WO2011038691A1 - Procédé et dispositif d'authentification - Google Patents

Authentication method and apparatus

Info

Publication number
WO2011038691A1
Authority
WO
WIPO (PCT)
Prior art keywords
application server
authentication information
authentication
ims network
message
Prior art date
Application number
PCT/CN2010/077516
Other languages
English (en)
Chinese (zh)
Inventor
谢国军
谢秀洪
Original Assignee
华为技术有限公司


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/06 Authentication
    • H04W 12/069 Authentication using certificates or pre-shared keys
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L 65/10 Architectures or entities
    • H04L 65/1016 IP multimedia subsystem [IMS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L 65/1066 Session management
    • H04L 65/1073 Registration or de-registration

Definitions

  • the present invention relates to the field of communications, and in particular to an authentication method and apparatus.
  • Background Art: In an IMS (IP Multimedia Subsystem) network, besides the network devices that provide basic telecommunication services, there are many application servers that provide value-added services. Such application servers can operate independently of the IMS network. To ensure legitimate service usage and correct billing, many of them authenticate the UE (User Equipment) separately. For example, an application server GROUP that provides address book storage and management requires the UE to present the correct username and password and pass GROUP's own authentication before using its services, regardless of whether the UE has already authenticated to the IMS network.
  • UE User Equipment
  • FIG. 1 is a flow chart of the prior art IMS network authentication and application server authentication.
  • S101-S104 are the prior-art IMS network standard authentication process.
  • S105-S107 are the prior-art application server authentication process, where S105 requires the user to manually enter the authentication information again.
  • Embodiments of the present invention provide an authentication method, an authentication information transmission method, and an apparatus.
  • an embodiment of the present invention provides an authentication method, where the method includes: receiving an IP multimedia subsystem IMS network authentication request sent by a user equipment UE; obtaining application server authentication information from a home subscriber server HSS according to the IMS network authentication request; and sending an IMS network authentication response message including the application server authentication information to the UE, to trigger the UE to use the application server authentication information to authenticate to the application server.
  • an embodiment of the present invention provides a method for transmitting authentication information, where the method includes: receiving a first message sent by a call session control function entity CSCF, where the first message includes the identifier of a UE requesting IMS network authentication; determining, according to the first message, whether there is application server authentication information corresponding to the UE; and, when there is application server authentication information corresponding to the UE, sending to the CSCF a second message that includes the application server authentication information corresponding to the UE.
  • an embodiment of the present invention provides an authentication method, where the authentication method includes: sending an IP multimedia subsystem IMS network authentication request to a call session control function entity CSCF; receiving an IMS network authentication response message sent by the CSCF, where the IMS network authentication response message carries application server authentication information; and using the application server authentication information to authenticate to the application server.
  • the embodiment of the present invention provides a call session control function entity CSCF, which includes: an authentication request receiving unit, configured to receive an IP multimedia subsystem IMS network authentication request sent by the user equipment UE; an authentication information obtaining unit, configured to obtain the application server authentication information from the home subscriber server HSS according to the IMS network authentication request; and an authentication response sending unit, configured to send an IMS network authentication response message including the application server authentication information to the UE, to trigger the UE to use the application server authentication information to authenticate to the application server.
  • the embodiment of the present invention provides a home subscriber server, which includes: a receiving unit, configured to receive a first message sent by a call session control function entity CSCF, where the first message includes the identifier of a UE requesting IMS network authentication; a determining unit, configured to determine whether there is application server authentication information corresponding to the UE; and a sending unit, configured to send to the CSCF, when there is application server authentication information corresponding to the UE, a second message including the application server authentication information corresponding to the UE.
  • the embodiment of the present invention provides a user equipment, which includes: a first authentication request sending unit, configured to send an IP multimedia subsystem IMS network authentication request to a call session control function entity CSCF; an authentication response receiving unit, configured to receive an IMS network authentication response message sent by the CSCF, where the IMS network authentication response message carries application server authentication information; and a second authentication request sending unit, configured to use the application server authentication information to authenticate to the application server.
  • in the technical solution provided by the embodiments of the present invention, the authentication information of the application server is carried in the result returned by the IMS network authentication. This realizes unified authentication of the IMS network and the application server and automatic authentication to the application server, that is, the user does not need to intervene in the authentication process, which is convenient both for the user and for operator management; and it makes full use of the existing IMS network authentication process, keeping the solution simple.
  • FIG. 3 is a functional block diagram of a system according to Embodiment 1 of the present invention.
  • Figure 4a is a specific flowchart 1 of the method of Embodiment 2 of the present invention.
  • Figure 5 is a flowchart of a method according to Embodiment 3 of the present invention.
  • FIG. 6 is a schematic structural diagram of an extension of a User Profile according to Embodiment 3 of the present invention
  • FIG. 7 is a diagram showing an example of the in-line format of a User Profile according to Embodiment 3 of the present invention
  • FIG. 8 is a schematic structural diagram of application server authentication information according to Embodiment 3 of the present invention.
  • Figure 10b is a specific flowchart 2 of the method of Embodiment 4 of the present invention.
  • FIG. 11 is a functional block diagram of a call session control function entity according to Embodiment 5 of the present invention.
  • FIG. 11a is a functional block diagram of an authentication information acquiring unit according to Embodiment 5 of the present invention.
  • FIG. 11b is a functional block diagram of an authentication response sending unit according to Embodiment 5 of the present invention.
  • FIG. 12 is a functional block diagram of a home subscriber server according to Embodiment 6 of the present invention.
  • FIG. 13 is a block diagram showing the overall function of a user equipment according to Embodiment 7 of the present invention.
  • FIG. 14 is a detailed functional block diagram of a user equipment according to Embodiment 7 of the present invention.
  • the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. The described embodiments are only a part of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without departing from the inventive scope fall within the scope of the present invention.
  • the application server according to the embodiment of the present invention mainly refers to an application server that is independent of the IMS network and needs independent authentication.
  • Such an application server usually provides value-added services independently, such as a "WEB domain application server.”
  • the interface between the HSS (Home Subscriber Server) and the CSCF (Call Session Control Function) is the Cx interface; its main functions include location management, user data download/update handling, and user authentication.
  • Embodiment 1 The embodiment 1 of the present invention provides a method and system for unified authentication of an IP multimedia subsystem IMS network and an application server.
  • Embodiment 1 of the present invention utilizes existing IMS devices and processes, with appropriate extensions, to support unified authentication of the IMS network and the application server. That is, after the UE has been authenticated by the IMS network, it uses the authentication information acquired during the IMS network authentication process to authenticate automatically to the other application servers it is authorized to use, without user intervention.
  • FIG. 2 is a flowchart of the signaling interaction of the system according to Embodiment 1 of the present invention. As shown in Figure 2, the signaling interaction process includes:
  • S201: the user equipment performs IP multimedia subsystem IMS network authentication, and the UE sends an IMS network authentication request to the CSCF;
  • the authentication algorithms include IMS AKA (Authentication and Key Agreement), Early AKA, or HTTP Digest (HTTP digest authentication), etc.;
  • the CSCF sends a SAR message to the HSS to obtain the user subscription information (User Profile) of the UE;
  • the HSS returns the user subscription information of the UE to the CSCF through the extended SAA message; if the corresponding IMPU (IP Multimedia Public Identity) or IRS (Implicitly Registered Set) has associated application server authentication information, that information is included in the User Profile; otherwise the User Profile does not include it;
  • the CSCF determines whether the User Profile carries application server authentication information. If not, the CSCF returns an IMS network authentication response message 200 OK identical to the prior art. If so, the CSCF returns the IMS network authentication response message 200 OK to the UE, and the 200 OK carries the above application server authentication information;
  • the UE checks whether the p-aso-uri-spec list of the P-Associated-URI header carries the http-username, http-token and other parameters. From the first URI that carries the http-username parameter it takes the http-token and the other parameters and decrypts them with the cipher key CK produced by IMS AKA; if the UE and the IMS network used HTTP Digest authentication, HA1 is used for decryption instead;
  • S206: the UE authenticates to the application server according to the returned authentication information;
  • the application server uses the HTTP Digest authentication method to authenticate the user;
  • the UE uses the HTTP username and HTTP Token (the WEB password) obtained from the IMS network to calculate the Digest response and complete the authentication;
  • S207: the application server returns the authentication result;
  • S206-S207 are executed repeatedly.
  • Embodiment 1 of the present invention implements unified authentication of the IMS network and the application server by using the existing authentication process.
  • a system 10 for unified authentication of an IP multimedia subsystem IMS network and an application server according to Embodiment 1 of the present invention includes:
  • the user equipment UE 101, configured to send an IP multimedia subsystem IMS network authentication request to the call session control function entity CSCF 102, receive the IMS network authentication response message 200 OK sent by the CSCF 102, where the 200 OK carries the application server authentication information, and use the application server authentication information to authenticate to the application server;
  • the call session control function entity CSCF 102, configured to receive the IP multimedia subsystem IMS network authentication request sent by the user equipment UE 101, send a SAR message to the home subscriber server HSS 103 to obtain the user subscription information User Profile of the UE 101, receive the SAA message sent by the HSS 103, where the SAA message includes the User Profile and the User Profile carries application server authentication information, and send the IMS network authentication response message 200 OK including the application server authentication information to the UE 101, to trigger the UE 101 to use the application server authentication information to authenticate to the application server 104;
  • the home subscriber server HSS 103, configured to receive the SAR message sent by the call session control function entity CSCF 102 and, when application server authentication information corresponding to the UE 101 is stored, send to the CSCF 102 an SAA message containing the user subscription information User Profile of the UE 101, where the User Profile carries the application server authentication information;
  • the application server AS 104, configured to receive the authentication request sent by the UE 101, authenticate the UE 101, and return an authentication response to the UE 101.
  • the HSS extends the User Profile structure carried in the SAA message on the Cx interface by adding the application server authentication information structure at the end of the User Profile structure, thereby transmitting the application server authentication information to the CSCF through the SAA message.
  • the CSCF encrypts the application server authentication information with the cipher key CK (from IMS AKA) or with HA1 (from HTTP Digest) before transmitting it in the 200 OK message, thereby protecting the application server authentication information in transit.
  • the UE authenticates to the application server with the application server authentication information carried by the 200 OK message, without manually entering the application server authentication information, thereby reducing the operation burden on the user and realizing automatic authentication.
  • Embodiment 2 provides an authentication method, which is a method for unified authentication of an IP multimedia subsystem IMS network and an application server, and an execution body of the method may be a CSCF.
  • Figure 4 is a general flow chart of the method of Embodiment 2 of the present invention. As shown in FIG. 4, the method includes: S401, receiving an IP multimedia subsystem IMS network authentication request sent by a user equipment UE;
  • S402, obtaining application server authentication information from the home subscriber server HSS according to the IMS network authentication request.
  • the application server authentication information includes: the authentication username of the application server, HTTP-Username; the authentication password of the application server (extensible to other authentication credentials), HTTP-Token; and additional parameters of the application server, Add-ons (for example, the IP address of the application server).
  • Add-ons is an optional parameter.
  • the above Add-ons parameter includes one or more server parameters Server-parameter.
  • the UE has defined which application servers need to be authenticated, but it does not know the information required for that authentication, such as the IP address, username and password; once the IMS network returns this information, the UE can authenticate to the application server.
  • FIG. 4a is a specific flowchart 1 of the method according to Embodiment 2 of the present invention.
  • the method may include:
  • the SAR message is a Server-Assignment-Request message.
  • the Server-Assignment-Request is a command sent by the CSCF to the HSS over the Cx interface, and the SAR message may carry the IMPU and/or IMPI (IP Multimedia Private Identity) of the UE, so that the HSS queries whether application server authentication information corresponding to the UE is stored, based on the IMPU and/or IMPI of the UE.
  • IMPI IP Multimedia Private Identity
  • receiving the SAA message sent by the HSS, where the SAA message includes the User Profile, and the User Profile carries the application server authentication information.
  • the SAA message is a Server-Assignment-Answer message, which is the HSS's response to the SAR command on the Cx interface.
  • the application server authentication information may also be delivered through other messages in other procedures defined between the CSCF and the HSS.
  • sending the IMS network authentication response message 200 OK including the application server authentication information to the UE, to trigger the UE to use the application server authentication information to authenticate to the application server.
  • FIG. 4b is a specific flowchart 2 of the method of Embodiment 2 of the present invention. The difference between Fig. 4b and Fig. 4a lies in S404b.
  • S404b may also include:
  • assigning the values of the one or more server parameters Server-parameter included in the Add-ons to further corresponding ai-param parameters of the P-Associated-URI header field;
  • sending the IMS network authentication response message 200 OK to the UE, where the 200 OK includes an associated uniform resource identifier P-Associated-URI header field, and the P-Associated-URI header field includes the first ai-param parameter, the second ai-param parameter, and further ai-param parameters carrying the values of the Server-parameters.
  • FIG. 4c is a specific flowchart 3 of the method of Embodiment 2 of the present invention.
  • Figure 4c differs from Figure 4 in S404c and S405c.
  • S404c: encrypt the application server authentication information with the cipher key CK or with HA1;
  • the method for carrying the application server authentication information in the foregoing 200 OK response may include: transmitting the application server authentication information as ai-param parameters of the P-Associated-URI header field.
  • P-Associated-URI is defined in the standard (RFC 3455) as:
  • p-aso-uri-spec = name-addr *(SEMI ai-param)
  • ai-param = generic-param
  • the following example illustrates how the "application server authentication information" is carried by the parameters defined for P-Associated-URI.
  • the CSCF takes the HTTP-Username field of the application server authentication information, copies its content into the http-username parameter, and uses http-username as an ai-param parameter of the P-Associated-URI;
  • the CSCF takes the HTTP-Token field of the application server authentication information, copies its content into the http-token parameter, and uses http-token as an ai-param parameter of the P-Associated-URI.
  • the application server authentication information can be encrypted with CK; if the UE and the IMS network use HTTP Digest authentication, it is encrypted with HA1 (the intermediate result of the HTTP Digest authentication calculation).
  • the method of the embodiment of the present invention receives the SAA message sent by the HSS that includes the application server authentication information, and sends the application server authentication information to the UE in the 200 OK response, so that the UE can use the application server authentication information received in the 200 OK to authenticate to the application server. This process requires no manual intervention, implements automatic authentication to the application server, and also implements unified authentication of the IMS network and the application server, which facilitates use by the user.
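The P-Associated-URI carriage described above (S204-S205 of Embodiment 1 and S404/S404b/S404c of Embodiment 2; the UE side of it is what S1002a-S1003b of Embodiment 4 describe), as an added Python example that is not part of the patent. The ai-param names http-username and http-token come from the text; the Server-parameter name server-ip, the sample identities and cipher key, and the whole wrap()/unwrap() construction are assumptions. The patent only says the information is encrypted with CK or HA1 and names no cipher, so an HMAC-SHA256 keystream with an encrypt-then-MAC tag stands in for whatever cipher a real implementation would use.

```python
import hashlib
import hmac
import os
import re
from urllib.parse import quote, unquote

# Constructed sample data, not taken from the patent: the record the CSCF received
# in the SAA User Profile, the UE's IRS, and the cipher key CK of the IMS AKA run.
APP_SERVER_AUTH_INFO = {
    "HTTP-Username": "alice",
    "HTTP-Token": "s3cret-web-password",
    "Add-ons": {"server-ip": "192.0.2.10"},      # one Server-parameter (assumed name)
}
IMPUS = ["sip:alice@example.com", "tel:+15551230001"]
CK = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def digest_ha1(username, realm, password):
    """RFC 2617 HA1 = MD5(username:realm:password). When IMS registration used HTTP
    Digest instead of IMS AKA, UE and CSCF share HA1 and use it in place of CK."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()


def _derive_keys(secret):
    # Assumed KDF: separate encryption and MAC keys from CK or HA1. The patent does
    # not name a cipher; wrap()/unwrap() are this example's stand-in construction.
    return (hmac.new(secret, b"as-auth-enc", hashlib.sha256).digest(),
            hmac.new(secret, b"as-auth-mac", hashlib.sha256).digest())


def _keystream_xor(enc_key, nonce, data):
    stream, counter = bytearray(), 0
    while len(stream) < len(data):
        stream += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(d ^ k for d, k in zip(data, stream))


def wrap(secret, plaintext):
    """Encrypt-then-MAC; hex output is a valid SIP token, so it fits a gen-value."""
    enc_key, mac_key = _derive_keys(secret)
    nonce = os.urandom(8)
    ct = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]
    return (nonce + ct + tag).hex()


def unwrap(secret, blob_hex):
    enc_key, mac_key = _derive_keys(secret)
    blob = bytes.fromhex(blob_hex)
    nonce, ct, tag = blob[:8], blob[8:-16], blob[-16:]
    expect = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("application server authentication information was modified or keyed wrongly")
    return _keystream_xor(enc_key, nonce, ct)


def build_p_associated_uri(impus, info, secret):
    """CSCF side (S204 / S404c): p-aso-uri-spec = name-addr *(SEMI ai-param). The
    first URI carries http-username and http-token, each Server-parameter of Add-ons
    becomes a further ai-param, and the remaining IMPUs of the IRS follow as-is."""
    params = ["http-username=" + quote(info["HTTP-Username"], safe=""),
              "http-token=" + wrap(secret, info["HTTP-Token"].encode())]
    params += [f"{k}={quote(v, safe='')}" for k, v in info.get("Add-ons", {}).items()]
    specs = [f"<{impus[0]}>;" + ";".join(params)] + [f"<{u}>" for u in impus[1:]]
    return "P-Associated-URI: " + ", ".join(specs)


_SPEC = re.compile(r"<([^>]+)>((?:;[^;,]+)*)")


def parse_p_associated_uri(header):
    """UE side: list of (uri, {ai-param name: value}) in header order."""
    result = []
    for m in _SPEC.finditer(header.split(":", 1)[1]):
        params = {}
        for item in m.group(2).split(";")[1:]:
            name, _, value = item.partition("=")
            params[name.strip().lower()] = value.strip()
        result.append((m.group(1), params))
    return result


def extract_app_server_credentials(header, secret):
    """UE side (S205 / S1003b): use the first URI carrying http-username, decrypt its
    http-token, keep the other ai-params as Add-ons. None means a plain prior-art
    200 OK without application server authentication information."""
    for uri, params in parse_p_associated_uri(header):
        if "http-username" in params and "http-token" in params:
            return {"uri": uri,
                    "username": unquote(params["http-username"]),
                    "token": unwrap(secret, params["http-token"]).decode(),
                    "add-ons": {k: unquote(v) for k, v in params.items()
                                if k not in ("http-username", "http-token")}}
    return None
```

Two points worth noticing. The UE takes credentials only from the first URI that carries http-username, and a 200 OK without those parameters falls through to the prior-art path rather than failing. And the strength of the protection differs by key: CK from IMS AKA is a fresh 128-bit key per registration, whereas HA1 is MD5 over the IMS Digest password, so with HA1 the confidentiality of the web password rests entirely on that password and on the UE deriving HA1 with the same realm the CSCF used.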
  • Embodiment 3 of the present invention provides a method for transmitting authentication information of an application server, and the execution subject of the method may be an HSS.
  • FIG. 5 is a flowchart of a method according to Embodiment 3 of the present invention. As shown in Figure 5, the method includes:
  • S501: receiving the first message sent by the call session control function entity CSCF, where the first message includes the identifier of a UE requesting IMS network authentication;
  • S502: determining, according to the first message, whether there is application server authentication information corresponding to the UE;
  • the first message may be a SAR message;
  • the second message may be an SAA message;
  • the UE identifier includes the IP multimedia public identity IMPU of the UE and/or its IP multimedia private identity IMPI.
  • the process of S503 may specifically include:
  • sending the SAA message, where the SAA message includes the user subscription information User Profile of the UE, and the User Profile carries the application server authentication information.
  • the SAR message may carry the IMPU and/or the IMPI of the UE, so that the HSS queries the application server authentication information corresponding to the UE according to the IMPU and/or IMPI of the UE.
  • multiple IMPUs may form one IRS.
  • the authentication information of the application server is stored in the HSS.
  • the authentication information of the application server may be associated with one or more IMPUs, that is, one record of application server authentication information may correspond to, and belong to, one or more IMPUs.
  • the associated IMPUs can be registered as an IRS in the HSS, which is equivalent to associating the application server authentication information with the IRS.
  • the multiple IMPUs are placed in one set, so that when the UE has multiple IMPUs, the application server authentication information is obtained regardless of which IMPU is used to register, without saving the application server authentication information on the HSS multiple times; the User Profile returned for any of them contains the application server authentication information.
  • the User Profile structure carried in the SAA message on the Cx interface is extended by adding the application server authentication information structure at the end of the User Profile structure; this is represented in UML (Unified Modeling Language) in Figure 6, which is a schematic diagram of the expanded User Profile structure of Embodiment 3 of the present invention.
  • UML Unified Modeling Language
  • an IMPI of an IMS user may correspond to one or more "Service Profiles" and to one or zero "application server authentication information" structures.
  • "1...n" in Fig. 6 indicates one or more, and "0...1" indicates none or one.
  • FIG. 7 is a diagram showing an example of the in-line format of a User Profile according to Embodiment 3 of the present invention. Only two Service Profiles are shown in Figure 7; for other applications more than two Service Profiles can be used. Only three Public IDs are shown in Figure 7; for other applications more than three Public IDs can be used.
  • the IFC in Figure 7 represents the initial filter criteria.
  • the service profile is the same as defined in the original user profile.
  • FIG. 8 is a schematic structural diagram of application server authentication information according to Embodiment 3 of the present invention.
  • HTTP-Username indicates the authentication user name of the application server
  • HTTP-Token indicates the authentication password of the application server (expandable to authentication credentials)
  • Add-ons stores additional parameters of the application server. (eg the IP address of the application server).
  • an application server authentication information structure may include, for example, one HTTP-Username, one HTTP-Token, and one or zero Add-ons. In other applications it may also include multiple HTTP-Usernames, multiple HTTP-Tokens, and more Add-ons.
  • the application server authentication information structure may also be extended, and different authentication user names and authentication passwords may be specified for multiple application servers.
  • the Add-ons field of the application server authentication information structure can be defined as shown in FIG. 9. Figure 9 is a diagram showing the definition of the Add-ons field in Embodiment 3 of the present invention.
  • the HSS extends the User Profile information structure included in the SAA message by adding the application server authentication information structure at the end of the User Profile structure, and returns an SAA message carrying the application server authentication information to the CSCF, thereby transmitting the application server authentication information to the CSCF.
  • alternatively, the application server authentication information structure can be added in front of the User Profile structure.
  • Embodiment 3 of the present invention adds the application server authentication information structure to the end of the User Profile structure by extending the User Profile structure carried in the SAA message, so that the application server authentication information can be sent to the CSCF through the SAA message, so that the CSCF can send the application server authentication information to the UE, and so that the UE authenticates to the application server according to the application server authentication information.
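The HSS side of Embodiment 3 as an added Python example, not code from the patent: the identity carried in the SAR (IMPU and/or IMPI) is resolved to one subscriber record whose application server authentication information is attached to the implicitly registered set, so any IMPU of the set yields the same credentials and they are stored once; the User Profile is then serialized with the application server authentication information structure appended at the end, and the CSCF-side reader pulls it back out. The XML element names of the extension (ApplicationServerAuthInfo, Server-parameter), the subscriber data and the IFC values are constructed for the example; the IMSSubscription/ServiceProfile/PublicIdentity layout follows the shape of the 3GPP TS 29.228 User-Data in simplified form.

```python
import xml.etree.ElementTree as ET

# Constructed HSS data, not from the patent. One application server authentication
# information record hangs off the implicitly registered set (IRS), so it is stored
# once however many IMPUs the subscriber has ("0...1" per IMPI in Figure 6).
SUBSCRIBERS = {
    "alice@example.com": {                                      # IMPI
        "irs": ["sip:alice@example.com", "tel:+15551230001"],   # IMPUs of the IRS
        "ifc": ("sip:group-as.example.com", 0),                 # (AS name, priority)
        "app_server_auth": {
            "HTTP-Username": "alice",
            "HTTP-Token": "s3cret-web-password",
            "Add-ons": {"server-ip": "192.0.2.10"},
        },
    },
    "bob@example.com": {
        "irs": ["sip:bob@example.com"],
        "ifc": ("sip:group-as.example.com", 0),
        "app_server_auth": None,          # no application server credentials stored
    },
}


def find_subscriber(impu=None, impi=None):
    """S502: resolve the identity carried in the SAR (IMPU and/or IMPI) to one record.
    Every IMPU of the IRS maps to the same record, so it does not matter which
    identity the UE registered with."""
    for private_id, rec in SUBSCRIBERS.items():
        if impi is not None and impi != private_id:
            continue
        if impu is not None and impu not in rec["irs"]:
            continue
        return private_id, rec
    return None, None


def build_user_profile(private_id, rec):
    """Serialize the User Profile and append the application server authentication
    information structure at the end (Embodiment 3). The layout follows the
    IMSSubscription/ServiceProfile shape of TS 29.228 in simplified form; the
    extension element names are this example's assumptions."""
    root = ET.Element("IMSSubscription")
    ET.SubElement(root, "PrivateID").text = private_id
    sp = ET.SubElement(root, "ServiceProfile")
    for impu in rec["irs"]:
        ET.SubElement(ET.SubElement(sp, "PublicIdentity"), "Identity").text = impu
    ifc = ET.SubElement(sp, "InitialFilterCriteria")
    ET.SubElement(ifc, "Priority").text = str(rec["ifc"][1])
    ET.SubElement(ET.SubElement(ifc, "ApplicationServer"), "ServerName").text = rec["ifc"][0]
    auth = rec.get("app_server_auth")
    if auth:                                   # "0...1": absent when nothing is stored
        ext = ET.SubElement(root, "ApplicationServerAuthInfo")
        ET.SubElement(ext, "HTTP-Username").text = auth["HTTP-Username"]
        ET.SubElement(ext, "HTTP-Token").text = auth["HTTP-Token"]
        if auth.get("Add-ons"):
            addons = ET.SubElement(ext, "Add-ons")
            for name, value in auth["Add-ons"].items():
                ET.SubElement(addons, "Server-parameter", name=name).text = value
    return ET.tostring(root, encoding="unicode")


def handle_sar(impu=None, impi=None):
    """S501-S503: answer the CSCF's SAR with the User-Data for the SAA, or None when
    the identity is unknown (a real HSS would answer DIAMETER_ERROR_USER_UNKNOWN)."""
    private_id, rec = find_subscriber(impu=impu, impi=impi)
    return None if rec is None else build_user_profile(private_id, rec)


def extract_app_server_auth(user_data_xml):
    """CSCF side of the same extension (Embodiment 2): read the appended structure
    back. None sends the CSCF down the prior-art path, a 200 OK without credentials."""
    ext = ET.fromstring(user_data_xml).find("ApplicationServerAuthInfo")
    if ext is None:
        return None
    return {"HTTP-Username": ext.findtext("HTTP-Username"),
            "HTTP-Token": ext.findtext("HTTP-Token"),
            "Add-ons": {e.get("name"): e.text for e in ext.iter("Server-parameter")}}
```

Note what travels where in this design: the HSS hands the HTTP-Token to the CSCF in the clear inside the User Profile, and only the CSCF-to-UE leg is encrypted with CK or HA1, so the Cx leg depends on whatever transport protection the operator applies to Diameter between HSS and CSCF.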
  • Embodiment 4 provides an authentication method, which is a method for unified authentication of an IP multimedia subsystem IMS network and an application server.
  • the execution body of the method may be a UE.
  • Figure 10 is a general flow chart of the method of Embodiment 4 of the present invention. As shown in FIG. 10, the method includes: S1001, sending an IMS network authentication request to a call session control function entity CSCF;
  • FIG. 10a is a specific flowchart 1 of the method according to Embodiment 4 of the present invention.
  • Figure 10a differs from Figure 10 in S1002a.
  • S1002a: receiving the IMS network authentication response message 200 OK sent by the CSCF, where the 200 OK includes an associated uniform resource identifier P-Associated-URI header field, and the P-Associated-URI header field carries the application server authentication information.
  • the process of S1002a may include:
  • the P-Associated-URI header field includes an associated uniform resource identifier, and the plurality of ai-param parameters included in the P-Associated-URI header field carry the authentication username of the application server, HTTP-Username, the authentication password of the application server, HTTP-Token, and one or zero additional parameter sets Add-ons of the application server.
  • FIG. 10b is a specific flowchart 2 of the method in Embodiment 4 of the present invention. As shown in Figure 10b, the method includes:
  • S1001b: sending an IMS network authentication request to the call session control function entity CSCF;
  • S1002b: receiving the IMS network authentication response message sent by the CSCF, where the IMS network authentication response message carries application server authentication information encrypted with the cipher key CK or with HA1;
  • S1003b: decrypting the application server authentication information with the cipher key CK or with HA1;
  • S1004b: using the application server authentication information to authenticate to the application server.
  • by carrying the application server authentication information in the IMS network authentication response message, the method of Embodiment 4 of the present invention enables the UE to obtain the application server authentication information from the received IMS network authentication response message and to authenticate automatically to the application server with it.
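The last step of Embodiment 4 (S1004b, the same step as S206-S207 of Embodiment 1), the UE authenticating to the application server with HTTP Digest using the received http-username and http-token, as an added Python example that is not part of the patent. It implements the RFC 2617 response with qop=auth on both sides. The realm, URI, nonce handling and the in-memory user table are constructed for the example, and the nonce-count replay check is this example's own addition rather than something the patent describes.

```python
import hashlib
import hmac
import os
import re

# Constructed sample values, not from the patent: what the UE extracted from the
# 200 OK, and the application server it is about to use.
HTTP_USERNAME = "alice"
HTTP_TOKEN = "s3cret-web-password"       # the "WEB password"
AS_REALM = "group-as.example.com"
AS_URI = "/addressbook"


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def compute_ha1(username, realm, password):
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 with qop=auth: response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def ue_authorization_header(username, token, realm, method, uri, nonce, nc=1, cnonce=None):
    """UE side (S206 / S1004b): answer the application server's challenge with the
    http-username / http-token obtained from the IMS registration response."""
    cnonce = cnonce or os.urandom(8).hex()
    nc_str = f"{nc:08x}"
    response = digest_response(compute_ha1(username, realm, token), method, uri, nonce, nc_str, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc_str}, cnonce="{cnonce}", response="{response}"')


_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest_header(header):
    if not header.startswith("Digest "):
        return None
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _FIELD.finditer(header[len("Digest "):])}


class ApplicationServer:
    """AS side (S207): checks the Digest response against the same HTTP-Token the HSS
    holds for the user. The nonce/nc bookkeeping (refusing a reused nc) is this
    example's addition; the patent only says the AS authenticates with HTTP Digest."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = users          # username -> HTTP-Token
        self.issued = {}            # nonce -> highest nc accepted so far

    def challenge(self):
        nonce = os.urandom(16).hex()
        self.issued[nonce] = 0
        return nonce

    def verify(self, method, header):
        f = parse_digest_header(header)
        if f is None or f.get("qop") != "auth":
            return False
        if any(k not in f for k in ("username", "realm", "nonce", "uri", "nc", "cnonce", "response")):
            return False
        if f["realm"] != self.realm or f["nonce"] not in self.issued:
            return False
        nc = int(f["nc"], 16)
        if nc <= self.issued[f["nonce"]]:
            return False                               # replayed or reordered request
        token = self.users.get(f["username"])
        if token is None:
            return False
        expected = digest_response(compute_ha1(f["username"], self.realm, token),
                                   method, f["uri"], f["nonce"], f["nc"], f["cnonce"])
        if not hmac.compare_digest(expected, f["response"]):
            return False
        self.issued[f["nonce"]] = nc
        return True
```

The application server needs the same HTTP-Token the HSS stores, or, as RFC 2617 allows, only HA1 for its realm; in the latter case the realm the application server challenges with must match the one used to derive the stored HA1, or every response will fail verification.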
  • Embodiment 5 of the present invention provides a call session control function entity CSCF. This CSCF is formed corresponding to the method of Embodiment 2.
  • FIG. 11 is a functional block diagram of a call session control function entity according to Embodiment 5 of the present invention.
  • the CSCF 20 includes:
  • the authentication request receiving unit 201, configured to receive an IP multimedia subsystem IMS network authentication request sent by the user equipment UE;
  • the authentication information obtaining unit 202, configured to obtain application server authentication information from the home subscriber server HSS according to the IMS network authentication request;
  • the authentication response sending unit 203, configured to send an IMS network authentication response message that includes the application server authentication information to the UE, to trigger the UE to use the application server authentication information to authenticate to the application server.
  • Figure 11a is a functional block diagram of an authentication information acquisition unit.
  • the authentication information obtaining unit 202 may include:
  • the requesting sub-unit 2021 is configured to send a SAR message to the home subscriber server HSS, to obtain a user subscription information of the UE;
  • the receiving subunit 2022 is configured to receive an SAA message sent by the HSS, where the SAA message includes the User Profile, and the User Profile carries application server authentication information.
  • the authentication response sending unit 203 is configured to send an IMS network authentication response message 200 OK to the UE, where an associated unified resource identifier P-Associated-URI header field is added to the 200 OK, and the P-Associated-URI header field carries the application server authentication information.
  • Figure 11b is a functional block diagram of the authentication response sending unit.
  • the authentication response sending unit 203 may include: an encryption subunit 2031, configured to encrypt the application server authentication information by using the check bit CK or HA1; and a sending subunit 2032, configured to send an IMS network authentication response message to the UE, where the IMS network authentication response message includes the application server authentication information encrypted by using CK or HA1.
  • the application server authentication information includes: an authentication user name of the application server, HTTP-Username, and an authentication password of the application server, HTTP-Token; optionally, the application server authentication information may further include an additional parameter of the application server, Add-ons.
  • the Add-ons includes one or more server parameters.
  • the CSCF entity provided by Embodiment 5 of the present invention receives an SAA message whose User Profile structure has been extended so that the application server authentication information is appended to the end of the User Profile structure; in this way, the corresponding application server authentication information can be obtained from the HSS.
  • during the transmission of the application server authentication information, the CSCF entity encrypts it by using CK, or, when the UE and the IMS use HTTP Digest authentication, by using HA1, thereby ensuring the security of the transmission.
  • the CSCF entity carries the application server authentication information in the 200 OK message returned to the UE, so that the UE can use the application server authentication information to authenticate to the application server.
  • This process realizes automatic authentication without manual intervention.
  • Unified authentication of the IMS and the application server is realized, which brings great convenience to the user and to operator management; at the same time, operator investment is saved, and no additional authentication is needed.
  • Embodiment 6 of the present invention provides a home subscriber server, which corresponds to the method of Embodiment 3.
  • Figure 12 is a functional block diagram of a home subscriber server according to Embodiment 6 of the present invention. As shown in FIG. 12,
  • the home subscriber server 30 includes: a receiving unit 301, configured to receive a first message sent by a call session control function entity CSCF, where the first message includes an identifier of the UE that requests authentication of the IMS network; a determining unit, configured to determine whether there is application server authentication information corresponding to the UE; and a sending unit 302, configured to send to the CSCF, when the application server authentication information corresponding to the UE exists, a second message carrying the application server authentication information corresponding to the UE.
  • the first message may be a SAR message;
  • the second message may be an SAA message;
  • the identifier of the UE includes an IP multimedia public identity (IMPU) or an IP multimedia private identity (IMPI) of the UE.
  • the sending unit 302 may be configured to: when the application server authentication information corresponding to the UE exists, send an SAA message to the CSCF, where the SAA message includes the user subscription information User Profile of the UE, and the User Profile carries the application server authentication information.
  • Embodiment 7 of the present invention provides a user equipment, which corresponds to the method of Embodiment 4.
  • FIG. 13 is a functional block diagram of a user equipment according to Embodiment 7 of the present invention. As shown in FIG. 13, the user device 40 includes:
  • the first authentication request sending unit 401 is configured to send an IP multimedia subsystem IMS network authentication request to the call session control function entity CSCF;
  • the authentication response receiving unit 402 is configured to receive an IMS network authentication response message sent by the CSCF, where the IMS network authentication response message carries the authentication information of the application server;
  • the second authentication request sending unit 403 is configured to use the application server authentication information to authenticate to the application server.
  • the authentication response receiving unit 401 is further configured to receive an IMS network authentication response message 200 OK sent by the CSCF, where the 200 OK includes an associated unified resource identifier.
  • the authentication response receiving unit 401 is further configured to receive an IMS network authentication response message sent by the CSCF, where the associated unified resource identifier of the IMS network authentication response message is carried in a P-Associated-URI header field;
  • the P-Associated-URI header field includes a plurality of ai-param parameters, which carry the value of the authentication user name HTTP-Username of the application server, the value of the authentication password HTTP-Token of the application server, and the value of the additional parameter Add-ons of the application server (present once or not at all).
  • the authentication response receiving unit 401 is further configured to receive an IMS network authentication response message sent by the CSCF, where the IMS network authentication response message carries application server authentication information encrypted by using the check bit CK or HA1.
  • FIG. 14 is a detailed functional block diagram of a user equipment according to Embodiment 7 of the present invention.
  • the user equipment 40 may further include:
  • the decryption unit 404 is configured to decrypt the application server authentication information by using the check bit CK or HA1.
  • the user equipment provided in Embodiment 7 of the present invention can use the application server authentication information carried in the 200 OK message to authenticate to the application server, without the user having to input the application server authentication information manually, thereby facilitating the user.
  • the method of the embodiment of the present invention implements unified authentication of the IMS network and the application server by carrying the authentication information of the application server in the result returned by the IMS network authentication.
  • the storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), or a random access memory (RAM).
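The exchange described for Embodiments 5 to 7 (CSCF obtains the extended User Profile from the HSS, places HTTP-Username, HTTP-Token and Add-ons as ai-param parameters in the P-Associated-URI header of the 200 OK, protects them with CK or HA1, and the UE decrypts them) is shown below as an added, runnable illustration. It is not code from the patent, from Huawei or from 3GPP. The page does not specify the cipher, so an HMAC-SHA256 counter-mode keystream plus a truncated HMAC tag is assumed here; the ai-param value encoding (a quoted `name=hex` string), the helper names and the sample subscriber data are likewise constructed for the example.

```python
import hashlib
import hmac
import os
import re

# Constructed sample: the HSS User Profile, extended (as the page describes) with
# the application server authentication information appended at its end.
HSS_USER_PROFILES = {
    "sip:alice@example.com": {
        "HTTP-Username": "alice_as",
        "HTTP-Token": "s3cr3t-token-0001",
        "Add-ons": {"as-uri": "https://as.example.com", "realm": "as.example.com"},
    }
}


def hss_saa(impu):
    """HSS side: answer the CSCF's SAR with the User Profile, or None when the
    UE has no application server authentication information (the sending unit
    only includes it when it exists)."""
    return HSS_USER_PROFILES.get(impu)


def http_digest_ha1(username, realm, password):
    """HA1 as defined for HTTP Digest (RFC 2617): MD5(username:realm:password).
    Used as the protection key when UE and IMS authenticate with HTTP Digest."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


def _keystream(key, nonce, length):
    """Assumed construction: HMAC-SHA256 in counter mode used as a keystream."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect(key, plaintext, nonce=b""):
    """Encrypt-then-MAC one credential value with CK or HA1 as the key.
    Output layout (assumed): 12-byte nonce || ciphertext || 16-byte tag."""
    nonce = nonce or os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"ai-param" + nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def unprotect(key, blob):
    """UE side (decryption unit 404): verify the tag before decrypting, so a
    tampered or foreign blob is rejected instead of yielding garbage credentials."""
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expected = hmac.new(key, b"ai-param" + nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ai-param integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def cscf_build_200_ok(impu, key):
    """CSCF side (units 202/203): fetch the profile and return the 200 OK whose
    P-Associated-URI header carries one ai-param per credential field."""
    profile = hss_saa(impu)
    params = ""
    if profile is not None:
        fields = [("HTTP-Username", profile["HTTP-Username"]),
                  ("HTTP-Token", profile["HTTP-Token"])]
        fields += [(f"Add-ons.{k}", v) for k, v in profile.get("Add-ons", {}).items()]
        for name, value in fields:
            params += f';ai-param="{name}={protect(key, value.encode()).hex()}"'
    return f"SIP/2.0 200 OK\r\nP-Associated-URI: <{impu}>{params}\r\n\r\n"


def ue_parse_200_ok(msg, key):
    """UE side (units 402/404): extract the ai-param values from the
    P-Associated-URI header and decrypt them with the same CK or HA1."""
    m = re.search(r"^P-Associated-URI:\s*(.*?)\r?$", msg, re.M)
    if m is None:
        raise ValueError("200 OK has no P-Associated-URI header")
    creds = {}
    for name, hexblob in re.findall(r';ai-param="([A-Za-z0-9.\-]+)=([0-9a-f]+)"', m.group(1)):
        creds[name] = unprotect(key, bytes.fromhex(hexblob)).decode()
    return creds


if __name__ == "__main__":
    # HTTP Digest case: the shared HA1 doubles as the protection key.
    ha1 = http_digest_ha1("alice", "ims.example.com", "ims-password")
    ok = cscf_build_200_ok("sip:alice@example.com", ha1)
    print(ok)
    print(ue_parse_200_ok(ok, ha1))
```

The tag check is the part worth noting for a defender: the page only speaks of encrypting the credentials with CK or HA1, but a UE that decrypts without verifying integrity would silently accept modified HTTP-Token or Add-ons values, so the example rejects any blob whose tag does not verify and returns an empty credential set for a subscriber whose User Profile carries no application server authentication information.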

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Telephonic Communication Services (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The embodiments of the present invention relate to an authentication method and device. The method comprises the steps of: receiving an Internet Protocol (IP) multimedia subsystem (IMS) network authentication request sent by a user equipment (UE); according to the IMS network authentication request, obtaining the authentication information of an application server from a home subscriber server (HSS); and sending the IMS network authentication response message to the UE so as to cause the UE to use the authentication information of the application server to authenticate to the application server. By transmitting the application server authentication information in the result returned from the IMS network authentication, the method of the embodiments of the invention achieves uniform authentication of the IMS and the application server without requiring manual user intervention in the application server authentication process. The method brings great convenience to users and to operator management; moreover, the existing IMS authentication flow is fully reused, so the method is simple to implement.
PCT/CN2010/077516 2009-09-30 2010-09-30 Authentication method and device WO2011038691A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200910174570.1 2009-09-30
CN200910174570A CN101668016B (zh) 2009-09-30 2009-09-30 Authentication method and device

Publications (1)

Publication Number Publication Date
WO2011038691A1 true WO2011038691A1 (fr) 2011-04-07

Family

ID=41804456

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2010/077516 WO2011038691A1 (fr) 2009-09-30 2010-09-30 Authentication method and device

Country Status (2)

Country Link
CN (1) CN101668016B (fr)
WO (1) WO2011038691A1 (fr)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101668016B (zh) * 2009-09-30 2012-10-03 华为技术有限公司 Authentication method and device
WO2012103735A1 (fr) * 2011-06-30 2012-08-09 华为技术有限公司 Method and apparatus for authenticating user equipment in a generic authentication architecture
CN102916966A (zh) * 2012-10-30 2013-02-06 青岛百灵信息科技有限公司 HIS communication dial-up module based on cloud computing and C2D
CN105636034A (zh) * 2014-10-30 2016-06-01 南京悠信网络科技有限公司 Authentication method and device for user equipment
CN106713249A (zh) * 2015-11-18 2017-05-24 大唐移动通信设备有限公司 Authentication method and device
CN107172494B (zh) * 2017-06-29 2019-07-16 深圳市茁壮网络股份有限公司 Authentication method and authentication system
CN110741613B (zh) 2017-10-16 2021-01-12 Oppo广东移动通信有限公司 Method, device, storage medium and system for identifying encrypted data streams
CN109618194B (zh) * 2018-12-10 2021-05-11 贝尔合控(深圳)科技有限责任公司 Authenticated on-demand method based on the on-demand platform side, and device therefor

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1812322A (zh) * 2005-01-28 2006-08-02 华为技术有限公司 Authentication system and processing method
CN1859099A (zh) * 2006-03-08 2006-11-08 华为技术有限公司 Method for online application authentication in a GPRS network
CN1866823A (zh) * 2006-02-08 2006-11-22 华为技术有限公司 Authentication method, authentication device and authentication system in an IMS network
CN1968138A (zh) * 2006-06-07 2007-05-23 华为技术有限公司 Method and device for managing IMS network user registration information
CN101668016A (zh) * 2009-09-30 2010-03-10 华为技术有限公司 Authentication method and device

Also Published As

Publication number Publication date
CN101668016A (zh) 2010-03-10
CN101668016B (zh) 2012-10-03

Similar Documents

Publication Publication Date Title
JP5496907B2 (ja) Key management for secure communication
WO2011038691A1 (fr) Authentication method and device
JP5269916B2 (ja) Method and apparatus for remote access to a local network
JP4860756B2 (ja) User device, control method therefor, and IMS user equipment
US8613058B2 (en) Systems, methods and computer program products for providing additional authentication beyond user equipment authentication in an IMS network
US8959343B2 (en) Authentication system, method and device
JP5580401B2 (ja) Security key management in IMS-based multimedia broadcast and multicast service (MBMS)
CN101635823B (zh) Method and system for a terminal to encrypt video conference data
WO2009062415A1 (fr) Request message authentication method and associated apparatus
WO2007003140A1 (fr) IP multimedia subsystem authentication method
WO2006047925A1 (fr) Method for selecting the network-side authentication mode
WO2012151312A1 (fr) System and method for providing access credentials
WO2011079522A1 (fr) Authentication method, system and device
WO2005112338A1 (fr) Key distribution method
WO2008006312A1 (fr) Method for providing a GAA push service and associated device
WO2010081313A1 (fr) Security management method and system for a WAPI terminal accessing an IMS network
WO2008089698A1 (fr) Method and system for distributing media stream secret keys
WO2006072209A1 (fr) Key negotiation method in an IP multimedia subsystem
WO2021093997A1 (fr) Method for supporting authentication of a user equipment
WO2012129934A1 (fr) Authentication method, apparatus and system for CDN interconnection
JP6496405B2 (ja) Method and apparatus for obtaining SIP signaling decryption parameters
JP5308527B2 (ja) Proxy server, control method therefor, content server, and control method therefor
CN103067345A (zh) Bootstrapping method and system for a GBA variant
WO2011035579A1 (fr) Authentication method, system and terminal for a wireless LAN authentication and privacy infrastructure (WAPI) terminal accessing an IP multimedia subsystem (IMS) network
WO2008089699A1 (fr) Method and system for authenticating a user terminal in an IMS network

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 10819920

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 10819920

Country of ref document: EP

Kind code of ref document: A1