09-30 2010-09-30 Authentication method and device

Country Status (2)

Country Link
CN (1) CN101668016B (en)
WO (1) WO2011038691A1 (en)


Also Published As

Publication number Publication date
CN101668016A (en) 2010-03-10
CN101668016B (en) 2012-10-03


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 10819920; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 10819920; Country of ref document: EP; Kind code of ref document: A1)