WO2022100666A1 - Information sending method and apparatus - Google Patents


Info

Publication number
WO2022100666A1
Authority
WO
WIPO (PCT)
Prior art keywords
identity
identification
terminal device
key
identifier
Prior art date
Application number
PCT/CN2021/130084
Other languages
French (fr)
Chinese (zh)
Inventor
李飞
何承东
赵绪文
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Publication of WO2022100666A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W8/00 Network data management
    • H04W8/18 Processing of user or subscriber data, e.g. subscribed services, user preferences or user profiles; Transfer of user or subscriber data
    • H04W8/183 Processing at user equipment or user record carrier
    • H04W8/20 Transfer of user or subscriber data
    • H04W8/205 Transfer to or from user equipment or user record carrier
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04W12/03 Protecting confidentiality, e.g. by encryption

Definitions

  • the present application relates to the field of communication technologies, and in particular, to a method and apparatus for sending information.
  • the present application provides an information sending method and device, which can reduce the risk of information leakage, thereby improving security.
  • the method includes: the second subscription server receives first identification information from the first server, where the first identification information includes a third identification of the first terminal device and a fourth identification of the second terminal device, the third identification being obtained by encrypting the first identification and the fourth identification being obtained by encrypting the second identification; or the first identification information includes one of the first identification and the second identification, together with a fifth identification obtained by encrypting the other of the two.
  • only the encrypted first identification and/or second identification are carried over the air interface and through the core network, which avoids the risk of the first identification and/or the second identification being leaked on the air interface or in the core network, thereby improving security.
  • the sixth identification is an identification obtained by encrypting the first identification with a fourth key
  • the seventh identification is an identification obtained by encrypting the second identification with a fifth key
  • the eighth identification is an identification obtained by encrypting the other one of the first identification and the second identification using the sixth key.
  • At least one of the fourth key, the fifth key and the sixth key is a key shared between the second subscription server and the second terminal device; at least one of the fourth key, the fifth key and the sixth key is a key generated from a long-term key of the second terminal device and a random number. Because the first identity and/or the second identity are encrypted under a key shared between the second subscription server and the second terminal device, only a network device holding that shared key can decrypt the sixth, seventh or eighth identity to obtain the first identity and/or the second identity.
  • This prevents other network devices on the routing path from acquiring the first identity and/or the second identity, while the encrypted first identity and/or second identity can still be routed correctly to the second terminal device.
  • the present application provides a method for sending information, applied to a communication system including a first terminal device and a second terminal device; the communication system further includes a second subscription server corresponding to the second terminal device; the first terminal device has a first identity, the second terminal device has a second identity, the first terminal device is the calling party of the communication, and the second terminal device is the called party; the method of the second aspect may be executed by the first server, or by a chip configured in the first server, which is not limited in this application.
  • the above-mentioned first server determines the second subscription server according to the parameters carried in the fourth identity. Alternatively, where the fifth identity is obtained by encrypting the second identity, the first server may determine the second subscription server according to at least one of the parameters carried in the fifth identity.
  • the parameters may include a country code and a national destination code, or a country code, a national destination code and a routing indication.
  • the fourth identity is obtained by the first terminal device encrypting the second identity with the second key; the third identity is obtained by the first terminal device encrypting the first identity with the first key, or the third identity is obtained by the first subscription server encrypting the first identity with the first key.
  • the fifth identity is obtained by the first terminal device encrypting the other of the first identity and the second identity with the third key, or the fifth identity is obtained by the first subscription server encrypting the other of the first identity and the second identity with the third key.
  • the beneficial effects of the second aspect can be found in the beneficial effects of the first aspect.
  • the third identity is an identity obtained by encrypting the first identity with a first key
  • the fourth identity is an identity obtained by encrypting the second identity with a second key
  • the fifth identification is an identification obtained by encrypting the other of the first identification and the second identification with a third key.
  • the present application provides an information sending method, applied to a communication system including a first terminal device and a second terminal device; the first terminal device has a first identity, the second terminal device has a second identity, the first terminal device is the calling party of the communication, and the second terminal device is the called party;
  • the method includes: the first terminal device determines first identification information, where the first identification information includes a third identification of the first terminal device and a fourth identification of the second terminal device, the third identification being obtained by encrypting the first identification and the fourth identification being obtained by encrypting the second identification, or the first identification information includes one of the first identification and the second identification, together with a fifth identification obtained by encrypting the other of the two; the first terminal device then sends the first identification information to the first server.
  • the first subscription server is a subscription server corresponding to the first terminal device
  • the fifth identity is obtained by the first terminal device encrypting the other of the first identity and the second identity with a third key, or by the first subscription server encrypting the other of the first identity and the second identity with the third key.
  • the first server is the interrogating call session control function (I-CSCF) of the network where the second terminal device is located, or the Diameter routing agent (DRA) of that network.
  • the present application provides an information sending method, applied to a communication system including a first terminal device and a second terminal device; the first terminal device has a first identity, the second terminal device has a second identity, the first terminal device is the calling party of the communication, and the second terminal device is the called party;
  • the seventh key is a private key corresponding to the public key of the second terminal device.
  • At least one of the fourth key, the fifth key and the sixth key is a key shared between the second subscription server and the second terminal device; at least one of the fourth key, the fifth key and the sixth key is a key generated from a long-term key of the second terminal device and a random number.
  • the first server is the interrogating call session control function (I-CSCF) entity of the network where the second terminal device is located, or the Diameter routing agent (DRA) of that network.
  • the present application provides a communication device having some or all of the functions of the first to fifth aspects described above.
  • the apparatus may have the functions of some or all of the embodiments of the terminal device in this application, or the functions needed to independently implement any one embodiment of this application.
  • the functions can be implemented by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more units or modules corresponding to the above functions.
  • the structure of the communication device may include a processing unit and a communication unit, and the processing unit is configured to support the communication device to perform the corresponding functions in the above method.
  • the communication unit is used to support communication between the communication device and other devices.
  • the communication device may also include a storage unit for coupling with the processing unit and the communication unit, which stores program instructions and data necessary for the communication device.
  • a communication unit configured to receive first identification information from the first server, where the first identification information includes a third identification of the first terminal device and a fourth identification of the second terminal device, the third identification being obtained by encrypting the first identification and the fourth identification being obtained by encrypting the second identification, or the first identification information includes one of the first identification and the second identification, together with a fifth identification obtained by encrypting the other of the two;
  • a processing unit configured to send a first request to the first subscription server through the communication unit according to the first identification information, where the first request carries the first identification information and is used to request the first identification and/or the second identification;
  • the processing unit is further configured to obtain second identification information according to the first identification and/or the second identification, where the second identification information includes a sixth identification of the first terminal device and a seventh identification of the second terminal device.
  • the sixth identification is an identification obtained by encrypting the first identification
  • the seventh identification is an identification obtained by encrypting the second identification
  • or the second identification information includes one of the first identification and the second identification, together with an eighth identification obtained by encrypting the other of the two
  • the communication unit is further configured to send the second identity information to the first server.
  • the beneficial effects of the sixth aspect may refer to the beneficial effects of the first aspect.
  • the present application provides a communication device, the communication device having part or all of the functions of the first server of the second aspect above.
  • the communication device includes:
  • the communication unit is further configured to send the first identification information to the second subscription server.
  • the present application provides a communication device, which has part or all of the functions of the first subscription server of the third aspect.
  • the communication device may include:
  • a communication unit configured to receive a first request from a second subscription server, where the first request is used to request a first identity and/or a second identity and carries first identity information, and the first identity information includes a third identity of the first terminal device and a fourth identity of the second terminal device, the third identity being obtained by encrypting the first identity and the fourth identity being obtained by encrypting the second identity, or the first identity information includes one of the first identity and the second identity, together with a fifth identity obtained by encrypting the other of the two;
  • the processing unit is configured to send a first response to the second subscription server according to the first request, where the first response carries the first identity and/or the second identity.
  • the present application provides a communication apparatus, the communication apparatus having part or all of the functions of the first terminal device of the fourth aspect above.
  • the communication device includes:
  • a processing unit configured to determine first identification information, where the first identification information includes a third identification of the first terminal device and a fourth identification of the second terminal device, the third identification being obtained by encrypting the first identification and the fourth identification being obtained by encrypting the second identification, or the first identification information includes one of the first identification and the second identification, together with a fifth identification obtained by encrypting the other of the two;
  • the communication unit is used for sending the first identification information to the first server.
  • a communication unit configured to receive second identification information from the first server, where the second identification information includes a sixth identification of the first terminal device and a seventh identification of the second terminal device, the sixth identification being obtained by encrypting the first identification and the seventh identification being obtained by encrypting the second identification, or the second identification information includes one of the first identification and the second identification, together with an eighth identification obtained by encrypting the other of the two;
  • the communication unit in each apparatus may be a transceiver, and the processing unit may be a processor.
  • the processor in each device may be used to perform, for example, but not limited to, baseband related processing
  • the transceiver may be used to perform, for example, but not limited to, radio frequency transmission and reception.
  • the above-mentioned devices may be respectively arranged on chips that are independent of each other, or at least part or all of them may be arranged on the same chip.
  • processors can be further divided into analog baseband processors and digital baseband processors.
  • the analog baseband processor can be integrated with the transceiver on the same chip, and the digital baseband processor can be set on a separate chip. With the continuous development of integrated circuit technology, more and more devices can be integrated on the same chip.
  • a digital baseband processor can be integrated with a variety of application processors (such as but not limited to graphics processors, multimedia processors, etc.) on the same chip.
  • Such a chip may be called a System on Chip. Whether each device is independently arranged on different chips or integrated on one or more chips often depends on the needs of product design. The embodiments of the present application do not limit the implementation form of the foregoing device.
  • the present application provides a communication apparatus, the communication apparatus includes a processor, and when the processor calls a computer program in a memory, the method in the second aspect is executed.
  • the communication device may be the first server.
  • the present application provides a communication device, the communication device includes a processor, and when the processor calls a computer program in a memory, the method of the third aspect is executed.
  • the communication device may be the first subscription server.
  • the present application provides a communication apparatus, the communication apparatus includes a processor, and when the processor calls a computer program in a memory, the method in the fifth aspect is executed.
  • the communication apparatus may be a second terminal device.
  • the communication apparatuses in the above aspects may include a processor and a memory, where the memory is used for storing computer-executed instructions; the processor is used for executing the computer-executed instructions stored in the memory, so that the communication apparatuses perform the methods corresponding to the various aspects.
  • the memory can be inside the processor or outside the processor.
  • These communication means may include a processor, a memory and a transceiver: the transceiver for receiving or transmitting channels or signals, the memory for storing program code, and the processor for invoking the program code from the memory to execute the corresponding methods.
  • These communication devices may also include a processor and an interface circuit, the interface circuit is used to receive code instructions and transmit them to the processor; the processor executes the code instructions to execute the methods corresponding to the various aspects.
  • the present application provides a computer-readable storage medium for storing instructions, and when the instructions are executed, the method of any one of the first to fifth aspects is implemented.
  • the present application provides a computer program product comprising instructions which, when executed, cause the method of any one of the first to fifth aspects to be implemented.
  • FIG. 1 is a schematic flowchart of terminal device registration and authentication
  • FIG. 2 is a schematic flowchart of a method for sending information
  • FIG. 3 is a schematic diagram of a communication system architecture provided by an embodiment of the present application.
  • FIG. 4 is a schematic flowchart of a method for sending information provided by an embodiment of the present application.
  • FIG. 6 is a schematic flowchart of a first terminal device sending first identification information to a first server
  • FIG. 7 is a schematic flow chart of information sending between a second terminal device and a first server
  • FIG. 11 is a schematic flowchart of another terminal device registration authentication provided by an embodiment of the present application.
  • FIG. 12 is a schematic structural diagram of a communication device provided by an embodiment of the present application.
  • FIG. 14 is a schematic structural diagram of another communication apparatus provided by an embodiment of the present application.
  • At least one (item) means one or more
  • plural means two or more
  • at least two (items) means two or more
  • “and/or” describes the relationship between associated objects and indicates that three relationships are possible; for example, “A and/or B” can mean: only A exists, only B exists, or both A and B exist, where A and B may be singular or plural.
  • the character “/” generally indicates that the associated objects are in an “or” relationship.
  • “at least one of the following items” or similar expressions refer to any combination of these items, including any combination of a single item or of plural items.
  • the CSCF network element is responsible for the signaling control in the process of handling multimedia call sessions in the IMS.
  • the CSCF network element is mainly responsible for the control of functions such as registration authentication, session control, routing management, network management and charging related to user services.
  • the network elements of CSCF include: proxy call session control function (Proxy CSCF, P-CSCF), query call session control function (Interrogating CSCF, I-CSCF), serving call session control function (Serving CSCF, S-CSCF).
  • the I-CSCF network element is the entry point of the IMS network
  • the main functions include: in the registration process, the I-CSCF allocates an S-CSCF to the user according to the information obtained from the HSS, and forwards the registration request to the S-CSCF.
  • the I-CSCF queries the HSS, obtains the address of the S-CSCF from the HSS, and forwards the SIP request or response to the S-CSCF according to the S-CSCF address obtained from the HSS.
  • the S-CSCF network element occupies the central position in IMS session control. Its main functions include: during registration, accepting the registration request forwarded by the P-CSCF, interacting with the home subscriber server (HSS) to complete user authentication and authorization, and updating the user's registration status on the HSS; after registration and authentication succeed, downloading user-related information from the HSS, providing service-related information to the terminal device and controlling the terminal device's sessions; and obtaining the address of the I-CSCF and forwarding SIP requests or responses to the I-CSCF.
  • the main functions of the HSS include: (1) storing user information and service information (including user identification, identity and addressing information, user security information, user location information and user subscription information, where the identity may be a phone number); (2) interacting with the I-CSCF to complete the assignment of the S-CSCF and obtain information about the serving P-CSCF; (3) generating authentication vector information, interacting with the S-CSCF to complete user authentication, and obtaining the user; (4) interacting with the application server (AS), responding to service information queries from the AS, accepting notifications of AS customized data changes, and synchronizing the service data to the HSS.
  • IMPI: IP multimedia private identity
  • IMPU: IP multimedia public identity
  • IMPI and IMPU are Uniform Resource Identifiers (URIs); they can be numeric, such as a telephone-number URI (for example, 15551234567), or character strings, such as a SIP URI (for example, John.doe@example.com).
  • the identity identifier may be a phone number, user name, etc.
  • after receiving the registration request, the P-CSCF saves the user ID and other necessary information, obtains the I-CSCF address, forms a new registration request carrying the user ID, and sends it to the queried I-CSCF address;
  • after receiving the registration request, the S-CSCF checks whether this is the user's initial registration and, if so, sends a user authentication request to the HSS;
  • the HSS calculates the authentication vector for user authentication, and sends a user authentication response carrying the authentication vector to the S-CSCF.
  • the S-CSCF receives the authentication vector of the HSS and sends the unauthorized information to the UE through the I-CSCF and the P-CSCF.
  • the unauthorized information can be 401 Unauthorized, and the unauthorized information includes the authentication vector.
  • the UE generates an authentication response according to the authentication vector, and generates a new registration request to send the authentication response to the P-CSCF;
  • the HSS updates the user registration information and saves the S-CSCF domain name information, and returns the IFC rules to the S-CSCF through the server allocation response (which can be Diameter SAA).
  • a session can be established after completing the initial registration and authentication of the identities as described above.
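The challenge-response registration just described, written out as an added Python sketch (this is example code, not part of the patent): the HSS computes the authentication vector from the subscriber's long-term key K, the S-CSCF forwards only RAND and AUTN in the 401 Unauthorized, the UE checks the network's MAC and the sequence number before answering with RES, and the S-CSCF compares RES against the XRES it received from the HSS. HMAC-SHA256 with per-function labels stands in for the Milenage f1 to f5 functions, the AMF field and the CK/IK handling between S-CSCF and P-CSCF are left out, and all keys and sequence numbers are constructed values.

```python
import hashlib
import hmac
import secrets


# Stand-in for the Milenage functions f1..f5: HMAC-SHA256 with a per-function label. This is an
# assumption for the example; it keeps the shape of the exchange without implementing the real algorithm.
def _f(key: bytes, label: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()


def hss_authentication_vector(k: bytes, sqn: bytes) -> dict:
    """HSS side: compute the vector (RAND, XRES, CK, IK, AUTN) from the long-term key K and the
    current 48-bit sequence number SQN. K itself never leaves the HSS."""
    rand = secrets.token_bytes(16)
    ak = _f(k, b"f5", rand)[:6]                         # anonymity key hides SQN on the wire
    mac = _f(k, b"f1", rand, sqn)[:8]                   # proves the challenge came from the home network
    autn = bytes(a ^ b for a, b in zip(sqn, ak)) + mac  # AUTN = (SQN xor AK) || MAC  (AMF omitted)
    return {"rand": rand, "xres": _f(k, b"f2", rand)[:8],
            "ck": _f(k, b"f3", rand)[:16], "ik": _f(k, b"f4", rand)[:16], "autn": autn}


def scscf_challenge(av: dict) -> dict:
    """S-CSCF side: the 401 Unauthorized carries only RAND and AUTN; XRES stays in the network."""
    return {"status": 401, "rand": av["rand"], "autn": av["autn"]}


def ue_response(k: bytes, challenge: dict, highest_sqn_seen: int) -> dict:
    """UE side: authenticate the network (MAC), reject replays (SQN), then answer with RES."""
    rand, autn = challenge["rand"], challenge["autn"]
    ak = _f(k, b"f5", rand)[:6]
    sqn = bytes(a ^ b for a, b in zip(autn[:6], ak))
    if not hmac.compare_digest(autn[6:], _f(k, b"f1", rand, sqn)[:8]):
        raise ValueError("MAC failure: challenge was not produced with this subscriber's key")
    sqn_int = int.from_bytes(sqn, "big")
    if sqn_int <= highest_sqn_seen:
        raise ValueError("synchronisation failure: sequence number already used")
    return {"res": _f(k, b"f2", rand)[:8], "sqn": sqn_int}


def scscf_verify(av: dict, res: bytes) -> bool:
    """S-CSCF side: compare the UE's RES with the XRES received from the HSS."""
    return hmac.compare_digest(av["xres"], res)


def register(k_ue: bytes, k_hss: bytes, sqn: int, highest_sqn_seen: int) -> bool:
    """One registration round: HSS vector -> 401 challenge -> UE response -> S-CSCF check.
    k_ue and k_hss are passed separately so a key mismatch can be demonstrated."""
    av = hss_authentication_vector(k_hss, sqn.to_bytes(6, "big"))
    reply = ue_response(k_ue, scscf_challenge(av), highest_sqn_seen)
    return scscf_verify(av, reply["res"])


if __name__ == "__main__":
    K = bytes(range(16))  # constructed long-term key shared by the UE and the HSS
    print("registration accepted:", register(K, K, sqn=7, highest_sqn_seen=6))
```

The two failure paths are the ones worth keeping in mind: a challenge built with a different key fails the MAC check, and a re-sent authentication vector fails the SQN check, so a 401 captured on the wire cannot be replayed to the UE.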
  • the UE1 sends a session request to the S-CSCF1 through the P-CSCF1, wherein the session request carries the information of the first identity and the second identity.
  • after receiving the session request, S-CSCF1 sends a domain name resolution request to DNS and/or ENUM to obtain the IP address of I-CSCF2;
  • the I-CSCF2 receives the session request, and requests the HSS2 to send the IP address of the S-CSCF2 bound to the UE2, and the session request carries the information of the first identity and the second identity;
  • the I-CSCF2 obtains the IP address of the S-CSCF2 according to the domain name information of the S-CSCF2 returned by the HSS2, and sends a session request to the S-CSCF2, where the session request carries the information of the first identity and the second identity;
  • S-CSCF2 forwards the session request to UE2 through P-CSCF2, and the session request carries the first identity and second identity information;
  • FIG. 3 is a schematic diagram of a communication system architecture provided by an embodiment of the present application.
  • the communication system may include a first terminal device 301, a second terminal device 305, a first subscription server 304 corresponding to the first terminal device 301, a second subscription server 303 corresponding to the second terminal device 305, and a first server 302 in the network where the second terminal device 305 is located.
  • the number and form of devices shown in FIG. 3 are used as examples and do not constitute a limitation to the embodiments of the present application. For example, an actual application may include two or more first terminal devices and the like.
  • the first terminal device 301 and the first subscription server 304 are network devices in the calling home domain, and the first server 302, the second subscription server 303 and the second terminal device 305 are network devices in the called home domain.
  • the first subscription server 304 receives the service request initiated by the first terminal device 301 and addresses the second subscription server 303 through the first server 302; through the second subscription server 303, the first terminal device 301 and the second terminal device 305 establish a connection.
  • the subscription server involved in the embodiment of the present application is a home subscriber server (Home subscriber server, HSS).
  • the first subscription server 304 may be referred to as HSS1 for short
  • the second subscription server 303 may be referred to as HSS2 for short.
  • the first server may be the interrogating call session control function (I-CSCF) network element of the network where the second terminal device is located (the called home domain), referred to as I-CSCF2 for short; alternatively, the first server may be the Diameter routing agent (DRA) of the network where the second terminal device is located, referred to as DRA2 for short.
  • the first terminal device 301 sends first identification information to the first server 302, where the first identification information includes a third identification of the first terminal device and a fourth identification of the second terminal device, the third identification being obtained by encrypting the first identification and the fourth identification being obtained by encrypting the second identification, or the first identification information includes one of the first identification and the second identification, together with a fifth identification obtained by encrypting the other of the two; after the first server 302 obtains the first identification information from the first terminal device 301, it determines the second subscription server 303 and sends the first identification information to it; the second subscription server 303 receives the first identification information from the first server 302 and sends a first request, carrying the first identification information, to the first subscription server 304; after receiving the first request from the second subscription server, the first subscription server 304 sends a first response carrying the first identity and/or the second identity to the second subscription server; the second subscription
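The plaintext session flow above (both identities visible at every hop) against the encrypted flow of this embodiment, as an added end-to-end Python example that is not code from the patent. It uses the routing idea of the second aspect: the country code and national destination code stay in the clear so that I-CSCF2 can select HSS2 and HSS2 can select HSS1, while only the subscriber number is encrypted. Everything not in the text is an assumption: the numbering plan and HSS routing tables, an HMAC-SHA256 encrypt-then-MAC construction standing in for the unspecified cipher, HMAC as the function that derives the UE2 key from its long-term key and the random number, and that the random number travels alongside the second identification information so UE2 can rederive that key.

```python
import hashlib
import hmac
import secrets

# Constructed numbering plan: country code -> length of the national destination code (NDC).
NDC_LEN = {"86": 3, "1": 3}


def split_number(number: str) -> tuple[str, str, str]:
    """Split an E.164 digit string into (country code, NDC, subscriber number)."""
    for cc_len in (1, 2, 3):
        cc = number[:cc_len]
        if cc in NDC_LEN:
            end = cc_len + NDC_LEN[cc]
            return cc, number[cc_len:end], number[end:]
    raise ValueError("unknown country code")


# Illustrative symmetric cipher (HMAC-SHA256 keystream, encrypt-then-MAC). It stands in for the
# cipher the patent leaves unspecified; a deployment would use a standard AEAD such as AES-GCM.
def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("encrypted identity failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))


def hide(number: str, key: bytes) -> dict:
    """Encrypted identity: CC and NDC stay in the clear so the network can pick the
    subscription server; only the subscriber number is encrypted."""
    cc, ndc, sn = split_number(number)
    return {"cc": cc, "ndc": ndc, "enc_sn": encrypt(key, sn.encode()).hex()}


def reveal(ident: dict, key: bytes) -> str:
    return ident["cc"] + ident["ndc"] + decrypt(key, bytes.fromhex(ident["enc_sn"])).decode()


def derive_call_key(long_term_key: bytes, rand: bytes) -> bytes:
    """Key for the sixth/seventh identities, generated from UE2's long-term key and a random
    number. HMAC as the KDF is an assumption; the patent does not fix the function."""
    return hmac.new(long_term_key, b"identity-encryption" + rand, hashlib.sha256).digest()


# Constructed subscription data: K_UE1_HSS1 plays the first/second key shared by UE1 and HSS1,
# K_UE2_LT is UE2's long-term key known to HSS2, and the table maps clear routing parameters to an HSS.
UE1_NUMBER, UE2_NUMBER = "8613912345678", "8613887654321"
K_UE1_HSS1 = secrets.token_bytes(32)
K_UE2_LT = secrets.token_bytes(32)
HSS_BY_ROUTE = {("86", "139"): "HSS1", ("86", "138"): "HSS2"}


def run_call_flow() -> dict:
    """Run steps S401-S410 and record what each hop sees."""
    seen = {}
    # S401-S402: UE1 encrypts its own number (third identity) and UE2's number (fourth identity)
    # under the key it shares with HSS1, then sends the pair over the air interface.
    first_info = {"caller": hide(UE1_NUMBER, K_UE1_HSS1), "callee": hide(UE2_NUMBER, K_UE1_HSS1)}
    seen["air_interface"] = first_info
    # S403-S404: I-CSCF2 cannot read either number but selects HSS2 from the callee's clear parameters.
    callee = first_info["callee"]
    seen["hss_selected"] = HSS_BY_ROUTE[(callee["cc"], callee["ndc"])]
    # S405-S406: HSS2 locates HSS1 from the caller's clear parameters and asks it to decrypt
    # (first request / first response); HSS1 is the only core node holding K_UE1_HSS1.
    caller = first_info["caller"]
    seen["hss1_selected"] = HSS_BY_ROUTE[(caller["cc"], caller["ndc"])]
    plain_caller = reveal(caller, K_UE1_HSS1)
    plain_callee = reveal(callee, K_UE1_HSS1)
    # S407-S408: HSS2 re-encrypts both numbers under a key derived from UE2's long-term key and a
    # fresh random number, and returns them with that random number (sixth/seventh identities).
    rand = secrets.token_bytes(16)
    k_call = derive_call_key(K_UE2_LT, rand)
    second_info = {"rand": rand.hex(), "caller": hide(plain_caller, k_call), "callee": hide(plain_callee, k_call)}
    seen["core_network"] = second_info
    # S409-S410: I-CSCF2 forwards; UE2 derives the same key and recovers both numbers.
    k_ue2 = derive_call_key(K_UE2_LT, bytes.fromhex(second_info["rand"]))
    seen["ue2_caller"] = reveal(second_info["caller"], k_ue2)
    seen["ue2_callee"] = reveal(second_info["callee"], k_ue2)
    return seen


if __name__ == "__main__":
    result = run_call_flow()
    print("on the air interface:", result["air_interface"])
    print("UE2 learned caller:", result["ue2_caller"])
```

Two properties fall out of the structure: I-CSCF2 and the DRA path only ever handle the clear CC/NDC plus ciphertext, so a node on the route learns which operator the callee belongs to but not the subscriber number; and the second-leg key is fresh per call because it binds the random number, so the ciphertext UE2 receives cannot be correlated with the ciphertext UE1 sent.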
  • the technologies described in the embodiments of this application can be used in various communication systems, such as a fourth-generation (4th generation, 4G) communication system, a 4.5G communication system, a 5G communication system, a system that integrates multiple communication systems, or a communication system that evolves in the future.
  • FIG. 4 is a schematic flowchart of an information sending method provided by an embodiment of the present application.
  • the execution subject of steps S401-402 is the first terminal device, or a chip in the first terminal device.
  • the execution subject of steps S403 to S404 and step S409 is the first server, or a chip in the first server.
  • the execution subject of step S405 and step S407 to step S408 is the second subscription server, or a chip in the second subscription server.
  • the execution body of step S406 is the first subscription server, or a chip of the first subscription server.
  • the execution body of step S410 is the second terminal device, or a chip of the second terminal device.
  • the first terminal device is referred to as UE1
  • the first server is referred to as I-CSCF2 in the called home domain
  • the second subscription server is HSS2
  • the first subscription server is HSS1
  • the second terminal device is referred to as UE2, as an example.
  • the method may include but is not limited to the following steps:
  • the first identification information includes the third identification of UE1 and the fourth identification of UE2 (or one of the first identification and the second identification, and the fifth identification).
  • the identity identifier is used to identify the terminal device, and may be a service identity such as the telephone number used for network voice and video calls.
  • the telephone number may be composed of a country code (Country code, CC), a national destination code (National destination code, NDC) and a subscriber number (Subscriber number, SN), for example 86 (China country code)+139 (national destination code)+1234 (subscriber number).
  • UE1 is the calling device in the calling home domain
  • UE2 is the called device in the called home domain.
  • UE1 has a first identity
  • UE2 has a second identity
  • the third identification is an identification obtained by encrypting the first identification
  • the fourth identification is an identification obtained by encrypting the second identification
  • the first identification information includes one of the first identification and the second identification
  • a fifth identity that is obtained by encrypting the other of the first identity and the second identity.
  • the UE1 determines the first identification information according to the first identification and/or the second identification.
  • At least one of the first key, the second key and the third key is the shared key k1 of the first subscription server and the first terminal device; the shared key may be the long-term key K, or a key derived from the long-term key K and other parameters, such as a key generated with a random number.
  • symmetric encryption is performed on the second identity CC2+NDC2+SN2 of the second terminal device according to the shared key k1, and the obtained fourth identity is CC2+NDC2+routing indicator (RI)+ciphertext (the ciphertext of SN2 with the routing indicator removed).
  • At least one of the first key, the second key and the third key is a key generated by the first signing server and the first terminal device according to the target algorithm.
  • the key generated by the target algorithm may be a random number generated according to a private algorithm of the first terminal device or the first subscription server.
  • the UE1 generates the first identification information according to the third identification and the fourth identification (or one of the first identification and the second identification, and the fifth identification); the first identification information includes the third identification of UE1 and the fourth identification of UE2 (or one of the first identification and the second identification, and the fifth identification).
  • the UE1 determines the first identification information, which may be implemented in one of the following ways:
  • the third identity may be an identity obtained by HSS1 encrypting the first identity with the first key, or an identity obtained by UE1 encrypting the first identity with the first key.
  • the fourth identity is an identity obtained by UE1 encrypting the second identity with the second key.
  • Manner 2: the first identification information generated by the UE1 includes one of the first identification and the second identification, and a fifth identification obtained by encrypting the other of the first identification and the second identification.
  • the first identification information generated by the UE1 includes one of the first identification and the second identification
  • the HSS1 encrypts the other of the first identification and the second identification to obtain a fifth identification.
  • the first identification information includes any one of the following: a third identification and a fourth identification, or a fifth identification and a second identification, or a first identification and a fifth identification.
  • the third identity identifier may be an identity identifier obtained by HSS1 encrypting the first identity identifier with a first key
  • the fourth identity identifier is an identity identifier obtained by UE1 encrypting the second identity identifier with a second key.
  • the third identity is an identity obtained by UE1 encrypting the first identity with a first key
  • the fourth identity is an identity obtained by UE1 encrypting the second identity with a second key.
  • if the UE1 does not receive the third identity sent by the P-CSCF1, the UE1 encrypts the first identity according to the first key and encrypts the second identity according to the second key. For example, UE1 encrypts the first identity CC1+NDC1+SN1 according to the random number generated by the private algorithm.
  • the fifth identity may be an identity obtained by UE1 encrypting the other one of the first identity and the second identity using the third key, or an identity obtained by HSS1 encrypting the other one of the first identity and the second identity using the third key. That is, the UE1 or the HSS1 encrypts either one of the first identity and the second identity.
  • HSS1 receives the registration request, obtains the first identity according to the user identity, uses the first key to encrypt the first identity to obtain the third identity or fifth identity, and sends a registration response to S-CSCF1; the registration response carries the third identity of UE1 (or the fifth identity of UE1), and the registration response may be an SAA.
  • S-CSCF1 receives the registration response, saves the correspondence between UE1's third identity (or fifth identity), the user identity, the IP address of P-CSCF1 and the application server (AS) address list, and sends 200 OK information to P-CSCF1; the 200 OK information carries the correspondence between the third identity and the user identity.
  • S402 UE1 sends first identification information to the first server.
  • the first server can be the query call session control function I-CSCF2 of the network where the UE2 is located (the called home domain network), or a routing agent node (Diameter routing agent, DRA) of the network where the UE2 is located, for the convenience of description, abbreviated as DRA2.
  • the first server is I-CSCF2 as an example.
  • S-CSCF1 sends the fourth identity (or fifth identity) of UE2 to the telephone number mapping server ENUM; the ENUM server obtains the called home domain name according to CC2, NDC2 and RI in the fourth identity (or fifth identity) of UE2, obtains from the DNS server the IP address of the first server I-CSCF2 in the called home domain corresponding to the fourth identity (or fifth identity) of UE2, and returns the IP address of I-CSCF2 to S-CSCF1.
  • the S-CSCF1 sends a session request to the first server I-CSCF2 according to the IP address of the I-CSCF2, where the session request carries the first identification information.
  • HSS2 receives the first identification information from the first server, and sends a first request to HSS1.
  • HSS2 receives the first identification information from I-CSCF2, and sends a first request to the Interworking Function (IWF) or Diameter Edge Agent (DEA), where the first request carries the first identification information.
  • the IWF finds the address of HSS1 according to CC1, NDC1 and/or RI in the third identity (or fifth identity) of UE1, and sends a first request to HSS1.
  • the first request carries the first identification information, and the first request is used to request the first identification and/or the second identification. Specifically, if the first identification information carries a third identification (or a fifth identification) encrypted with the first identification, the first request is used to request the first identification. If the first identification information carries the fourth identification (or the fifth identification) encrypted with the second identification, the first request is used to request the second identification.
  • after receiving the first request from HSS2, HSS1 sends a first response to HSS2, where the first response carries the first identity and/or the second identity.
  • HSS1 receives the first request from HSS2 and generates a first response, where the first response carries the first identity and/or the second identity. If the first request carries the first identification information for requesting the first identification, the generated first response carries the first identification. If the first request carries the first identification information for requesting the second identification, the generated first response carries the second identification.
  • HSS1 uses the first key to decrypt the third identification to obtain the first identification CC1+NDC1+SN1, and uses the second key to decrypt the fourth identification to obtain the second identification CC2+NDC2+SN2.
  • the HSS1 generates the first identification information according to the first identification and the second identification.
  • HSS1 uses the third key to decrypt the fifth identification to obtain the other of the first identification and the second identification.
  • the HSS1 generates the first response according to the first identity or the second identity.
  • HSS2 receives the first response sent by HSS1, and encrypts the first identification and/or the second identification to obtain second identification information.
  • the second identification information includes the sixth identification of the first terminal device and the seventh identification of the second terminal device, where the sixth identification is an identification obtained by encrypting the first identification and the seventh identification is an identification obtained by encrypting the second identification; or the second identification information includes one of the first identity identifier and the second identity identifier, and an eighth identity identifier obtained by encrypting the other of the first identity identifier and the second identity identifier.
  • the sixth identification is an identification obtained by encrypting the first identification with a fourth key
  • the seventh identification is an identification obtained by encrypting the second identification with a fifth key
  • the eighth identification is an identification obtained by encrypting the other one of the first identification and the second identification using the sixth key.
  • At least one of the fourth key, the fifth key and the sixth key is the public key of the home network where the second subscription server is located, as obtained by UE2, or a key generated by further derivation from it with other parameters.
  • HSS2 sends the second identification information to the first server.
  • HSS2 obtains the IP address of S-CSCF2 according to the second identity of UE2, and sends the second identification information and the IP address of S-CSCF2 and/or the random number required for encryption to I-CSCF2 through the response information.
  • after receiving the second identification information from the HSS2, the first server sends the second identification information and/or the random number required for encryption to the UE2.
  • the I-CSCF2 receives the second identification information, and forwards the second identification information and/or the random number required for encryption to the S-CSCF2 according to the IP address of the S-CSCF2.
  • the S-CSCF2 obtains the IP address of the P-CSCF2 according to the correspondence between the seventh identity identifier (or the eighth identity identifier) of the UE2 and the P-CSCF2, and sends the second identification information and/or the random number required for encryption to P-CSCF2.
  • the P-CSCF2 obtains the IP address of the UE2 according to the correspondence between the seventh identity identifier (or the eighth identity identifier) of the UE2 and the UE2, and sends the second identifier information and/or the random number required for encryption to the UE2.
  • after receiving the second identification information from the first server, the UE2 decrypts the second identification information to obtain the first identification and/or the second identification.
  • UE2 uses the fourth key to decrypt the sixth identity to obtain the first identity, uses the seventh key to decrypt the seventh identity to obtain the second identity, or uses the sixth key to decrypt the eighth identity to obtain the other of the first identity and the second identity.
  • decrypting the seventh identification or the eighth identification of the second terminal device to obtain the second identification, and verifying according to the second identification whether the second terminal is the terminal device corresponding to the second identification information, improves the security of the transmission of the second identity identifier in the air interface and the core network.
  • the seventh key is the private key corresponding to the public key (i.e., the fifth key) of the UE2.
  • At least one of the fourth key and the sixth key is a shared key between UE2 and HSS2.
  • At least one of the fourth key and the sixth key is a key generated by a long-term key of UE2 and a random number.
  • UE2 uses the fourth key, the seventh key or the sixth key to decrypt the sixth identity identifier to obtain the first identity identifier CC1+NDC1+SN1, and decrypts the seventh identity identifier to obtain the second identity identifier CC2+NDC2+SN2.
  • using the encrypted first identification and/or second identification for transmission in the air interface and the core network avoids the risk of the first identity and/or the second identity being leaked in the air interface and the core network, thereby improving security.
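As an added worked example (not code from the patent or its applicant), the following Go program shows the shape of the fourth identity described above: a telephone-number identity CC+NDC+SN is encrypted under a key k1 derived from the long-term key K and a random number, the routing part CC+NDC+RI is left in plaintext so that ENUM, DNS and the IWF can still route on it, and HSS1 decrypts the ciphertext and rebuilds CC+NDC+SN. AES-256-GCM as the symmetric cipher, HMAC-SHA256 for deriving k1, the '+'-separated wire format and all sample values are assumptions of this example; the text names only the key roles and the CC/NDC/SN structure.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Identity is a telephone-number style identity split into CC, NDC and SN,
// following the CC+NDC+SN structure used in the text.
type Identity struct {
	CC, NDC, SN string
}

// DeriveK1 derives the shared key k1 from the long-term key K and a random
// number, one of the derivations the text allows. HMAC-SHA256 as the
// derivation function is an assumption; the text does not name one.
func DeriveK1(longTermK, random []byte) []byte {
	m := hmac.New(sha256.New, longTermK)
	m.Write([]byte("k1"))
	m.Write(random)
	return m.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt is the UE1 side. CC, NDC and the routing indicator RI stay in
// plaintext; only SN is encrypted. Assumptions: AES-256-GCM, '+' as the
// separator, and the plaintext prefix bound as associated data so that it
// cannot be altered without the tag check failing.
func Encrypt(k1 []byte, id Identity, ri string) (string, error) {
	gcm, err := newGCM(k1)
	if err != nil {
		return "", err
	}
	iv := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	prefix := id.CC + "+" + id.NDC + "+" + ri
	ct := gcm.Seal(nil, iv, []byte(id.SN), []byte(prefix))
	return prefix + "+" + hex.EncodeToString(append(iv, ct...)), nil
}

// RoutingPrefix returns the plaintext CC, NDC and RI without any key: this
// is all the routing nodes between the two home domains get to see.
func RoutingPrefix(encoded string) (cc, ndc, ri string, err error) {
	parts := strings.Split(encoded, "+")
	if len(parts) != 4 {
		return "", "", "", errors.New("malformed encrypted identity")
	}
	return parts[0], parts[1], parts[2], nil
}

// Decrypt is the HSS1 side: it recovers SN and rebuilds CC+NDC+SN. A wrong
// key, a modified ciphertext or a modified routing prefix all fail the tag.
func Decrypt(k1 []byte, encoded string) (Identity, string, error) {
	cc, ndc, ri, err := RoutingPrefix(encoded)
	if err != nil {
		return Identity{}, "", err
	}
	raw, err := hex.DecodeString(strings.Split(encoded, "+")[3])
	gcm, gerr := newGCM(k1)
	if err != nil || gerr != nil || len(raw) < gcm.NonceSize() {
		return Identity{}, "", errors.New("malformed encrypted identity or key")
	}
	iv, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	sn, err := gcm.Open(nil, iv, ct, []byte(cc+"+"+ndc+"+"+ri))
	if err != nil {
		return Identity{}, "", errors.New("tag check failed: wrong key or modified identity")
	}
	return Identity{CC: cc, NDC: ndc, SN: string(sn)}, ri, nil
}

func main() {
	// Constructed sample values: long-term key K, the random number shared
	// with HSS1, identity 86+139+12345678 and routing indicator 0001.
	k1 := DeriveK1([]byte("constructed-long-term-key-K"), []byte("random-0001"))
	enc, err := Encrypt(k1, Identity{CC: "86", NDC: "139", SN: "12345678"}, "0001")
	if err != nil {
		panic(err)
	}
	fmt.Println("fourth identity as sent:", enc)
	id, ri, err := Decrypt(k1, enc)
	fmt.Println("HSS1 recovers:", id, ri, err)
}
```

Because the plaintext routing prefix is bound as GCM associated data, a relay that rewrites CC, NDC or RI ends up with an identity that HSS1 rejects, and a wrong k1 (a different random number) fails the same tag check instead of yielding garbage SN digits.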
  • Manner 1: the UE encrypts the first user identifier by using the public key of the home domain network to obtain the second user identifier.
  • the network elements Domain Name System (DNS) server, routing agent node (Diameter routing agent, DRA) and home subscriber server (Home Subscriber Server, HSS) each configure the correspondence between the routing information and the IP addresses of the other network elements in the home domain network.
  • the UE uses the second user identity to perform the process of registering the identity, and the DNS, DRA and HSS address the corresponding network element based on the plaintext routing information in the second user identity.
  • the HSS decrypts the second user identifier, and acquires and saves the correspondence between the second user identifier and the first user identifier.
  • the user identity includes but is not limited to IP multimedia private identity (IP multimedia private Identity, IMPI) and IP multimedia public identity (IP multimedia public identity, IMPU), and the embodiment of this application takes the user identity as IMPI as an example.
  • IMPI is composed of Mobile Country Code (MCC), Mobile Network Code (MNC) and Routing Indicator (RI).
  • the UE newly generates an ephemeral (Eph) public/private key pair; from the terminal-side ephemeral private key (Eph PriK) and the network-side public key (public key of HN, HN PubK) it generates a one-time shared key (Eph shared Key) for encryption, and then derives from the Eph shared Key a one-time encryption key (Eph enc Key) and a one-time message authentication code key (Eph MAC Key).
  • the UE may also perform overall encryption of the IMPI.
  • the second user identifier IMPI* generated according to the key is Protection Scheme ID+HN PK ID+Scheme Output(Eph PubK, ciphertext value, MAC).
  • the MCC, MNC and RI in the second user identity are used as the routing information RouteInfo.
  • the UE sends a registration Register request to the P-CSCF, where the registration request carries the second user identifier IMPI*, or the second user identifier IMPI* and routing information RouteInfo.
  • after receiving the registration request, the P-CSCF sends a query request (DNS query) for the address of the I-CSCF to the DNS, and the query request carries the second user identifier IMPI*, or the second user identifier IMPI* and routing information RouteInfo.
  • the DNS obtains the I-CSCF address according to the MCC+MNC+RI included in the second user identity (or according to the routing information Route Info), and sends a query response to the P-CSCF, where the query response carries the I-CSCF address.
  • the I-CSCF receives the registration request Register, and sends a user authorization request (which may be a Diameter UAR) to the routing proxy node DRA.
  • the user authorization request carries IMPI*, or IMPI* and RouteInfo.
  • the DRA queries the corresponding relationship between the routing information and the HSS address (MCC+MNC+RI/RouteInfo, HSS address), and obtains the HSS address.
  • the DRA sends a user authorization request to the HSS, where the user authorization request carries the second user identifier IMPI*.
  • the HSS receives the IMPI*, the HSS decrypts the second user identifier IMPI* using the private key of the home network, obtains the first user identifier IMPI, queries and saves the correspondence between the first user identifier and the second user identifier (IMPI*, IMPI), and obtains the S-CSCF address.
  • the HSS uses the Eph PubK contained in the second user identity IMPI* and its own HN PriK to generate the Eph shared Key, and then derives the Eph dec Key and the Eph MAC Key from the Eph shared Key.
  • the HSS uses the Eph dec Key to decrypt the part other than the MCC, MNC and RI in the second user identity to generate IMPI.
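The UE-side construction of IMPI* (Protection Scheme ID+HN PK ID+Scheme Output(Eph PubK, ciphertext value, MAC)) and the HSS-side recovery of the Eph shared Key, the decryption key and the MAC key are shown end to end in the following Go program, added here as an example and not taken from the patent. X25519 for the ephemeral key agreement, a counter-mode SHA-256 KDF, AES-128-CTR, a 16-byte HMAC-SHA256 tag, one-byte scheme and HN PK ID fields, a '.' between MCC+MNC+RI and the hex-encoded Scheme Output, and the sample MCC/MNC/RI values are all assumptions of this example; the text specifies only the roles of these keys and fields.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Assumed layout of the Scheme Output that follows the plaintext routing
// information MCC+MNC+RI and a '.' separator: scheme id (1 byte), HN PK ID
// (1 byte), Eph PubK (32 bytes, X25519), ciphertext, MAC (16 bytes).
const schemeECIES, ephPubLen, macLen = 0x01, 32, 16

// HomeNetwork is the HSS side. HN PriK never leaves the HSS; HN PubK and
// its identifier HN PK ID are provisioned to the UE.
type HomeNetwork struct {
	PKID uint8
	Priv *ecdh.PrivateKey
}

func NewHomeNetwork(pkid uint8) (*HomeNetwork, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	return &HomeNetwork{PKID: pkid, Priv: priv}, nil
}

// kdf derives Eph enc Key (AES-128) and Eph MAC Key from Eph shared Key.
// Assumption: counter-mode SHA-256 with Eph PubK as shared info.
func kdf(shared, ephPub []byte) (encKey, macKey []byte) {
	var out []byte
	for ctr := uint32(1); len(out) < 48; ctr++ {
		var c [4]byte
		binary.BigEndian.PutUint32(c[:], ctr)
		h := sha256.New()
		h.Write(shared)
		h.Write(c[:])
		h.Write(ephPub)
		out = h.Sum(out)
	}
	return out[:16], out[16:48]
}
// aesCTR uses an all-zero counter block; safe only because encKey is
// one-time (a fresh ephemeral key pair is drawn for every IMPI*).
func aesCTR(key, data []byte) []byte {
	block, _ := aes.NewCipher(key) // key is always 16 bytes from kdf
	out := make([]byte, len(data))
	cipher.NewCTR(block, make([]byte, aes.BlockSize)).XORKeyStream(out, data)
	return out
}
func tag(macKey, ct []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(ct)
	return m.Sum(nil)[:macLen]
}

// Protect is the UE side: the non-routing part of IMPI is encrypted under
// a fresh ephemeral key; MCC+MNC+RI stay readable for DNS and the DRA.
func Protect(mcc, mnc, ri, rest string, hnPub *ecdh.PublicKey, pkid uint8) (string, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return "", err }
	shared, err := eph.ECDH(hnPub) // Eph shared Key
	if err != nil { return "", err }
	ephPub := eph.PublicKey().Bytes()
	encKey, macKey := kdf(shared, ephPub)
	ct := aesCTR(encKey, []byte(rest))
	out := append([]byte{schemeECIES, pkid}, ephPub...)
	out = append(append(out, ct...), tag(macKey, ct)...)
	return mcc + mnc + ri + "." + hex.EncodeToString(out), nil
}

// Deprotect is the HSS side: check scheme and HN PK ID, recompute Eph
// shared Key from Eph PubK and HN PriK, verify the MAC, then decrypt.
func (hn *HomeNetwork) Deprotect(impiStar string) (routeInfo, rest string, err error) {
	route, blob, ok := strings.Cut(impiStar, ".")
	raw, err := hex.DecodeString(blob)
	if !ok || err != nil || len(raw) < 2+ephPubLen+macLen {
		return "", "", errors.New("malformed IMPI*")
	}
	if raw[0] != schemeECIES || raw[1] != hn.PKID {
		return "", "", errors.New("unsupported scheme or unknown HN PK ID")
	}
	ephPubBytes := raw[2 : 2+ephPubLen]
	ct, mac := raw[2+ephPubLen:len(raw)-macLen], raw[len(raw)-macLen:]
	ephPub, err := ecdh.X25519().NewPublicKey(ephPubBytes)
	if err != nil { return "", "", err }
	shared, err := hn.Priv.ECDH(ephPub)
	if err != nil { return "", "", err }
	encKey, macKey := kdf(shared, ephPubBytes)
	if !hmac.Equal(mac, tag(macKey, ct)) { return "", "", errors.New("MAC check failed") }
	return route, string(aesCTR(encKey, ct)), nil
}

func main() {
	hn, _ := NewHomeNetwork(7)
	impiStar, _ := Protect("460", "00", "12", "user123456", hn.Priv.PublicKey(), 7) // constructed sample
	fmt.Println("IMPI*:", impiStar)
	fmt.Println(hn.Deprotect(impiStar))
}
```

The HSS verifies the MAC before decrypting and refuses an unknown HN PK ID, so a Scheme Output altered in transit, or one produced for a different home network's public key, is rejected without ever yielding an IMPI. Because each IMPI* carries a fresh ephemeral public key, two registrations of the same IMPI produce different IMPI* values, which is what keeps the identifier from being correlated across the air interface.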
  • the I-CSCF sends a registration request to the S-CSCF according to the received S-CSCF address, and the registration request carries IMPI*.
  • the S-CSCF sends a multimedia authentication request (which may be Diameter MAR) to the HSS, and the multimedia authentication request carries the second user identity.
  • the HSS receives the multimedia authentication request, queries and saves the correspondence between the first user identifier and the second user identifier (IMPI*, IMPI) according to IMPI*, obtains the first user identifier IMPI, and calculates the authentication vector for user authentication.
  • the HSS sends a multimedia authentication response (which may be Diameter MAA) to the S-CSCF, and the multimedia authentication response carries an authentication vector.
  • the S-CSCF sends unauthorized information (which may be 401 Unauthorized) to the I-CSCF, and the unauthorized information carries IMPI* (or IMPI* and routing information RouteInfo) and authentication vector.
  • the P-CSCF sends unauthorized information to the UE, and the unauthorized information carries IMPI* (or IMPI* and routing information RouteInfo) and an authentication vector.
  • the UE receives the unauthorized information, calculates the authentication vector according to the shared key and security algorithm between the UE and the HSS, and generates an authentication response; the UE sends a registration request to the P-CSCF, and the registration request carries IMPI* (or IMPI* and routing information RouteInfo) and the authentication response.
  • after receiving the registration request, the P-CSCF sends a query request for the address of the I-CSCF to the DNS.
  • the query request carries IMPI* (or IMPI* and routing information RouteInfo) and an authentication response.
  • the P-CSCF receives the query response returned by the DNS according to the routing information, and the query response carries the address of the I-CSCF; the P-CSCF sends a registration request to the I-CSCF, and the registration request carries IMPI* (or IMPI* and routing information RouteInfo) and the authentication response.
  • after receiving the IMPI, the HSS queries and saves the correspondence between the first user identifier and the second user identifier (IMPI*, IMPI), obtains the first user identifier IMPI, and obtains the S-CSCF address according to the IMPI.
  • the HSS sends a user authentication response (which may be Diameter UAA) to the I-CSCF through the DRA, and the user authentication response includes the S-CSCF address.
  • the I-CSCF sends a registration request to the S-CSCF according to the received S-CSCF address, and the registration request carries the second user identifier and the authentication response.
  • the S-CSCF verifies the authentication response and completes the registration and authentication of the UE.
  • the HSS queries the stored correspondence between the first user ID and the second user ID (IMPI*, IMPI) according to the server allocation request, obtains the first user ID, and obtains the user service registration information IFC rules according to the first user ID.
  • the IFC rules include an application server list (AS list), which is used to decide whether to trigger the application server AS.
  • the HSS sends a server allocation response (which may be Diameter SAA) to the S-CSCF, and the server allocation response carries the IFC rules (including the AS list).
  • the S-CSCF saves the correspondence between the second user identifier IMPI*, the P-CSCF address, and the IFC rules (including the AS list), and obtains the IFC rules (including the AS list).
  • the I-CSCF sends a 200 OK message to the P-CSCF.
  • the P-CSCF saves the correspondence between the second user identity, the UE address, the S-CSCF address, and the Internet Protocol security IPSec link; and sends a 200 OK message to the UE.
  • a session connection between the S-CSCF and the UE is established.
  • the S-CSCF sends a registration request Register to the AS according to the server list AS list in the saved IFC rules, and the registration request carries the second user identifier.
  • the AS sends a registration request to the HSS with the first user identifier IMPI, and the registration request carries the second user identifier IMPI*.
  • the HSS obtains the first user identifier IMPI according to the second user identifier IMPI* query (IMPI*, IMPI) carried in the registration request, and then returns the first user identifier to the AS.
  • the AS receives the first user identifier IMPI sent by the HSS, obtains the user data corresponding to the AS, and sends a 200 OK message to the S-CSCF, where the 200 OK message carries the user data. Thereby, the connection inside the network is established, and the authentication of the identity of the terminal device is completed.
  • after the S-CSCF verifies the authentication response and completes the registration authentication of the UE, the S-CSCF or the HSS generates a third user identifier T-IMPI corresponding to the first user identifier and the second user identifier.
  • the HSS stores the correspondence between the third user identifier and the first user identifier (T-IMPI, IMPI), which is used to deliver the T-IMPI to the UE during the information transmission process, and the UE receives and stores the T-IMPI. Specific steps are as follows:
  • the UE encrypts the first user identifier IMPI to generate the second user identifier IMPI*
  • the HSS decrypts the IMPI* to obtain the IMPI, and saves the correspondence between the first user identifier and the second user identifier (IMPI*, IMPI)
  • the HSS generates an authentication vector
  • for the steps in which the UE encrypts the IMPI to generate IMPI*, the HSS decrypts the IMPI* to obtain the IMPI and saves the correspondence (IMPI*, IMPI), the HSS generates the authentication vector, and the UE returns the authentication response, refer to the description of Manner 1 above, which is not repeated here.
  • the S-CSCF verifies the authentication response, and after completing the registration and authentication of the UE, the S-CSCF generates a third user identity T-IMPI, or the HSS generates a third user identity T-IMPI.
  • the specific steps are 1, 2:
  • the S-CSCF verifies the authentication response, and after completing the registration and authentication of the UE, the S-CSCF generates a third user identity T-IMPI.
  • the S-CSCF stores the correspondence between the third user identifier T-IMPI and the second user identifier IMPI* (T-IMPI, IMPI*).
  • the S-CSCF sends a server allocation request to the HSS, and the server allocation request carries the third user identifier T-IMPI and the second user identifier IMPI*.
  • the HSS obtains the first user identity IMPI according to the correspondence (T-IMPI, IMPI*), saves the correspondence (T-IMPI, IMPI) between the third user identity T-IMPI and the first user identity IMPI, and obtains the user registration information (Initial Filter Criteria, IFC) rules according to the first user identity IMPI; the IFC rules include the application server list AS list.
  • the S-CSCF verifies the authentication response, and after completing the registration authentication for the UE, the S-CSCF sends a server allocation request to the HSS, and the server allocation request carries the second user identifier IMPI*.
  • the T-IMPI includes routing information such as MCC, MNC, and RI.
  • the T-IMPI may be generated based on the routing information RouteInfo and the encrypted part in the second user identifier IMPI*.
  • the T-IMPI may be generated based on the routing information RouteInfo in the second user identity IMPI* and a randomly generated character string.
  • the T-IMPI may also be generated by the HSS based on the routing information and the remainder in the first user identity IMPI; or the T-IMPI may be generated by the HSS based on the routing information in the first user identity IMPI and a randomly generated character string; or the T-IMPI may be generated in another way, which is not limited in the present invention.
  • the S-CSCF sends a 200 OK message to the I-CSCF, and the 200 OK message carries the T-IMPI.
  • the I-CSCF sends a 200 OK message to the P-CSCF, and the 200 OK message carries the T-IMPI.
  • the P-CSCF maintains the correspondence between the third user identity and/or the UE address and/or the S-CSCF address and/or the Internet Protocol security (IPSec) link (T-IMPI and/or UE IP and/or S-CSCF IP and/or IPSec link), and sends 200 OK information to the UE; optionally, the 200 OK information carries the third user identity T-IMPI.
  • a session connection between the S-CSCF and the UE is established.
  • after completing the registration and authentication of the UE, the S-CSCF or the HSS generates a third user identity corresponding to the first user identity or the second user identity, and issues the third user identity to the UE as a temporary user identity for subsequent registration by the UE using the third user identifier, which avoids the need to encrypt and decrypt the first user identifier or the second user identifier again in the subsequent registration process, thereby improving information sending efficiency.
  • Mode 3: as shown in Figure 11, when the UE registers for the first time, the HSS generates a third user identity T-IMPI, saves the correspondence between the third user identity T-IMPI and the first user identity IMPI (T-IMPI, IMPI), and sends the third user identity T-IMPI to the UE; the third user identity T-IMPI is used as the user identity in the subsequent UE registration process.
  • the specific method is as follows:
  • the UE sends a registration request to the P-CSCF, where the registration request carries the third user identity T-IMPI.
  • after receiving the registration request, the P-CSCF sends a query request for the address of the I-CSCF to the DNS.
  • the query request carries the third user identifier; the P-CSCF receives the query response returned by the DNS, which carries the address of the I-CSCF, and sends the registration request to the I-CSCF.
  • the I-CSCF receives the registration request, and sends a user authorization request to the DRA, carrying the third user identifier T-IMPI.
  • the DRA obtains the HSS address according to the routing information of the third user identifier in the user authorization request, and sends the user authorization request to the HSS, carrying the T-IMPI.
  • the HSS sends a user authentication response to the I-CSCF through the DRA, and the user authentication response carries the S-CSCF address.
  • The HSS receives the multimedia authentication request from the S-CSCF, looks up the saved correspondence between the third user identifier and the first user identifier (T-IMPI, IMPI) according to the T-IMPI, obtains the first user identifier IMPI, and calculates the authentication vector for authenticating the user according to the IMPI.
  • The unauthorized message (the authentication challenge) carrying the T-IMPI and the authentication vector is sent to the UE through the intermediate network elements.
  • The UE calculates the authentication vector according to the key and security algorithm shared between the UE and the HSS, generates an authentication response, and sends a user authorization request to the HSS through the I-CSCF; the user authorization request carries the T-IMPI.
  • the HSS receives the user authorization request, obtains the first user identifier IMPI according to the correspondence between the third user identifier T-IMPI and the first user identifier IMPI (T-IMPI, IMPI), and obtains the S-CSCF address according to the IMPI.
  • the HSS sends a user authentication response to the I-CSCF through the DRA, and the user authentication response carries the S-CSCF address.
  • the I-CSCF sends a registration request to the S-CSCF according to the received S-CSCF address, and the registration request carries the T-IMPI and the authentication response.
  • After authenticating the UE, the S-CSCF sends a server allocation request to the HSS; the server allocation request carries the T-IMPI.
  • the HSS sends the server allocation response Diameter SAA to the S-CSCF, and the server allocation response Diameter SAA includes the IFC rules (including the AS list).
  • the S-CSCF saves the correspondence between the third user identity, the P-CSCF address, and the IFC rules (including the AS list), and obtains the IFC rules (including the AS list).
  • the I-CSCF sends a 200 OK message to the P-CSCF.
  • the P-CSCF sends a 200 OK message to the UE, thereby establishing a session connection between the S-CSCF and the UE.
  • the S-CSCF sends a registration request to the AS according to the server list AS list in the saved IFC rules, and the registration request carries the T-IMPI.
  • the AS requests the HSS for the first user identity.
  • the HSS queries the correspondence between the third user identifier and the first user identifier (T-IMPI, IMPI) according to the T-IMPI included in the request, obtains the first user identifier, and then returns the first user identifier to the AS.
  • Because the third user identifier is used as the user identifier, and the HSS obtains the first user identifier from the correspondence between the third user identifier and the first user identifier, the process of encrypting and decrypting the first user identifier is avoided, which improves information sending efficiency.
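The Mode 3 registration condensed to the HSS and UE roles, as an added Python illustration that is not part of the patent: the HSS keeps the (T-IMPI, IMPI) table and computes the authentication vector only after resolving the T-IMPI, so the permanent identity never appears in later registrations. The T-IMPI format, HMAC-SHA256 standing in for the real authentication algorithm, and the omission of the first registration's own identity protection are assumptions of this sketch.

```python
"""Temporary user identity (T-IMPI) registration, as in Mode 3 above.

Added illustration, not the patent's code.  The T-IMPI is random, so it
reveals nothing about the IMPI, and only the HSS holds the (T-IMPI, IMPI)
table.  Assumed: the T-IMPI format, and HMAC-SHA256 in place of the real
authentication algorithm run over the shared key.
"""
import hashlib
import hmac
import secrets


def auth_response(shared_key, rand):
    """RES/XRES from the key shared by UE and HSS (stand-in for the real algorithm)."""
    return hmac.new(shared_key, rand, hashlib.sha256).digest()[:16]


class HSS:
    """Holds each IMPI's shared key and the (T-IMPI, IMPI) correspondence."""

    def __init__(self):
        self.shared_keys = {}        # IMPI -> key shared with that UE
        self.t_impi_to_impi = {}     # third user identity -> first user identity

    def provision(self, impi, shared_key):
        self.shared_keys[impi] = shared_key

    def first_registration(self, impi):
        """Generate a T-IMPI, save (T-IMPI, IMPI), return it for delivery to the UE."""
        if impi not in self.shared_keys:
            return None
        realm = impi.partition("@")[2]
        t_impi = f"t-{secrets.token_hex(16)}@{realm}"   # random: unlinkable to the IMPI
        self.t_impi_to_impi[t_impi] = impi
        return t_impi

    def resolve(self, t_impi):
        """First user identifier for a third user identifier, or None if unknown."""
        return self.t_impi_to_impi.get(t_impi)

    def multimedia_auth_request(self, identity):
        """MAR from the S-CSCF: accept an IMPI (first registration) or a T-IMPI,
        map it to the IMPI and compute the authentication vector from that key."""
        impi = identity if identity in self.shared_keys else self.resolve(identity)
        if impi is None:
            return None
        rand = secrets.token_bytes(16)
        return {"rand": rand, "xres": auth_response(self.shared_keys[impi], rand)}


class UE:
    def __init__(self, impi, shared_key):
        self.impi, self.shared_key, self.t_impi = impi, shared_key, None

    def answer_challenge(self, rand):
        return auth_response(self.shared_key, rand)


def register(hss, ue):
    """One registration: the IMPI is sent only the first time; afterwards only the
    T-IMPI travels.  The S-CSCF-side check is the RES/XRES comparison."""
    identity = ue.t_impi or ue.impi
    av = hss.multimedia_auth_request(identity)       # HSS: (T-)IMPI -> IMPI -> AV
    if av is None:
        return False                                 # unknown identity: reject
    ok = hmac.compare_digest(ue.answer_challenge(av["rand"]), av["xres"])
    if ok and ue.t_impi is None:
        ue.t_impi = hss.first_registration(ue.impi)  # issued after authentication
    return ok
```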
  • the communication apparatus shown in FIG. 12 may be used to execute part or all of the functions of the second subscription server in the method embodiments described in the foregoing FIG. 4 to FIG. 11 .
  • the communication device may also be a chip system.
  • the communication apparatus shown in FIG. 12 may include a communication unit 1201 and a processing unit 1202 .
  • the communication unit 1201 is used to implement the sending and receiving operations of the second subscription server in the above information sending method of this application; the processing unit 1202 is used to implement the data processing function of the second subscription server in the above information sending method of this application.
  • the communication apparatus shown in FIG. 12 may be used to execute part or all of the functions of the first subscription server in the method embodiments described in the foregoing FIG. 4 to FIG. 11 .
  • the communication device may also be a chip system.
  • the communication apparatus shown in FIG. 12 may include a communication unit 1201 and a processing unit 1202.
  • the communication unit 1201 is used to implement the sending and receiving operations of the first subscription server in the above information sending method of this application;
  • the processing unit 1202 is used to implement the data processing function of the first subscription server in the above information sending method of this application.
  • the communication apparatus shown in FIG. 12 may be used to execute part or all of the functions of the first server in the method embodiments described in the foregoing FIG. 4 to FIG. 11 .
  • the communication device may also be a chip system.
  • the communication apparatus shown in FIG. 12 may include a communication unit 1201 and a processing unit 1202 .
  • the communication unit 1201 is used to implement the sending and receiving operation of the first server in the above information sending method of the present application;
  • the processing unit 1202 is used to implement the data processing function of the first server in the above information sending method of the present application.
  • the communication apparatus shown in FIG. 12 may be used to execute part or all of the functions of the first terminal device in the method embodiments described in the foregoing FIG. 4 to FIG. 11 .
  • the communication device may also be a chip system.
  • the communication apparatus shown in FIG. 12 may include a communication unit 1201 and a processing unit 1202 .
  • the communication unit 1201 is used to implement the sending and receiving operation of the first terminal device in the above information sending method of the present application; the processing unit 1202 is used to implement the data processing function of the first terminal device in the above information sending method of the present application.
  • The apparatus 1300 may further include a communication interface 1301 for implementing the sending and receiving operations of the second subscription server in the above information sending method of the present application; or of the first server; or of the first subscription server; or of the first terminal device; or of the second terminal device in the above information sending method of the present application.
  • the apparatus 1300 may also include at least one memory 1303 for storing program instructions and/or data.
  • Memory 1303 and processor 1302 are coupled.
  • the coupling in the embodiments of the present application is an indirect coupling or communication connection between devices, units or modules, which may be in electrical, mechanical or other forms, and is used for information exchange between devices, units or modules.
  • the processor 1302 may cooperate with the memory 1303 .
  • the processor 1302 may execute program instructions stored in the memory 1303 . At least one of the at least one memory may be included in the processor.
  • the communication interface 1301 may output or receive baseband signals.
  • the output or reception of the communication interface 1301 may be a radio frequency signal.
  • the processor may be a general-purpose processor, a digital signal processor, an application-specific integrated circuit, a field programmable gate array or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, which can implement or
  • a general purpose processor may be a microprocessor or any conventional processor or the like.
  • the steps of the methods disclosed in conjunction with the embodiments of the present application may be directly embodied as executed by a hardware processor, or executed by a combination of hardware and software modules in the processor.
  • FIG. 14 only shows the main components of the communication device 1400 .
  • the communication device 1400 includes a processor, a memory, a radio frequency circuit, an antenna, and an input and output device.
  • the processor is mainly used to process the communication protocol and communication data, control the entire communication device 1400, execute software programs, and process data of the software programs, for example, to support the communication device 1400 to execute the flow described in FIG. 4-FIG. 11 .
  • the memory is mainly used to store software programs and data.
  • the radio frequency circuit is mainly used for the conversion of the baseband signal and the radio frequency signal and the processing of the radio frequency signal.
  • Antennas are mainly used to send and receive radio frequency signals in the form of electromagnetic waves.
  • the communication device 1400 may also include an input and output device, such as a touch screen, a display screen, a keyboard, etc., which are mainly used for receiving data input by the user and outputting data to the user. It should be noted that some types of communication devices 1400 may not have an input/output device.
  • FIG. 14 only shows one memory and one processor.
  • the memory may also be referred to as a storage medium or a storage device, etc., which is not limited in this embodiment of the present application.
  • the processor may include a baseband processor and a central processing unit (CPU).
  • The baseband processor is mainly used to process communication protocols and communication data, and the CPU is mainly used to control the entire communication apparatus 1400, execute software programs, and process data of the software programs.
  • the processor may also be a network processor (NP) or a combination of CPU and NP.
  • the processor may further include a hardware chip.
  • The above-mentioned hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination thereof.
  • The above PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL) or any combination thereof.
  • The memory may include volatile memory, such as random-access memory (RAM); the memory may also include non-volatile memory, such as flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); the memory may also include a combination of the above-mentioned types of memory.
  • An antenna and a radio frequency circuit with a transceiver function can be regarded as the communication unit 1401 of the communication device 1400, and a processor with a processing function can be regarded as the processing unit 1402 of the communication device 1400.
  • the communication unit 1401 may be configured to perform the transceiving operations of the communication apparatus 1400 in the above method embodiments.
  • the processing unit 1402 may be configured to perform data processing operations of the communication apparatus 1400 in the above method embodiments.
  • Embodiments of the present application further provide a computer-readable storage medium in which instructions are stored; when the instructions are executed on a processor, the method flow of the foregoing method embodiment is implemented.
  • The embodiment of the present application further provides a computer program product; when the computer program product runs on a processor, the method flow of the above method embodiment is implemented.

Abstract

The present application discloses an information sending method and apparatus. Said method comprises: a second subscription server receiving first identification information from a first server, the first identification information comprising a first identity identifier of a first terminal device and/or a second identity identifier of a second terminal device that are encrypted; the second subscription server sending a first request to a first subscription server, the first request carrying the first identification information; receiving the first identity identifier and/or the second identity identifier from the first subscription server; and obtaining second identification information according to the first identity identifier and/or the second identity identifier, and sending the second identification information to the first server. By encrypting the first identity identifier and/or the second identity identifier and transmitting the encrypted first identity identifier and/or second identity identifier in an air interface and a core network, the risk that the first identity identifier and/or the second identity identifier is leaked in the air interface and the core network can be reduced, thereby improving the security.

Description

Information sending method and apparatus
This application claims priority to Chinese patent application No. 202011262056.6, entitled "Information sending method and apparatus", filed with the China Patent Office on November 12, 2020, the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of communication technologies, and in particular to an information sending method and apparatus.
Background
With the development of communication technology, contact between users is increasingly frequent, the protection of user information is becoming an increasingly serious problem, and there is a risk of user information being leaked. For example, the telephone number is an important item of user information; while a user is making a call, the telephone number is easily leaked over the air interface and in the core network, as a result of which the user may receive harassing or even fraudulent calls. There is therefore a risk of information leakage while a user makes a call.
Summary
The present application provides an information sending method and apparatus, which can reduce the risk of information leakage and thereby improve security.
In a first aspect, the present application provides an information sending method. The method is applied to a communication system including a first terminal device and a second terminal device; the communication system further includes a first subscription server corresponding to the first terminal device and a second subscription server corresponding to the second terminal device. The first terminal device has a first identity identifier, the second terminal device has a second identity identifier, the first terminal device is the calling party of the communication, and the second terminal device is the called party of the communication. The method provided by the first aspect may be executed by the second subscription server, or by a chip configured in the second subscription server; this is not limited in this application.
The method includes: the second subscription server receives first identification information from the first server, where the first identification information includes a third identity identifier of the first terminal device and a fourth identity identifier of the second terminal device, the third identity identifier being an identity identifier obtained by encrypting the first identity identifier and the fourth identity identifier being an identity identifier obtained by encrypting the second identity identifier; or the first identification information includes one of the first identity identifier and the second identity identifier, together with a fifth identity identifier obtained by encrypting the other of the two. The second subscription server sends a first request to the first subscription server, the first request carrying the first identification information and being used to request the first identity identifier and/or the second identity identifier; receives a first response from the first subscription server, the first response carrying the first identity identifier and/or the second identity identifier; obtains second identification information according to the first identity identifier and/or the second identity identifier, where the second identification information includes a sixth identity identifier of the first terminal device and a seventh identity identifier of the second terminal device, the sixth identity identifier being obtained by encrypting the first identity identifier and the seventh identity identifier being obtained by encrypting the second identity identifier, or the second identification information includes one of the first identity identifier and the second identity identifier together with an eighth identity identifier obtained by encrypting the other of the two; and sends the second identification information to the first server.
It can be seen that by encrypting the first identity identifier of the first terminal device and/or the second identity identifier of the second terminal device, and transmitting the encrypted first identity identifier and/or second identity identifier over the air interface and in the core network, the risk of the first identity identifier and/or the second identity identifier being leaked over the air interface and in the core network is avoided, thereby improving security.
In a possible implementation, the sixth identity identifier is obtained by encrypting the first identity identifier with a fourth key, the seventh identity identifier is obtained by encrypting the second identity identifier with a fifth key, and the eighth identity identifier is obtained by encrypting the other of the first identity identifier and the second identity identifier with a sixth key. It can be seen that encrypting the first identity identifier of the first terminal device and/or the second identity identifier of the second terminal device with several encryption methods ensures the security of user privacy.
In a possible implementation, the fifth key is the public key of the second terminal device. It can be seen that, by encrypting the first identity identifier and/or the second identity identifier with the public key of the second terminal device, the network device that holds the private key corresponding to that public key can decrypt the seventh identity identifier to obtain the first identity identifier and/or the second identity identifier; this prevents the first identity identifier and/or the second identity identifier from being obtained by other network devices during routing, and ensures that the encrypted first identity identifier and/or second identity identifier can be correctly routed to the second terminal device.
In a possible implementation, the third identity identifier is obtained by encrypting the first identity identifier with a first key, the fourth identity identifier is obtained by encrypting the second identity identifier with a second key, and the fifth identity identifier is obtained by encrypting the other of the first identity identifier and the second identity identifier with a third key. It can be seen that encrypting the first identity identifier of the first terminal device and/or the second identity identifier of the second terminal device prevents the first identity identifier and/or the second identity identifier from being exposed over the air interface and in the core network, ensuring the security of user privacy.
In a possible implementation, the fourth identity identifier is obtained by the first terminal device encrypting the second identity identifier with the second key; the third identity identifier is obtained by the first terminal device encrypting the first identity identifier with the first key, or the third identity identifier is obtained by the first subscription server encrypting the first identity identifier with the first key. It can be seen that encrypting the first identity identifier and the second identity identifier at the same time protects the privacy of both the calling user's information and the called user's information.
In a possible implementation, the fifth identity identifier is obtained by the first terminal device encrypting the other of the first identity identifier and the second identity identifier with the third key, or the fifth identity identifier is obtained by the first subscription server encrypting the other of the first identity identifier and the second identity identifier with the third key. It can be seen that encrypting either one of the first identity identifier and the second identity identifier improves information sending efficiency while improving security.
In a possible implementation, at least one of the fourth key, the fifth key and the sixth key is a shared key between the second subscription server and the second terminal device; or at least one of the fourth key, the fifth key and the sixth key is a key generated from the long-term key of the second terminal device and a random number. It can be seen that, by encrypting the first identity identifier and/or the second identity identifier with the shared key between the second subscription server and the second terminal device, a network device that holds the shared key can decrypt the sixth, seventh or eighth identity identifier to obtain the first identity identifier and/or the second identity identifier; this prevents the first identity identifier and/or the second identity identifier from being obtained by other network devices during routing, and ensures that the encrypted first identity identifier and/or second identity identifier can be correctly routed to the second terminal device.
In a possible implementation, the first server is the interrogating call session control function (I-CSCF) of the network where the second terminal device is located, or a routing proxy node of that network. It can be seen that routing the encrypted first identity identifier and/or second identity identifier to the second terminal device through the first server improves routing correctness.
In a second aspect, the present application provides an information sending method. The method is applied to a communication system including a first terminal device and a second terminal device; the communication system further includes a second subscription server corresponding to the second terminal device. The first terminal device has a first identity identifier, the second terminal device has a second identity identifier, the first terminal device is the calling party of the communication, and the second terminal device is the called party of the communication. The method provided by the second aspect may be executed by the first subscription server, or by a chip configured in the first subscription server; this is not limited in this application.
The method includes: the first server obtains first identification information from the first terminal device, where the first identification information includes a third identity identifier of the first terminal device and a fourth identity identifier of the second terminal device, the third identity identifier being obtained by encrypting the first identity identifier and the fourth identity identifier being obtained by encrypting the second identity identifier, or the first identification information includes one of the first identity identifier and the second identity identifier together with a fifth identity identifier obtained by encrypting the other of the two; the first server determines the second subscription server according to at least one of the parameters in the fourth identity identifier of the second terminal device, the parameters including a country code and a national destination code, or a country code, a national destination code and a routing indicator; and the first server sends the first identification information to the second subscription server.
In a possible implementation, the first server receives second identification information from the second subscription server, where the second identification information includes a sixth identity identifier of the first terminal device and a seventh identity identifier of the second terminal device, the sixth identity identifier being obtained by encrypting the first identity identifier and the seventh identity identifier being obtained by encrypting the second identity identifier, or the second identification information includes one of the first identity identifier and the second identity identifier together with an eighth identity identifier obtained by encrypting the other of the two; and the first server sends the second identification information to the second terminal device.
The first server above determines the second subscription server according to the parameters in the fourth identity identifier. Another possible way is that, when the fifth identity identifier is obtained by encrypting the second identity identifier, the first server may determine the second subscription server according to at least one of the parameters in the fifth identity identifier. These parameters may likewise include a country code and a national destination code, or a country code, a national destination code and a routing indicator.
In a possible implementation, the third identity identifier is obtained by encrypting the first identity identifier with a first key, the fourth identity identifier is obtained by encrypting the second identity identifier with a second key, and the fifth identity identifier is obtained by encrypting the other of the first identity identifier and the second identity identifier with a third key.
In a possible implementation, the fourth identity identifier is obtained by the first terminal device encrypting the second identity identifier with the second key; the third identity identifier is obtained by the first terminal device encrypting the first identity identifier with the first key, or the third identity identifier is obtained by the first subscription server encrypting the first identity identifier with the first key.
In a possible implementation, the fifth identity identifier is obtained by the first terminal device encrypting the other of the first identity identifier and the second identity identifier with the third key, or the fifth identity identifier is obtained by the first subscription server encrypting the other of the first identity identifier and the second identity identifier with the third key.
In a possible implementation, at least one of the first key, the second key and the third key is a shared key between the first subscription server and the first terminal device; or at least one of the first key, the second key and the third key is a key generated by the first subscription server from the long-term key of the first terminal device and a random number; or at least one of the first key, the second key and the third key is a key generated by the first subscription server and the first terminal device according to a target algorithm.
In a possible implementation, the first server is the interrogating call session control function (I-CSCF) of the network where the second terminal device is located, or a routing proxy node of that network.
For the beneficial effects of the second aspect, refer to the beneficial effects of the first aspect.
In a third aspect, this application provides an information sending method applied to a communication system that includes a first terminal device and a second terminal device; the communication system further includes a first subscription server corresponding to the first terminal device and a second subscription server corresponding to the second terminal device; the first terminal device has a first identity, the second terminal device has a second identity, the first terminal device is the calling party of the communication and the second terminal device is the called party;
The method includes: the first subscription server receives a first request from the second subscription server, the first request requesting the first identity and/or the second identity and carrying first identification information; the first identification information includes a third identity of the first terminal device and a fourth identity of the second terminal device, where the third identity is obtained by encrypting the first identity and the fourth identity is obtained by encrypting the second identity, or the first identification information includes one of the first identity and the second identity together with a fifth identity obtained by encrypting the other of the two; the first subscription server sends a first response to the second subscription server, the first response carrying the first identity and/or the second identity.
In a possible implementation, the third identity is obtained by encrypting the first identity with a first key, the fourth identity is obtained by encrypting the second identity with a second key, and the fifth identity is obtained by encrypting the other of the first identity and the second identity with a third key.
In a possible implementation, the fourth identity is obtained by the first terminal device encrypting the second identity with the second key; the third identity is obtained by the first terminal device encrypting the first identity with the first key, or the third identity is obtained by the first subscription server encrypting the first identity with the first key.
In a possible implementation, the first subscription server decrypts the third identity with the first key to obtain the first identity, and/or decrypts the fourth identity with the second key to obtain the second identity, or decrypts the fifth identity with the third key to obtain the other of the first identity and the second identity.
In a possible implementation, at least one of the first key, the second key and the third key is a key shared between the first subscription server and the first terminal device; or at least one of the first key, the second key and the third key is a key generated by the first subscription server from the long-term key of the first terminal device and a random number; or at least one of the first key, the second key and the third key is a key generated by the first subscription server and the first terminal device according to a target algorithm.
In a possible implementation, the first server is the interrogating call session control function (I-CSCF) of the network in which the second terminal device is located, or a routing proxy node of that network.
For the beneficial effects of the third aspect, refer to the beneficial effects of the first aspect.
In a fourth aspect, this application provides an information sending method applied to a communication system that includes a first terminal device and a second terminal device; the first terminal device has a first identity, the second terminal device has a second identity, the first terminal device is the calling party of the communication and the second terminal device is the called party;
The method includes: the first terminal device determines first identification information, which includes a third identity of the first terminal device and a fourth identity of the second terminal device, where the third identity is obtained by encrypting the first identity and the fourth identity is obtained by encrypting the second identity, or which includes one of the first identity and the second identity together with a fifth identity obtained by encrypting the other of the two; the first terminal device sends the first identification information to a first server.
In a possible implementation, the third identity is obtained by encrypting the first identity with a first key, the fourth identity is obtained by encrypting the second identity with a second key, and the fifth identity is obtained by encrypting the other of the first identity and the second identity with a third key.
In a possible implementation, the first subscription server is the subscription server corresponding to the first terminal device; the third identity is obtained by the first terminal device encrypting the first identity with the first key and the fourth identity is obtained by the first terminal device encrypting the second identity with the second key; or the third identity is obtained by the first subscription server encrypting the first identity with the first key and the fourth identity is obtained by the first terminal device encrypting the second identity with the second key.
In a possible implementation, the first subscription server is the subscription server corresponding to the first terminal device, and the fifth identity is obtained by the first terminal device encrypting the other of the first identity and the second identity with the third key, or the fifth identity is obtained by the first subscription server encrypting the other of the first identity and the second identity with the third key.
In a possible implementation, at least one of the first key, the second key and the third key is a key shared between the first subscription server and the first terminal device; or at least one of the first key, the second key and the third key is a key generated by the first subscription server from the long-term key of the first terminal device and a random number; or at least one of the first key, the second key and the third key is a key generated by the first subscription server and the first terminal device according to a target algorithm.
In a possible implementation, the first server is the interrogating call session control function (I-CSCF) of the network in which the second terminal device is located, or a routing proxy node of that network.
For the beneficial effects of the fourth aspect, refer to the beneficial effects of the first aspect.
In a fifth aspect, this application provides an information sending method applied to a communication system that includes a first terminal device and a second terminal device; the first terminal device has a first identity, the second terminal device has a second identity, the first terminal device is the calling party of the communication and the second terminal device is the called party;
The method includes: the second terminal device receives second identification information from the first server, which includes a sixth identity of the first terminal device and a seventh identity of the second terminal device, where the sixth identity is obtained by encrypting the first identity and the seventh identity is obtained by encrypting the second identity, or which includes one of the first identity and the second identity together with an eighth identity obtained by encrypting the other of the two; the second terminal device decrypts the second identification information to obtain the first identity and/or the second identity.
In a possible implementation, the second terminal device decrypts the sixth identity with a fourth key to obtain the first identity, decrypts the seventh identity with a seventh key to obtain the second identity, or decrypts the eighth identity with a sixth key to obtain the other of the first identity and the second identity.
In a possible implementation, the seventh key is the private key corresponding to the public key of the second terminal device.
In a possible implementation, at least one of the fourth key, the fifth key and the sixth key is a key shared between the second subscription server and the second terminal device; or at least one of the fourth key, the fifth key and the sixth key is a key generated from the long-term key of the second terminal device and a random number.
In a possible implementation, the first server is the interrogating call session control function (I-CSCF) entity of the network in which the second terminal device is located, or a routing proxy node of that network.
For the beneficial effects of the fifth aspect, refer to the beneficial effects of the first aspect.
The method embodiments above are described aspect by aspect; provided they are not mutually exclusive, some of the information involved, such as the specific features of each key, can be used across the aspects.
This application provides a communication apparatus having some or all of the functions of the first to fifth aspects above. For example, the apparatus may have the functions of some or all of the embodiments of the terminal device in this application, or the functions needed to implement any one embodiment of this application on its own. The functions may be implemented in hardware, or by hardware executing corresponding software. The hardware or software includes one or more units or modules corresponding to the functions above.
In a possible design, the communication apparatus may include a processing unit and a communication unit; the processing unit is configured to support the communication apparatus in performing the corresponding functions of the methods above, and the communication unit supports communication between the communication apparatus and other devices. The communication apparatus may further include a storage unit coupled to the processing unit and the communication unit, which stores the program instructions and data the communication apparatus needs.
In a sixth aspect, this application provides a communication apparatus having some or all of the functions of the second subscription server of the first aspect above. The communication apparatus includes:
a communication unit configured to receive first identification information from the first server, the first identification information including a third identity of the first terminal device and a fourth identity of the second terminal device, where the third identity is obtained by encrypting the first identity and the fourth identity is obtained by encrypting the second identity, or including one of the first identity and the second identity together with a fifth identity obtained by encrypting the other of the two;
a processing unit configured to send, through the communication unit and according to the first identification information, a first request to the first subscription server, the first request carrying the first identification information and requesting the first identity and/or the second identity;
the communication unit being further configured to receive a first response from the first subscription server, the first response carrying the first identity and/or the second identity;
the processing unit being further configured to obtain second identification information from the first identity and/or the second identity, the second identification information including a sixth identity of the first terminal device and a seventh identity of the second terminal device, where the sixth identity is obtained by encrypting the first identity and the seventh identity is obtained by encrypting the second identity, or including one of the first identity and the second identity together with an eighth identity obtained by encrypting the other of the two; and the communication unit being further configured to send the second identification information to the first server.
For details of this implementation, refer to the first aspect above; they are not repeated here.
For the beneficial effects of the sixth aspect, refer to the beneficial effects of the first aspect.
In a seventh aspect, this application provides a communication apparatus having some or all of the functions of the first server of the second aspect above. The communication apparatus includes:
a communication unit configured to obtain first identification information from the first terminal device, the first identification information including a third identity of the first terminal device and a fourth identity of the second terminal device, where the third identity is obtained by encrypting the first identity and the fourth identity is obtained by encrypting the second identity, or including one of the first identity and the second identity together with a fifth identity obtained by encrypting the other of the two;
a processing unit configured to determine the second subscription server according to at least one of the parameters contained in the fourth identity of the second terminal device or in the fifth identity of the second terminal device, where the parameters include a country code and a national destination code, or a country code, a national destination code and a routing indicator;
the communication unit being further configured to send the first identification information to the second subscription server.
For details of this implementation, refer to the second aspect above; they are not repeated here.
For the beneficial effects of the seventh aspect, refer to the beneficial effects of the second aspect.
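The identity-concealment exchange of the first to fifth aspects, together with the routing step of the seventh aspect, as an added example in Python; this is not code from the patent application. It assumes: identities written as country code, national destination code, routing indicator and subscriber number (CC-NDC-RI-SN), with only the subscriber number encrypted so that the first server can route on the clear parameters; a key derived from the long-term key and a random number by HMAC-SHA256, since the application does not fix a key derivation function; one derived key serving as the first, second and third key (and likewise one as the fourth, fifth and sixth key); and an HMAC-based encrypt-then-MAC construction standing in for a production AEAD such as AES-GCM so that the example runs on the standard library alone. The public-key option for the seventh key and the target-algorithm option are not shown. The sample identities, keys, routing table and the names `conceal`, `reveal`, `route_to_subscription_server` and `run_flow` are constructed for this example.

```python
import hashlib
import hmac
import os

# Constructed sample data (not from the application). Identities are written as
# CC-NDC-RI-SN: country code, national destination code, routing indicator and
# subscriber number. Only SN is encrypted; CC/NDC/RI stay in clear for routing.
ID_UE1 = "86-139-01-10000001"            # first identity (calling party)
ID_UE2 = "44-770-02-20000002"            # second identity (called party)
K_UE1 = bytes(15) + b"\x01"              # long-term key of UE1, held by HSS1
K_UE2 = bytes(15) + b"\x02"              # long-term key of UE2, held by HSS2

# Routing table of the first server (I-CSCF or routing proxy): parameters -> subscription server.
ROUTES = {("86", "139", "01"): "hss1", ("44", "770", "02"): "hss2"}


def derive_key(long_term_key: bytes, rand: bytes, label: bytes) -> bytes:
    """Key from the long-term key and a random number. The application does not
    fix the KDF; HMAC-SHA256(K, RAND || label) is this example's assumption."""
    return hmac.new(long_term_key, rand + label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    out = b"".join(hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"),
                            hashlib.sha256).digest() for i in range(blocks))
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC over an HMAC-SHA256 keystream: nonce || ct || tag.
    Stands in for a real AEAD (AES-GCM) so only the standard library is needed."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or a modified ciphertext raises."""
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expect = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("concealed identity failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def conceal(identity: str, key: bytes) -> dict:
    """Concealed identity: routing parameters in clear, subscriber number encrypted."""
    cc, ndc, ri, sn = identity.split("-")
    return {"cc": cc, "ndc": ndc, "ri": ri, "enc_sn": seal(key, sn.encode())}


def reveal(concealed: dict, key: bytes) -> str:
    sn = unseal(key, concealed["enc_sn"]).decode()
    return "-".join((concealed["cc"], concealed["ndc"], concealed["ri"], sn))


def route_to_subscription_server(concealed: dict) -> str:
    """First-server step (seventh aspect): pick the subscription server from the
    country code, national destination code and routing indicator."""
    return ROUTES[(concealed["cc"], concealed["ndc"], concealed["ri"])]


def run_flow():
    """End-to-end exchange; returns what UE2 recovers plus the routing decision."""
    # Registration: the subscription server derives the identity key from the
    # terminal's long-term key and a RAND; the terminal, given the same RAND,
    # derives the identical key, so one value is computed here for both sides.
    k_ue1 = derive_key(K_UE1, os.urandom(16), b"identity")   # first/second key, HSS1 <-> UE1
    k_ue2 = derive_key(K_UE2, os.urandom(16), b"identity")   # fourth/fifth key, HSS2 <-> UE2

    # UE1 (fourth aspect): first identification information = third + fourth identity.
    first_info = {"caller": conceal(ID_UE1, k_ue1), "callee": conceal(ID_UE2, k_ue1)}

    # First server (second/seventh aspect): route on the callee's clear parameters.
    target = route_to_subscription_server(first_info["callee"])

    # HSS2 (first aspect) sends the first request to HSS1, located here from the
    # caller's clear parameters (assumption); HSS1 (third aspect) decrypts and responds.
    assert route_to_subscription_server(first_info["caller"]) == "hss1"
    first_response = {"id1": reveal(first_info["caller"], k_ue1),
                      "id2": reveal(first_info["callee"], k_ue1)}

    # HSS2 re-encrypts for UE2: second identification information = sixth + seventh identity.
    second_info = {"caller": conceal(first_response["id1"], k_ue2),
                   "callee": conceal(first_response["id2"], k_ue2)}

    # UE2 (fifth aspect) decrypts with its own keys.
    return reveal(second_info["caller"], k_ue2), reveal(second_info["callee"], k_ue2), target


if __name__ == "__main__":
    print(run_flow())
```

The point to check in any real deployment is the one `unseal` enforces: the subscription server must authenticate the concealed identities before decrypting them, otherwise a node on the path between the terminal and the subscription servers could swap the callee's ciphertext or replay an old one, and the server would return a cleartext identity for whatever it was handed. Keeping the routing parameters in clear is what lets the I-CSCF forward without decrypting, which is the same trade-off the application describes for the fourth and fifth identity.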
In an eighth aspect, this application provides a communication apparatus having some or all of the functions of the first subscription server of the third aspect above. The communication apparatus may include:
a communication unit configured to receive a first request from the second subscription server, the first request requesting the first identity and/or the second identity and carrying first identification information, the first identification information including a third identity of the first terminal device and a fourth identity of the second terminal device, where the third identity is obtained by encrypting the first identity and the fourth identity is obtained by encrypting the second identity, or including one of the first identity and the second identity together with a fifth identity obtained by encrypting the other of the two;
a processing unit configured to send a first response to the second subscription server according to the first request, the first response carrying the first identity and/or the second identity.
For details of this implementation, refer to the third aspect above; they are not repeated here.
For the beneficial effects of the eighth aspect, refer to the beneficial effects of the third aspect.
In a ninth aspect, this application provides a communication apparatus having some or all of the functions of the first terminal device of the fourth aspect above. The communication apparatus includes:
a processing unit configured to determine first identification information, the first identification information including a third identity of the first terminal device and a fourth identity of the second terminal device, where the third identity is obtained by encrypting the first identity and the fourth identity is obtained by encrypting the second identity, or including one of the first identity and the second identity together with a fifth identity obtained by encrypting the other of the two;
a communication unit configured to send the first identification information to the first server.
For details of this implementation, refer to the fourth aspect above; they are not repeated here.
For the beneficial effects of the ninth aspect, refer to the beneficial effects of the fourth aspect.
In a tenth aspect, this application provides a communication apparatus having some or all of the functions of the second terminal device of the fifth aspect above. The communication apparatus includes:
a communication unit configured to receive second identification information from the first server, the second identification information including a sixth identity of the first terminal device and a seventh identity of the second terminal device, where the sixth identity is obtained by encrypting the first identity and the seventh identity is obtained by encrypting the second identity, or including one of the first identity and the second identity together with an eighth identity obtained by encrypting the other of the two;
a processing unit configured to decrypt the second identification information to obtain the first identity and/or the second identity.
For details of this implementation, refer to the fifth aspect above; they are not repeated here.
For the beneficial effects of the tenth aspect, refer to the beneficial effects of the fifth aspect.
In the various implementations of this application, the communication unit of each apparatus may be a transceiver and the processing unit may be a processor.
In the various implementations of this application, the processor in each apparatus may be used for, for example but not limited to, baseband-related processing, and the transceiver may be used for, for example but not limited to, radio-frequency transmission and reception. These components may be placed on chips independent of one another, or at least partly or wholly on the same chip. For example, the processor may be further divided into an analog baseband processor and a digital baseband processor, where the analog baseband processor may be integrated with the transceiver on one chip and the digital baseband processor placed on a separate chip. As integrated-circuit technology advances, more and more components can be integrated on a single chip; for example, a digital baseband processor may be integrated with various application processors (such as, but not limited to, graphics processors and multimedia processors) on the same chip. Such a chip may be called a system on chip (System on Chip). Whether the components are placed separately on different chips or integrated on one or more chips usually depends on the needs of the product design. The embodiments of this application do not limit the implementation form of these components.
In an eleventh aspect, this application provides a communication apparatus that includes a processor; when the processor calls a computer program in a memory, the method of the first aspect is executed. The communication apparatus may be the second subscription server.
In a twelfth aspect, this application provides a communication apparatus that includes a processor; when the processor calls a computer program in a memory, the method of the second aspect is executed. The communication apparatus may be the first server.
In a thirteenth aspect, this application provides a communication apparatus that includes a processor; when the processor calls a computer program in a memory, the method of the third aspect is executed. The communication apparatus may be the first subscription server.
In a fourteenth aspect, this application provides a communication apparatus that includes a processor; when the processor calls a computer program in a memory, the method of the fourth aspect is executed. The communication apparatus may be the first terminal device.
In a fifteenth aspect, this application provides a communication apparatus that includes a processor; when the processor calls a computer program in a memory, the method of the fifth aspect is executed. The communication apparatus may be the second terminal device.
The communication apparatuses in the aspects above may include a processor and a memory, the memory storing computer-executable instructions and the processor executing the instructions stored in the memory so that the communication apparatus performs the method of the corresponding aspect. Optionally, the memory may be inside or outside the processor.
These communication apparatuses may include a processor, a memory and a transceiver: the transceiver receives or sends channels or signals, the memory stores program code, and the processor calls the program code from the memory to perform the method of the corresponding aspect.
These communication apparatuses may also include a processor and an interface circuit: the interface circuit receives code instructions and passes them to the processor, and the processor runs the code instructions to perform the method of the corresponding aspect.
In a sixteenth aspect, this application provides a computer-readable storage medium for storing instructions which, when executed, cause the method of any one of the first to fifth aspects to be implemented.
In a seventeenth aspect, this application provides a computer program product including instructions which, when executed, cause the method of any one of the first to fifth aspects to be implemented.
Brief description of the drawings
FIG. 1 is a schematic flowchart of a terminal device registration and authentication procedure;
FIG. 2 is a schematic flowchart of an information sending method;
FIG. 3 is a schematic diagram of a communication system architecture provided by an embodiment of this application;
FIG. 4 is a schematic flowchart of an information sending method provided by an embodiment of this application;
FIG. 5 is a schematic flowchart of a first subscription server encrypting a first identity;
FIG. 6 is a schematic flowchart of a first terminal device sending first identification information to a first server;
FIG. 7 is a schematic flowchart of information sending between a second terminal device and a first server;
FIG. 8 is a schematic flowchart of a first server sending second identification information to a second terminal device;
FIG. 9 is a schematic flowchart of a terminal device registration and authentication procedure provided by an embodiment of this application;
FIG. 10 is a schematic flowchart of another terminal device registration and authentication procedure provided by an embodiment of this application;
FIG. 11 is a schematic flowchart of another terminal device registration and authentication procedure provided by an embodiment of this application;
FIG. 12 is a schematic structural diagram of a communication apparatus provided by an embodiment of this application;
FIG. 13 is a schematic structural diagram of another communication apparatus provided by an embodiment of this application;
FIG. 14 is a schematic structural diagram of another communication apparatus provided by an embodiment of this application.
具体实施方式Detailed ways
The terms "first" and "second" in the description, claims and drawings of this application are used to distinguish different objects rather than to describe a particular order. In addition, the terms "include" and "have" and any variations of them are intended to cover non-exclusive inclusion: a process, method, system, product or device that includes a series of steps or units is not limited to the listed steps or units, and may optionally include steps or units that are not listed, or other steps or units inherent to that process, method, product or device.
Reference herein to an "embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment may be included in at least one embodiment of this application. The appearance of this phrase in various places in the specification does not necessarily refer to the same embodiment, nor to a separate or alternative embodiment that is mutually exclusive of other embodiments. Those skilled in the art understand, explicitly and implicitly, that the embodiments described herein may be combined with other embodiments.
In this application, "at least one (item)" means one or more, "a plurality" means two or more, and "at least two (items)" means two, three or more. "And/or" describes an association between related objects and indicates that three relationships may exist; for example, "A and/or B" may mean that only A exists, only B exists, or both A and B exist, where A and B may be singular or plural. The character "/" generally indicates an "or" relationship between the objects before and after it. "At least one of the following (items)" or similar expressions refer to any combination of those items, including any combination of single or plural items. For example, at least one of a, b or c may mean a, b, c, "a and b", "a and c", "b and c", or "a and b and c", where each of a, b and c may be singular or plural.
For a better understanding of the embodiments of this application, the technical terms involved are introduced below:
(1) Internet Protocol Multimedia Subsystem (IMS)
IMS is a multimedia communication network that uses the Session Initiation Protocol (SIP) as its call control signaling. As the next-generation core network for telecommunications, IMS enables operators to offer users multimedia services based on Internet applications, services and protocols. Terminal devices of all kinds can establish end-to-end Internet Protocol (IP) communication through IMS and obtain the required quality of service. A terminal device may be a user equipment (UE); the embodiments of this application take a terminal device that is a UE as an example.
(2) Call session control function (CSCF)
The CSCF network element is responsible for signaling control during multimedia call sessions in the IMS. It mainly controls the registration authentication, session control, routing management, network management and charging functions related to user services. The CSCF network elements are the proxy CSCF (P-CSCF), the interrogating CSCF (I-CSCF) and the serving CSCF (S-CSCF).
P-CSCF network element: the unified entry point of the IMS visited network. Its main functions include forwarding the SIP registration request initiated by a terminal device to the I-CSCF, and forwarding SIP messages sent by the UE to the S-CSCF.
I-CSCF network element: the entry point of the IMS network. Its main functions include: during registration, assigning an S-CSCF to the user according to information obtained from the HSS and forwarding the registration request to that S-CSCF; during a session, querying the HSS for the S-CSCF address and forwarding SIP requests or responses to the S-CSCF according to the address obtained from the HSS.
S-CSCF network element: the core of session control in the IMS network. Its main functions include: during registration, accepting the registration request forwarded by the P-CSCF, interacting with the home subscriber server (HSS) to complete user authentication and authorization, and updating the user's registration status on the HSS; after registration authentication succeeds, downloading user-related information from the HSS, providing service-related information to the terminal device and controlling the terminal device's sessions; and obtaining the address of the I-CSCF and forwarding SIP requests or responses to it.
(3) Home subscriber server (HSS)
The home subscriber server (HSS), which may be called the subscription server, is the core database of the IMS network. It stores user- and service-related information within the IMS domain and, together with the other terminal devices and network elements of the IMS network, completes call/session processing. The HSS is an important part of the IMS control layer and is the main user database for the IMS network entities that handle calls/sessions. The HSS communicates with the application server (AS) and the call session control function (CSCF) servers. Its main functions are: (1) storing user information and service information (including user identifiers, identity identifiers and addressing information, user security information, user location information and the user's subscription information, where the identity identifier may be a phone number); (2) interacting with the I-CSCF to complete the assignment of the S-CSCF and obtaining the information needed to serve the P-CSCF; (3) generating authentication vector information, interacting with the S-CSCF to complete user authentication, obtaining the user's registration information and sending the related user and service information to the serving session control device; (4) interacting with the application server (AS), answering the AS's service information queries, accepting the AS's customized data change notifications and synchronizing service data to the HSS.
(4) User identifier
The user identifiers used in IMS include, but are not limited to, the IP multimedia private identity (IMPI) and the IP multimedia public identity (IMPU). An IMPI or IMPU is a Uniform Resource Identifier (URI); it may be numeric, such as a telephone number URI (for example 15551234567), or a character identifier, such as a SIP URI (for example John.doe@example.com). When the IMPI takes the form of a SIP URI it can be written as "identity identifier@home network domain name", where the identity identifier may be the phone number, user name or similar assigned to the user. For example, for an IMS user whose home network domain name is gx.cn and whose phone number is 077123456, the IMPI is "077123456@gx.cn". The IMPI carries routing information such as the mobile country code (MCC), mobile network code (MNC) and mobile subscriber identification number (MSIN). The embodiments of this application take the IMPI as the user identifier by way of example.
(5) Flow of initial registration authentication initiated by a terminal device
Referring to FIG. 1, the UE sends a Register request to the P-CSCF; the registration request carries the UE's user identifier (such as the IMPI), contact address, SIP, access network type, encryption algorithm and other information.
After receiving the registration request, the P-CSCF saves the user identifier and other necessary information, obtains the I-CSCF address, assembles a new registration request carrying the user identifier and the I-CSCF address, and sends it to the I-CSCF address it looked up.
The I-CSCF queries the user's registration status in the HSS using the user identifier; if the user is not registered, it selects an S-CSCF to handle the UE's registration request and sends the registration request carrying the S-CSCF address to that S-CSCF for further processing.
After receiving the registration request, the S-CSCF checks whether this is the user's initial registration and, if so, sends a user authentication request to the HSS.
The HSS computes the authentication vector used for user authentication and sends a user authentication response carrying the authentication vector to the S-CSCF.
The S-CSCF receives the HSS's authentication vector and sends an unauthorized message to the UE via the I-CSCF and the P-CSCF; the unauthorized message may be a 401 Unauthorized and includes the authentication vector.
The UE generates an authentication response from the authentication vector and sends it to the P-CSCF in a new registration request.
After receiving the authentication response, the P-CSCF sends a registration request for user authentication to the S-CSCF through the I-CSCF; the registration request carries the authentication response.
The S-CSCF verifies the received authentication response and, once the user is authenticated, sends a server assignment request (which may be a Diameter SAR) to the HSS to request the user's registration information and IFC rules.
The HSS updates the user's registration information, saves the S-CSCF domain name, and returns the IFC rules to the S-CSCF in a server assignment answer (which may be a Diameter SAA).
The S-CSCF sends a 200 OK message to the UE, and initial registration authentication of the UE's identity is complete.
When UE1 and UE2 belong to the same IMS network, a session can be established once the initial registration authentication of their identities described above has been completed.
(6) Flow of establishing a session between a first terminal and a second terminal
Referring to FIG. 2, UE1 and UE2 belong to the calling home domain and the called home domain respectively. The calling home domain also includes a domain name system (DNS) server, an E.164 number URI mapping (ENUM) server, P-CSCF1, S-CSCF1 and HSS1; the called home domain also includes I-CSCF2, P-CSCF2, S-CSCF2 and HSS2. UE1 has a first identity and UE2 has a second identity. An identity identifies a terminal device and may be a phone number or the identity used for a service such as network voice or video calling.
UE1 sends a session request to S-CSCF1 through P-CSCF1; the session request carries the first identity and the second identity.
After receiving the session request, S-CSCF1 sends a domain name resolution request to the DNS and/or ENUM server and obtains the IP address of I-CSCF2.
I-CSCF2 receives the session request and asks HSS2 for the IP address of the S-CSCF2 bound to UE2; the session request carries the first identity and the second identity.
I-CSCF2 obtains the IP address of S-CSCF2 from the S-CSCF2 domain name information returned by HSS2 and sends the session request to S-CSCF2; the session request carries the first identity and the second identity.
S-CSCF2 forwards the session request to UE2 through P-CSCF2; the session request carries the first identity and the second identity.
UE2 receives the session request and establishes a session with UE1.
For a better understanding of the embodiments of this application, the communication system architecture involved is introduced first:
Referring to FIG. 3, a schematic diagram of a communication system architecture provided by an embodiment of this application. The communication system may include a first terminal device 301 and a second terminal device 305, and may further include a first subscription server 304 corresponding to the first terminal device 301, a second subscription server 303 corresponding to the second terminal device 305, and a first server 302 in the network where the second terminal device 305 is located. The number and form of the devices shown in FIG. 3 are examples and do not limit the embodiments of this application; for instance, an actual deployment may include two or more first terminal devices.
The first terminal device 301 and the first subscription server 304 are network devices in the calling home domain; the first server 302, the second subscription server 303 and the second terminal device 305 are network devices in the called home domain. The first subscription server 304 receives the service request initiated by the first terminal device 301, reaches the second subscription server 303 through the first server 302, and through the second subscription server 303 enables the first terminal device 301 and the second terminal device 305 to establish a connection.
The terminal device involved in the embodiments of this application may be a device with a wireless transceiver function. It may be deployed on land, indoors or outdoors, handheld or vehicle-mounted; on water (for example on a ship); or in the air (for example on an aircraft, balloon or satellite). A UE includes a handheld device, vehicle-mounted device, wearable device or computing device with a wireless communication function; for example, the UE may be a mobile phone, a tablet computer or a computer with a wireless transceiver function. The terminal device may also be a virtual reality (VR) terminal device, an augmented reality (AR) terminal device, a smart vehicle terminal device, a wireless terminal in industrial control, a wireless terminal in driverless driving, a drone, a drone controller, a wireless terminal in telemedicine, a wireless terminal in a smart grid, a wireless terminal in a smart city, a wireless terminal in a smart home, and so on. The embodiments of this application do not limit the specific technology or device form adopted by the terminal device.
The subscription server involved in the embodiments of this application is a home subscriber server (HSS). For convenience, the first subscription server 304 may be abbreviated as HSS1 and the second subscription server 303 as HSS2.
The first server may be the interrogating call session control function (I-CSCF) network element of the network where the second terminal device is located (the called home domain network), abbreviated as I-CSCF2 for convenience. The first server may also be the Diameter routing agent (DRA) of the network where the second terminal device is located, abbreviated as DRA2.
As applied in this application, the first terminal device 301 sends first identification information to the first server 302. The first identification information includes a third identity of the first terminal device and a fourth identity of the second terminal device, where the third identity is obtained by encrypting the first identity and the fourth identity is obtained by encrypting the second identity; or the first identification information includes one of the first identity and the second identity together with a fifth identity obtained by encrypting the other. After obtaining the first identification information from the first terminal device 301, the first server 302 determines the second subscription server 303 and sends the first identification information to it. The second subscription server 303 receives the first identification information from the first server 302 and sends a first request carrying it to the first subscription server 304. After receiving the first request from the second subscription server, the first subscription server 304 sends a first response carrying the first identity and/or the second identity to the second subscription server. After receiving the first response from the first subscription server 304, the second subscription server 303 derives second identification information from the first identity and/or the second identity and sends it to the first server 302. The second identification information includes a sixth identity of the first terminal device and a seventh identity of the second terminal device, where the sixth identity is obtained by encrypting the first identity and the seventh identity by encrypting the second identity; or the second identification information includes one of the first identity and the second identity together with an eighth identity obtained by encrypting the other. The first server 302 then sends the second identification information to the second terminal device 305.
By encrypting the first identity of the first terminal device and/or the second identity of the second terminal device, and transmitting only the encrypted identities over the air interface and through the core network, the risk of the first identity and/or the second identity being leaked over the air interface or in the core network is avoided, which improves security.
The technologies described in the embodiments of this application can be used in various communication systems, such as a fourth-generation (4G) communication system, a 4.5G communication system, a 5G communication system, a system that integrates multiple communication systems, or a future evolved communication system.
It should be understood that the communication system described in the embodiments of this application is intended to explain the technical solutions of the embodiments more clearly and does not limit them. Those skilled in the art will recognize that, as system architectures evolve and new service scenarios emerge, the technical solutions provided in the embodiments of this application apply equally to similar technical problems.
The information sending method provided by the embodiments of this application is described in detail below. Note that the names of the messages exchanged between network elements and of the parameters in those messages in the following embodiments are only examples; other names may be used in specific implementations, and the embodiments of this application do not limit them. Note also that, in the drawings of the embodiments, the steps shown and their order are examples and do not limit the embodiments of this application. It should be understood that performing only some of the illustrated steps, or adjusting their order, falls within the protection scope of this application.
Referring to FIG. 4, a schematic flowchart of an information sending method provided by an embodiment of this application. Steps S401 to S402 are performed by the first terminal device or a chip in it; steps S403 to S404 and step S409 by the first server or a chip in it; steps S405 and S407 to S408 by the second subscription server or a chip in it; step S406 by the first subscription server or a chip in it; and step S410 by the second terminal device or a chip in it. The description below takes the first terminal device, the first server, the second subscription server, the first subscription server and the second terminal device as the entities performing the information sending method. For convenience, in the embodiments of this application the first terminal device is called UE1, the first server is I-CSCF2 in the called home domain, the second subscription server is HSS2, the first subscription server is HSS1 and the second terminal device is UE2. The method may include, but is not limited to, the following steps:
S401. UE1 determines first identification information.
The first identification information includes the third identity of UE1 and the fourth identity of UE2 (or one of the first identity and the second identity, together with the fifth identity). An identity identifies a terminal device and may be a phone number or the identity used for a service such as network voice or video calling. A phone number may consist of a country code (CC), a national destination code (NDC) and a subscriber number (SN), for example 86 (China country code) + 139 (national destination code) + 1234 (subscriber number). UE1 is the calling device in the calling home domain, and UE2 is the called device in the called home domain.
In one implementation, UE1 has a first identity and UE2 has a second identity. The third identity is obtained by encrypting the first identity and the fourth identity is obtained by encrypting the second identity; or the first identification information includes one of the first identity and the second identity together with a fifth identity obtained by encrypting the other. UE1 determines the first identification information from the first identity and/or the second identity.
The third identity is obtained by encrypting the first identity with a first key, the fourth identity is obtained by encrypting the second identity with a second key, and the fifth identity is obtained by encrypting the other one of the first identity and the second identity with a third key.
Optionally, at least one of the first key, the second key and the third key is the shared key k1 between the first subscription server and the first terminal device. The shared key may be the long-term key K or a key derived from the long-term key K and other parameters, such as a key generated with a random number. For example, the second identity CC2+NDC2+SN2 of the second terminal device is symmetrically encrypted with the shared key k1, giving the fourth identity CC2+NDC2+routing indicator (RI)+ciphertext (SN2 with the routing indication removed).
Optionally, at least one of the first key, the second key and the third key is the public key of the home network where the first subscription server is located, obtained by the first terminal device, or a key further derived from that public key and other parameters. For example, the second identity CC2+NDC2+SN2 of the second terminal device is asymmetrically encrypted with a key derived from the home network public key and a one-time private key, giving the fourth identity CC2+NDC2+protection scheme ID+home public key ID+ECC ephemeral public key+SN2+message authentication code (MAC), or CC (called)+NDC (called)+RI+protection scheme ID+home public key ID+ECC ephemeral public key+ciphertext (SN2 with the routing indication removed)+MAC.
Optionally, at least one of the first key, the second key and the third key is a key generated by the first subscription server and the first terminal device according to a target algorithm. The key generated by the target algorithm may be a random number generated by a private algorithm of the first terminal device or of the first subscription server.
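As an added illustration (not the patent's own code), the following Python builds the fourth identity for the shared-key case above: CC2, NDC2 and the routing indicator stay in the clear so the request can still be routed, only SN2 is encrypted under k1, and the HSS1 side recovers the full identity. The keystream construction (HMAC-SHA256 in counter mode), the MAC over the clear fields, the 8-byte nonce, the hex wire form, the field lengths and the key value are all assumptions that the page does not specify.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed stand-in for the UE1/HSS1 shared key k1 (not a value from the patent).
DEMO_K1 = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def _keystream(k1: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream from k1 and a per-message nonce (HMAC-SHA256, counter mode).
    The patent only says 'symmetric encryption'; this construction is an assumption."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(k1, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _tag(k1: bytes, cc: str, ndc: str, ri: str, nonce: bytes, ct: bytes) -> bytes:
    """MAC over the clear routing part and the ciphertext, so that neither the
    routing fields nor the encrypted SN can be altered in transit undetected."""
    data = cc.encode() + b"|" + ndc.encode() + b"|" + ri.encode() + b"|" + nonce + ct
    return hmac.new(k1, data, hashlib.sha256).digest()[:8]


def conceal_identity(cc: str, ndc: str, sn: str, ri: str, k1: bytes,
                     nonce: Optional[bytes] = None) -> str:
    """UE1 side: build the fourth identity from CC2+NDC2+SN2.
    Wire form (assumed): CC + NDC + RI + hex(nonce || ciphertext(SN) || mac)."""
    if nonce is None:
        nonce = secrets.token_bytes(8)          # fresh per message: same SN, different output
    sn_bytes = sn.encode()
    ct = bytes(p ^ k for p, k in zip(sn_bytes, _keystream(k1, nonce, len(sn_bytes))))
    return cc + ndc + ri + (nonce + ct + _tag(k1, cc, ndc, ri, nonce, ct)).hex()


def reveal_identity(concealed: str, cc_len: int, ndc_len: int, ri_len: int, k1: bytes) -> str:
    """HSS1 side: verify the MAC and recover CC2+NDC2+SN2.
    Raises ValueError if the value was modified or encrypted under another key."""
    cc = concealed[:cc_len]
    ndc = concealed[cc_len:cc_len + ndc_len]
    ri = concealed[cc_len + ndc_len:cc_len + ndc_len + ri_len]
    blob = bytes.fromhex(concealed[cc_len + ndc_len + ri_len:])
    if len(blob) < 16:                          # at least nonce (8) + mac (8)
        raise ValueError("concealed identity too short")
    nonce, ct, mac = blob[:8], blob[8:-8], blob[-8:]
    if not hmac.compare_digest(mac, _tag(k1, cc, ndc, ri, nonce, ct)):
        raise ValueError("MAC check failed: identity modified or wrong key")
    sn = bytes(c ^ k for c, k in zip(ct, _keystream(k1, nonce, len(ct)))).decode()
    return cc + ndc + sn


if __name__ == "__main__":
    # The page's example number 86 + 139 + 1234; RI "0001" is a constructed value.
    fourth = conceal_identity("86", "139", "1234", "0001", DEMO_K1)
    print("fourth identity on the wire:", fourth)
    print("recovered at HSS1:", reveal_identity(fourth, 2, 3, 4, DEMO_K1))
```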
UE1 generates first identification information from the third identity and the fourth identity (or from one of the first identity and the second identity together with the fifth identity); the first identification information comprises the third identity of UE1 and the fourth identity of UE2 (or one of the first identity and the second identity, and the fifth identity). UE1 may determine the first identification information in one of the following ways:
Manner 1: the third identity may be obtained by HSS1 encrypting the first identity with the first key, or by UE1 encrypting the first identity with the first key. The fourth identity is obtained by UE1 encrypting the second identity with the second key. Manner 2: the first identification information generated by UE1 comprises one of the first identity and the second identity, and a fifth identity obtained by encrypting the other of the two. Alternatively, the first identification information generated by UE1 comprises one of the first identity and the second identity, and a fifth identity obtained by HSS1 encrypting the other of the two. That is, the first identification information comprises any one of: the third identity and the fourth identity; or the fifth identity and the second identity; or the first identity and the fifth identity. Encrypting the first identity and/or the second identity reduces the risk of the identity being leaked while it travels over the air interface and through the core network, and thus improves security.
Optionally, the third identity may be obtained by HSS1 encrypting the first identity with the first key, and the fourth identity is obtained by UE1 encrypting the second identity with the second key.
Optionally, the third identity is obtained by UE1 encrypting the first identity with the first key, and the fourth identity by UE1 encrypting the second identity with the second key. When UE1 has not received a third identity from P-CSCF1, UE1 itself encrypts the first identity with the first key and the second identity with the second key. For example, UE1 encrypts the first identity CC1+NDC1+SN1 with a random number generated by a private algorithm.
Optionally, the fifth identity may be obtained by UE1 encrypting the other of the first identity and the second identity with the third key, or by HSS1 encrypting the other of the first identity and the second identity with the third key. That is, either UE1 or HSS1 encrypts whichever one of the first identity and the second identity is not sent in clear.
As shown in FIG. 5, the specific steps by which HSS1 encrypts the first identity to obtain the third identity or the fifth identity are as follows:
UE1 initiates a registration request to the network through P-CSCF1 and S-CSCF1; the registration request carries the user identifier.
HSS1 receives the registration request, obtains the first identity from the user identifier, encrypts the first identity with the first key to obtain the third identity or the fifth identity, and sends a registration response to S-CSCF1. The registration response carries the third identity (or the fifth identity) of UE1 and may be an SAA (Server-Assignment-Answer).
S-CSCF1 receives the registration response, stores the correspondence between UE1's third identity (or fifth identity) and the user identifier, the IP address of P-CSCF1 and the application server (AS) address list, and sends a 200 OK to P-CSCF1 that carries the correspondence between the third identity and the user identifier.
P-CSCF1 stores the correspondence between UE1's third identity (or fifth identity) and the user identifier and/or the IP address of S-CSCF1 and/or the IP address of UE1 and/or the Internet Protocol Security (IPsec) security association (SA), and sends a 200 OK to UE1, which optionally carries UE1's third identity (or fifth identity).
S402: UE1 sends the first identification information to the first server.
The first server may be the interrogating call session control function I-CSCF2 of the network in which UE2 is located (the called party's home network), or the Diameter routing agent (DRA) of that network, referred to as DRA2 for brevity. In the embodiments of this application, the first server is taken to be I-CSCF2 as an example.
As shown in FIG. 6, the specific steps by which the first terminal device sends the first identification information to the first server are as follows:
UE1 sends a session request (which may be an INVITE) to P-CSCF1; the session request carries the first identification information, which comprises the third identity and the fourth identity, or the first identity and the fifth identity, or the second identity and the fifth identity.
P-CSCF1 receives the first identification information, finds the address of S-CSCF1 from the stored correspondence between UE1's third identity (or fifth identity) and S-CSCF1, and forwards the first identification information or the user identifier to S-CSCF1 in the session request.
Optionally, if the third identity or fifth identity in the first identification information was generated by HSS1, P-CSCF1 checks the binding between that identity and the IPsec SA over which the request arrived; if the check passes, it looks up the IP address of S-CSCF1 from the stored correspondence between the third identity or fifth identity and S-CSCF1. This binding check is what stops a registered terminal from placing another subscriber's encrypted identity in its own session request. If the third identity or fifth identity was generated by UE1, P-CSCF1 finds the first identity and the IP address of S-CSCF1 from the stored correspondence among the third identity or fifth identity, the IPsec SA and S-CSCF1.
S-CSCF1 stores the correspondence between UE1's third identity (or fifth identity) and the user identifier so that it can verify it locally. Alternatively, if S-CSCF1 does not store this correspondence, it sends it to HSS1 for verification.
If UE2's fourth identity (or fifth identity) is not in SIP URI format, S-CSCF1 sends it to the telephone number mapping (ENUM) server. The ENUM server derives the called party's home domain name from CC2, NDC2 and RI in the fourth identity, obtains from the DNS server the IP address of the first server I-CSCF2 that corresponds to UE2's fourth identity (or fifth identity) in the called party's home domain, and returns the IP address of I-CSCF2 to S-CSCF1.
S-CSCF1 sends a session request carrying the first identification information to the first server I-CSCF2 at that IP address.
S403: after obtaining the first identification information from UE1, the first server determines the second subscription server according to at least one of the parameters in UE2's fourth identity (or UE2's fifth identity).
The first server I-CSCF2 receives the first identification information from UE1 and determines the IP address of the second subscription server HSS2 from at least one of the country code CC2, the national destination code NDC2 and the routing indicator RI in UE2's fourth identity or fifth identity.
S404: the first server sends the first identification information to HSS2.
As shown in FIG. 7, I-CSCF2 sends the first identification information to HSS2.
S405: HSS2 receives the first identification information from the first server and sends a first request to HSS1.
As shown in FIG. 7, HSS2 receives the first identification information from I-CSCF2 and sends a first request carrying the first identification information to the interworking function (IWF) or Diameter edge agent (DEA).
The IWF (or DEA) finds the address of HSS1 from CC1, NDC1 and/or RI in UE1's third identity (or fifth identity) and forwards the first request to HSS1. The first request carries the first identification information and requests the first identity and/or the second identity. Specifically, if the first identification information carries a third identity (or fifth identity) that is the encrypted first identity, the first request requests the first identity; if it carries a fourth identity (or fifth identity) that is the encrypted second identity, the first request requests the second identity.
S406: after receiving the first request from HSS2, HSS1 sends a first response to HSS2; the first response carries the first identity and/or the second identity.
As shown in FIG. 7, HSS1 receives the first request from HSS2 and generates a first response carrying the first identity and/or the second identity. If the first request carries first identification information requesting the first identity, the first response carries the first identity; if it carries first identification information requesting the second identity, the first response carries the second identity.
Optionally, when the first identification information carries the third identity and the fourth identity, HSS1 decrypts the third identity with the first key to obtain the first identity CC1+NDC1+SN1, and decrypts the fourth identity with the second key to obtain the second identity CC2+NDC2+SN2. HSS1 then generates the first response from the first identity and the second identity.
When the first identification information carries the fifth identity, HSS1 decrypts the fifth identity with the third key to obtain the other of the first identity and the second identity, and generates the first response from the first identity or the second identity.
HSS1 sends the first response to the IWF (or DEA).
The IWF (or DEA) forwards the first response to HSS2.
S407: after receiving the first response from HSS1, HSS2 obtains second identification information from the first identity and/or the second identity.
HSS2 receives the first response from HSS1 and encrypts the first identity and/or the second identity to obtain the second identification information. The second identification information comprises a sixth identity of the first terminal device and a seventh identity of the second terminal device, where the sixth identity is the encrypted first identity and the seventh identity is the encrypted second identity; or it comprises one of the first identity and the second identity together with an eighth identity obtained by encrypting the other.
In one implementation, the sixth identity is obtained by encrypting the first identity with a fourth key, and the seventh identity by encrypting the second identity with a fifth key. The eighth identity is obtained by encrypting the other of the first identity and the second identity with a sixth key.
Optionally, at least one of the fourth key, the fifth key and the sixth key is the shared key k2 between HSS2 and UE2; this shared key may be the long-term key K or a key derived from K and other parameters, for example a key derived with a random number. For example, the second identity CC2+NDC2+SN2 is symmetrically encrypted with the fourth key (the shared key k2), giving the seventh identity CC2+NDC2+routing indicator (RI)+ciphertext (SN2 with the routing indicator part removed). Encrypting the identity with a key derived from UE2's long-term key and a random number ensures that the encrypted identity differs on every encryption.
Optionally, at least one of the fourth key, the fifth key and the sixth key is the public key of the home network in which the second subscription server is located, as obtained by UE2, or a key further derived from it with other parameters. For example, UE2's second identity CC2+NDC2+SN2 is asymmetrically encrypted with a key derived from the public key of UE2's home network and a one-time private key, giving the seventh identity CC (called party)+NDC (called party)+RI+protection scheme ID+home public key ID+ECC ephemeral public key+ciphertext (SN2 with the routing indicator part removed)+MAC.
S408: HSS2 sends the second identification information to the first server.
As shown in FIG. 8, HSS2 obtains the IP address of S-CSCF2 from UE2's second identity and sends the second identification information, together with the IP address of S-CSCF2 and/or the random number needed for the encryption, to I-CSCF2 in a response message.
S409: after receiving the second identification information from HSS2, the first server sends the second identification information and/or the random number needed for the encryption to UE2.
As shown in FIG. 8, I-CSCF2 receives the second identification information and forwards it and/or the random number to S-CSCF2 at the IP address of S-CSCF2.
S-CSCF2 obtains the IP address of P-CSCF2 from the correspondence between UE2's seventh identity (or eighth identity) and P-CSCF2, and sends the second identification information and/or the random number to P-CSCF2.
P-CSCF2 obtains the IP address of UE2 from the correspondence between UE2's seventh identity (or eighth identity) and UE2, and sends the second identification information and/or the random number to UE2.
S410: after receiving the second identification information from the first server, UE2 decrypts it to obtain the first identity and/or the second identity.
UE2 decrypts the sixth identity with the fourth key to obtain the first identity, decrypts the seventh identity with the seventh key to obtain the second identity, or decrypts the eighth identity with the sixth key to obtain the other of the first identity and the second identity. By decrypting the seventh identity or the eighth identity of the second terminal device to obtain the second identity, UE2 can check from the second identity whether it is the terminal device to which the second identification information is addressed, which helps to secure the transmission of the second identity over the air interface and through the core network.
Optionally, the seventh key is the private key corresponding to UE2's public key (i.e. the fifth key). At least one of the fourth key and the sixth key is the shared key between UE2 and HSS2; at least one of them is a key derived from UE2's long-term key and a random number. For example, UE2 decrypts the sixth identity with the fourth key, the seventh key or the sixth key to obtain the first identity CC1+NDC1+SN1, and decrypts the seventh identity to obtain the second identity CC2+NDC2+SN2.
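S407 to S410 with the symmetric option of the fourth key, carried through end to end: HSS2 derives k2 from UE2's long-term key K and a fresh random number, encrypts SN2 (minus the routing indicator) to form the seventh identity, and the random number travels with it through I-CSCF2, S-CSCF2 and P-CSCF2 so that UE2 can re-derive k2, decrypt, and confirm that the recovered second identity is its own. The Go program below is an added example written for this page, not code from the application or from Huawei. The HMAC-SHA256 derivation of k2 with a hypothetical label, the use of AES-128-GCM (which gives UE2 the integrity check the description leaves implicit) with the first 12 bytes of RAND as nonce, and the sample key and identity values are assumptions; the description fixes only that k2 comes from K and a random number and that CC2, NDC2 and RI remain in clear.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SeventhID is the symmetrically protected called-party identity from S407:
// CC2, NDC2 and RI stay in clear for routing; the rest of SN2 is encrypted.
type SeventhID struct {
	CC, NDC, RI string
	Ciphertext  []byte // AES-GCM output: encrypted SN2 followed by the 16-byte tag
}

// deriveK2 derives the per-message key k2 from the long-term key K shared by
// UE2 and HSS2 and the random number RAND. HMAC-SHA256 with a hypothetical
// label is the assumed KDF; the description only says "K and a random number".
func deriveK2(K, rnd []byte) []byte {
	m := hmac.New(sha256.New, K)
	m.Write([]byte("ims-callee-identity")) // hypothetical domain-separation label
	m.Write(rnd)
	return m.Sum(nil)[:16]
}

// aead builds AES-128-GCM under k2. GCM is an assumption that adds an
// integrity check; the description specifies only symmetric encryption.
func aead(K, rnd []byte) (cipher.AEAD, error) {
	if len(rnd) < 12 { // 12 bytes of RAND are used as the standard GCM nonce
		return nil, errors.New("RAND must be at least 12 bytes")
	}
	block, err := aes.NewCipher(deriveK2(K, rnd))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewRand is the random number HSS2 generates for this encryption and sends
// to UE2 alongside the second identification information (S408, S409).
func NewRand() ([]byte, error) {
	rnd := make([]byte, 16)
	_, err := rand.Read(rnd)
	return rnd, err
}

// ProtectAtHSS2 is S407: HSS2 encrypts SN2 (minus the routing indicator)
// under k2. The clear routing prefix is bound in as associated data so it
// cannot be swapped without the decryption failing.
func ProtectAtHSS2(cc, ndc, ri, sn string, K, rnd []byte) (SeventhID, error) {
	g, err := aead(K, rnd)
	if err != nil {
		return SeventhID{}, err
	}
	nonce := rnd[:g.NonceSize()] // fresh per RAND, and so is k2
	ct := g.Seal(nil, nonce, []byte(sn), []byte(cc+ndc+ri))
	return SeventhID{cc, ndc, ri, ct}, nil
}

// RecoverAtUE2 is S410: UE2 re-derives k2 from its own K and the received
// RAND, decrypts, and checks that the recovered second identity is its own
// before accepting the session.
func RecoverAtUE2(p SeventhID, rnd, K []byte, ownIdentity string) (string, error) {
	g, err := aead(K, rnd)
	if err != nil {
		return "", err
	}
	sn, err := g.Open(nil, rnd[:g.NonceSize()], p.Ciphertext, []byte(p.CC+p.NDC+p.RI))
	if err != nil {
		return "", errors.New("cannot recover SN2: wrong K, wrong RAND or altered identity")
	}
	id := p.CC + p.NDC + p.RI + string(sn)
	if id != ownIdentity {
		return "", fmt.Errorf("second identity %s is not this terminal's", id)
	}
	return id, nil
}

func main() {
	K := []byte("0123456789abcdef") // constructed long-term key K of UE2
	for i := 0; i < 2; i++ {       // same identity, two RANDs: two different ciphertexts
		rnd, _ := NewRand()
		p, _ := ProtectAtHSS2("86", "10", "12", "5559876", K, rnd)
		fmt.Printf("seventh identity: %s+%s+%s+%x\n", p.CC, p.NDC, p.RI, p.Ciphertext)
		id, err := RecoverAtUE2(p, rnd, K, "8610125559876")
		fmt.Println("UE2 recovered:", id, err)
	}
}
```

Running it twice with the same identity prints two different ciphertexts, which is the property S407 relies on. Because the routing prefix is authenticated as associated data, an intermediate node that rewrites CC2, NDC2 or RI while leaving the ciphertext intact is detected at UE2 rather than silently accepted.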
In the embodiment shown in FIG. 4, the first identity of the first terminal device and/or the second identity of the second terminal device is encrypted, and the encrypted identity is what travels over the air interface and through the core network; this avoids the risk of the first identity and/or the second identity being leaked on the air interface or in the core network, and thus improves security.
Three specific implementations of terminal device registration and authentication are described in detail below:
Manner 1: the UE encrypts the first user identifier with the public key of the home domain network to obtain a second user identifier. The Domain Name System (DNS) server, the Diameter routing agent (DRA) and the home subscriber server (HSS) are each configured with the correspondence between routing information and the IP addresses of the other network elements in the home domain network. The UE performs the identity registration procedure with the second user identifier, and DNS, DRA and HSS address the corresponding network element from the plaintext routing information in the second user identifier. The HSS decrypts the second user identifier and obtains and stores the correspondence between the second user identifier and the first user identifier; authentication is then performed with the second user identifier as the user identifier to complete identity registration. The user identifier includes, but is not limited to, the IP multimedia private identity (IMPI) and the IP multimedia public identity (IMPU); the embodiments of this application take the IMPI as the example. The IMPI consists of the mobile country code (MCC), the mobile network code (MNC), the routing indicator (RI) and other parts.
Referring to FIG. 9, the UE encrypts the IMPI with the public key of the home domain network to obtain IMPI* (or IMPI* and RouteInfo). Optionally, the UE encrypts only part of the first user identifier, i.e. the part of the IMPI other than MCC, MNC and RI, to obtain the second user identifier IMPI*. For example, the UE generates a fresh ephemeral key pair (Eph PubK, Eph PriK), combines its ephemeral private key with the network's public key (HN PubK) to produce the ephemeral shared key (Eph shared Key), and derives from it a one-time encryption key (Eph enc Key) and a one-time MAC key (Eph MAC Key). It encrypts the part of the IMPI other than MCC, MNC and RI with Eph enc Key, producing the second user identifier IMPI* = MCC+MNC+RI+Protection Scheme ID+HN PK ID+Scheme Output, where the Scheme Output consists of the ephemeral public key (Eph PubK), the ciphertext value and the message authentication code (MAC). The UE may also encrypt the IMPI as a whole.
For example, the second user identifier generated with the key is then IMPI* = Protection Scheme ID+HN PK ID+Scheme Output (Eph PubK, ciphertext value, MAC), and the MCC, MNC and RI of the first user identifier are carried alongside it as the routing information RouteInfo.
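The construction just described for IMPI*, and the same layout used earlier for the fourth identity (CC2+NDC2+RI+protection scheme ID+home public key ID+ECC ephemeral public key+ciphertext+MAC) and for the asymmetric form of the seventh identity in S407, is an ECIES-style identity concealment in which the routing prefix stays readable and only the subscriber part is encrypted under a key agreed with an ephemeral key. The Go program below is an added example written for this page, not code from the application or from Huawei. It shows the sender side (the UE, or HSS1 encrypting on the UE's behalf) and the home network side (the HSS in this registration flow, or HSS1 in S406), which must verify the MAC before releasing any plaintext. X25519, AES-128-CTR with a zero IV, HMAC-SHA256, the HKDF-style expansion, and the scheme and key identifiers "A" and "1" are assumptions; the description fixes the field layout but not the primitives. The routing fields are named CC, NDC and RI here; for an IMPI they would be MCC, MNC and RI.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Hypothetical scheme and home-network key identifiers; the description
// carries both fields but does not fix their values.
const schemeID, hnKeyID = "A", "1"

// ProtectedID is the concealed identity. CC, NDC and RI stay in clear so
// DNS, DRA and I-CSCF can route on them; only the subscriber part is hidden.
type ProtectedID struct {
	CC, NDC, RI, SchemeID, HNKeyID string
	EphPub, Ciphertext, MAC        []byte
}

// NewHomeNetworkKey makes the home network's X25519 pair: the private half
// stays in the HSS, the public half is provisioned to the UEs.
func NewHomeNetworkKey() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// prf is HMAC-SHA256 over a||b under key; used both as the KDF and the MAC.
func prf(key, a, b []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(a)
	m.Write(b)
	return m.Sum(nil)
}

// deriveKeys expands the ECDH shared secret into a one-time encryption key
// and a one-time MAC key (HKDF-Expand style, bound to the ephemeral key).
func deriveKeys(shared, ephPub []byte) (encKey, macKey []byte) {
	return prf(shared, ephPub, []byte{1})[:16], prf(shared, ephPub, []byte{2})
}

// ctr applies AES-128-CTR with a zero IV; safe only because every message
// gets a fresh ECDH secret and therefore a fresh key.
func ctr(key, in []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // unreachable: deriveKeys always yields a 16-byte key
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, make([]byte, aes.BlockSize)).XORKeyStream(out, in)
	return out
}

// Conceal is the sender side (UE1, or HSS1 on its behalf).
func Conceal(cc, ndc, ri, sn string, hnPub *ecdh.PublicKey) (ProtectedID, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return ProtectedID{}, err
	}
	shared, err := eph.ECDH(hnPub)
	if err != nil {
		return ProtectedID{}, err
	}
	ephPub := eph.PublicKey().Bytes()
	encKey, macKey := deriveKeys(shared, ephPub)
	ct := ctr(encKey, []byte(sn))
	return ProtectedID{cc, ndc, ri, schemeID, hnKeyID, ephPub, ct, prf(macKey, ephPub, ct)}, nil
}

// Deconceal is the home network side: recompute the secret, verify the MAC
// over the scheme output, and only then decrypt. Any failure releases nothing.
func Deconceal(p ProtectedID, hnPriv *ecdh.PrivateKey) (string, error) {
	if p.SchemeID != schemeID || p.HNKeyID != hnKeyID {
		return "", errors.New("unsupported protection scheme or key id")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(p.EphPub)
	if err != nil {
		return "", err
	}
	shared, err := hnPriv.ECDH(ephPub)
	if err != nil {
		return "", err
	}
	encKey, macKey := deriveKeys(shared, p.EphPub)
	if !hmac.Equal(prf(macKey, p.EphPub, p.Ciphertext), p.MAC) {
		return "", errors.New("MAC mismatch: identity altered in transit or wrong home-network key")
	}
	return p.CC + p.NDC + p.RI + string(ctr(encKey, p.Ciphertext)), nil
}

func main() {
	hn, _ := NewHomeNetworkKey()
	p, _ := Conceal("86", "10", "12", "5551234", hn.PublicKey()) // constructed identity
	fmt.Printf("concealed:   %s+%s+%s+%s+%s+%x+%x+%x\n",
		p.CC, p.NDC, p.RI, p.SchemeID, p.HNKeyID, p.EphPub, p.Ciphertext, p.MAC)
	id, err := Deconceal(p, hn)
	fmt.Println("deconcealed:", id, err)
}
```

Because the ephemeral key is fresh on every call, the same identity conceals to a different string each time, so an observer on the air interface or in a transit network cannot link two requests to the same subscriber from the protected identity alone; the routing prefix is what the DNS, DRA and ENUM lookups in the flows above operate on. Deconceal refuses a modified ciphertext and a wrong home-network private key before any subscriber digit is decrypted.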
DNS, DRA and HSS are each configured with the correspondence between the routing information in the second user identifier (MCC, MNC and RI) or RouteInfo and the address of each network element, i.e. (MCC+MNC+RI/RouteInfo, network element address). For example, when the UE encrypts only part of the first user identifier, the DNS is configured with the correspondence (MCC+MNC+RI, I-CSCF address) and the DRA with (MCC+MNC+RI, HSS address). The HSS is configured with the correspondences between the IMPI, each network element address and related information: (IMPI, S-CSCF address), (IMPI, initial filter criteria (IFC) rules) and (IMPI, user data for each AS), where the IFC rules include the list of application servers (AS). When the UE encrypts the first user identifier as a whole, the DNS is configured with (RouteInfo, I-CSCF address) and the DRA with (RouteInfo, HSS address).
The UE sends a REGISTER request to the P-CSCF; the request carries the second user identifier IMPI*, or IMPI* together with the routing information RouteInfo.
After receiving the registration request, the P-CSCF sends a DNS query to the DNS server to find the address of the I-CSCF; the query carries IMPI*, or IMPI* with RouteInfo.
The DNS server obtains the I-CSCF address from the MCC+MNC+RI contained in the second user identifier (or from the routing information RouteInfo) and returns a query response carrying the I-CSCF address to the P-CSCF.
The P-CSCF receives the query response from the DNS server and sends the REGISTER request to the I-CSCF.
The I-CSCF receives the REGISTER request and sends a user authorization request (which may be a Diameter UAR) to the DRA; the request carries IMPI*, or IMPI* with RouteInfo.
From the MCC+MNC+RI in the second user identifier in the user authorization request (or from the routing information RouteInfo), the DRA looks up the correspondence between routing information and HSS address (MCC+MNC+RI/RouteInfo, HSS address) and obtains the HSS address.
The DRA sends the user authorization request, carrying the second user identifier IMPI*, to the HSS.
The HSS receives IMPI*, decrypts the second user identifier IMPI* with the home network's private key to obtain the first user identifier IMPI, looks up and stores the correspondence between the first and second user identifiers (IMPI*, IMPI), and obtains the S-CSCF address. For example, the HSS uses the Eph PubK carried in IMPI* and its own HN PriK to generate the Eph shared Key, derives Eph dec Key and Eph MAC Key from it, checks the MAC with Eph MAC Key, and decrypts the part of the second user identifier other than MCC, MNC and RI with Eph dec Key to recover the IMPI. The HSS obtains the S-CSCF address from the first user identifier. Optionally, on receiving the second user identifier the HSS first determines from its length, its structure or the algorithm identifier it contains that it is an encrypted user identifier, and then decrypts it with the home network's private key to obtain the first user identifier. The HSS sends a user authorization answer (which may be a Diameter UAA) carrying the S-CSCF address to the I-CSCF via the DRA.
The I-CSCF sends the REGISTER request, carrying IMPI*, to the S-CSCF at the received S-CSCF address.
The S-CSCF sends a multimedia authentication request (which may be a Diameter MAR) carrying the second user identifier to the HSS.
The HSS receives the multimedia authentication request, looks up and stores the correspondence (IMPI*, IMPI) by IMPI* to obtain the first user identifier IMPI, and computes the authentication vector used for user authentication.
The HSS sends a multimedia authentication answer (which may be a Diameter MAA) carrying the authentication vector to the S-CSCF.
The S-CSCF sends an unauthorized message (which may be 401 Unauthorized) to the I-CSCF; it carries IMPI* (or IMPI* with the routing information RouteInfo) and the authentication vector.
The I-CSCF forwards the unauthorized message, carrying IMPI* (or IMPI* with RouteInfo) and the authentication vector, to the P-CSCF.
The P-CSCF forwards the unauthorized message, carrying IMPI* (or IMPI* with RouteInfo) and the authentication vector, to the UE.
The UE receives the unauthorized message, computes over the authentication vector with the key it shares with the HSS and the security algorithm, and generates an authentication response; the UE then sends a REGISTER request carrying IMPI* (or IMPI* with RouteInfo) and the authentication response to the P-CSCF.
After receiving the registration request, the P-CSCF sends a DNS query for the address of the I-CSCF, carrying IMPI* (or IMPI* with RouteInfo) and the authentication response. The P-CSCF receives the query response that the DNS server returns on the basis of the routing information, which carries the I-CSCF address, and sends the REGISTER request, carrying IMPI* (or IMPI* with RouteInfo) and the authentication response, to the I-CSCF.
I-CSCF接收注册请求,通过DRA获取HSS地址,向HSS发送用户授权请求(可以是Diameter UAR),用户授权请求携带IMPI。The I-CSCF receives the registration request, obtains the HSS address through the DRA, and sends a user authorization request (which may be a Diameter UAR) to the HSS, and the user authorization request carries the IMPI.
HSS接收IMPI后,查询并保存第一用户标识与第二用户标识的对应关系(IMPI*,IMPI),获得第一用户标识IMPI,根据IMPI获取S-CSCF地址。After receiving the IMPI, the HSS queries and saves the correspondence between the first user identifier and the second user identifier (IMPI*, IMPI), obtains the first user identifier IMPI, and obtains the S-CSCF address according to the IMPI.
HSS通过DRA向I-CSCF发送用户鉴权响应(可以是Diameter UAA),用户鉴权响应中包含S-CSCF地址。The HSS sends a user authentication response (which may be Diameter UAA) to the I-CSCF through the DRA, and the user authentication response includes the S-CSCF address.
I-CSCF根据接收到的S-CSCF地址,向S-CSCF发送注册请求,注册请求携带第二用户标识与认证响应。The I-CSCF sends a registration request to the S-CSCF according to the received S-CSCF address, and the registration request carries the second user identifier and the authentication response.
S-CSCF对认证响应进行校验,完成对UE的注册认证。The S-CSCF verifies the authentication response and completes the registration and authentication of the UE.
在对UE注册认证后,S-CSCF向HSS发送服务器分配请求(可以是Diameter SAR),服务器分配请求携带第二用户标识。After registering and authenticating the UE, the S-CSCF sends a server allocation request (which may be Diameter SAR) to the HSS, and the server allocation request carries the second user identity.
HSS根据服务器分配请求查询保存的第一用户标识与第二用户标识的对应关系(IMPI*,IMPI),获得第一用户标识,根据第一用户标识获取用户业务注册信息IFC规则,IFC规则包括应用服务器列表AS list,用于决定是否触发应用服务器AS。The HSS queries the stored correspondence between the first user ID and the second user ID (IMPI*, IMPI) according to the server allocation request, obtains the first user ID, and obtains the user service registration information IFC rules according to the first user ID. The IFC rules include application The server list AS list is used to decide whether to trigger the application server AS.
HSS向S-CSCF发送服务器分配响应(可以是Diameter SAA),服务器分配响应携带IFC规则(包括AS list)。The HSS sends a server allocation response (which may be Diameter SAA) to the S-CSCF, and the server allocation response carries the IFC rules (including the AS list).
S-CSCF保存第二用户标识IMPI*与P-CSCF地址、IFC规则(包括AS list)的对应关系,获得IFC规则(包括AS list)。The S-CSCF saves the correspondence between the second user identifier IMPI*, the P-CSCF address, and the IFC rules (including the AS list), and obtains the IFC rules (including the AS list).
S-CSCF向I-CSCF发送200OK信息。The S-CSCF sends a 200 OK message to the I-CSCF.
I-CSCF向P-CSCF发送200OK信息。The I-CSCF sends a 200 OK message to the P-CSCF.
P-CSCF保存第二用户标识、UE地址、S-CSCF地址、互联网协议安全IPSec链接的对应关系;向UE发送200OK信息。从而建立S-CSCF与UE之间的会话连接。The P-CSCF saves the correspondence between the second user identity, the UE address, the S-CSCF address, and the Internet Protocol security IPSec link; and sends a 200 OK message to the UE. Thus, a session connection between the S-CSCF and the UE is established.
S-CSCF根据保存的IFC规则中的服务器列表AS list,向AS发送注册请求Register,该注册请求携带第二用户标识。The S-CSCF sends a registration request Register to the AS according to the server list AS list in the saved IFC rules, and the registration request carries the second user identifier.
AS向HSS发送注册请求第一用户标识IMPI,注册请求携带第二用户标识IMPI*。The AS sends a registration request to the HSS with the first user identifier IMPI, and the registration request carries the second user identifier IMPI*.
HSS根据注册请求携带的第二用户标识IMPI*查询(IMPI*,IMPI),获得第一用户标识IMPI,然后向AS返回第一用户标识。The HSS obtains the first user identifier IMPI according to the second user identifier IMPI* query (IMPI*, IMPI) carried in the registration request, and then returns the first user identifier to the AS.
AS接收HSS发送的第一用户标识IMPI,获得AS对应的用户数据,并向S-CSCF发送200OK信息,200OK信息携带用户数据。从而建立网络内部之间的连接,完成终端设备的身份标识的认证。The AS receives the first user identifier IMPI sent by the HSS, obtains user data corresponding to the AS, and sends a 200OK message to the S-CSCF, where the 200OK message carries the user data. Thereby, the connection between the inside of the network is established, and the authentication of the identity of the terminal device is completed.
图9所示的实施例中,终端设备使用归属域网络的公钥对第一用户标识进行加密,得到第二用户标识,并保留路由信息为明文。在身份标识注册流程中,各网元根据第二用户标识中的路由信息寻址相应的下一跳网元。签约服务器使用归属网络的私钥对第二用户标识解密,并保存第二用户标识与第一用户标识的对应关系。在后续注册流程中,终端设备和各网元均使用加密后的第二用户标识,避免了用户标识在空口和各网元上传输时的泄露,从而提高安全性。In the embodiment shown in FIG. 9 , the terminal device encrypts the first user identifier by using the public key of the home domain network to obtain the second user identifier, and retains the routing information as plaintext. In the identity registration process, each network element addresses the corresponding next-hop network element according to the routing information in the second user identity. The subscription server decrypts the second user identifier using the private key of the home network, and saves the correspondence between the second user identifier and the first user identifier. In the subsequent registration process, both the terminal device and each network element use the encrypted second user identifier, which avoids leakage of the user identifier during transmission over the air interface and each network element, thereby improving security.
Mode 2: After the S-CSCF verifies the authentication response and completes the registration authentication of the UE, the S-CSCF or the HSS generates a third user identifier T-IMPI corresponding to the first user identifier and the second user identifier. The HSS saves the correspondence between the third user identifier and the first user identifier (T-IMPI, IMPI), which is used to deliver the T-IMPI to the UE during information transmission; the UE receives and saves the T-IMPI. The specific steps are as follows:
As shown in FIG. 10, for the steps and methods by which the UE encrypts the first user identifier IMPI to generate the second user identifier IMPI*, the HSS decrypts IMPI* to obtain IMPI and saves the correspondence between the first user identifier and the second user identifier (IMPI*, IMPI), the HSS generates the authentication vector, and the UE returns the authentication response, refer to the description in Mode 1 above of the UE encrypting IMPI to generate IMPI*, the HSS decrypting IMPI* to obtain IMPI and saving the correspondence (IMPI*, IMPI), the HSS generating the authentication vector, and the UE returning the authentication response; details are not repeated here.
The S-CSCF verifies the authentication response, and after completing the registration authentication of the UE, either the S-CSCF generates the third user identifier T-IMPI or the HSS generates the third user identifier T-IMPI. The specific steps are ① and ②:
① The S-CSCF verifies the authentication response, and after completing the registration authentication of the UE, the S-CSCF generates the third user identifier T-IMPI. The S-CSCF saves the correspondence between the third user identifier T-IMPI and the second user identifier IMPI* (T-IMPI, IMPI*). The S-CSCF sends a server assignment request to the HSS, and the server assignment request carries the third user identifier T-IMPI and the second user identifier IMPI*.
According to the correspondence (T-IMPI, IMPI*), the HSS obtains the first user identifier IMPI, saves the correspondence between the third user identifier T-IMPI and the first user identifier IMPI (T-IMPI, IMPI), and obtains, according to the first user identifier IMPI, the user registration information (Initial Filter Criteria, IFC) rules; the IFC rules include the application server list AS list.
② The S-CSCF verifies the authentication response, and after completing the registration authentication of the UE, the S-CSCF sends a server assignment request to the HSS, and the server assignment request carries the second user identifier IMPI*.
According to the correspondence between the second user identifier IMPI* and the first user identifier IMPI (IMPI*, IMPI), the HSS obtains the first user identifier IMPI, generates the third user identifier T-IMPI, and saves the correspondence between the third user identifier T-IMPI and the first user identifier IMPI (T-IMPI, IMPI). The IFC rules are obtained according to the IMPI, and the IFC rules include the application server list AS list.
The T-IMPI contains routing information such as the MCC, MNC and RI. Optionally, the T-IMPI may be generated based on the routing information RouteInfo and the encrypted part of the second user identifier IMPI*. Alternatively, the T-IMPI may be generated based on the routing information RouteInfo in the second user identifier IMPI* and a randomly generated character string. Optionally, the T-IMPI may also be generated by the HSS based on the routing information in the first user identifier IMPI and the remaining part; or the T-IMPI may be generated by the HSS based on the routing information in the first user identifier IMPI and a randomly generated character string; or the T-IMPI may be generated in another manner, which is not limited in the present invention.
The HSS sends the server assignment response Diameter SAA to the S-CSCF, and the server assignment response Diameter SAA carries the IFC rules (including the AS list) and the third user identifier T-IMPI.
The S-CSCF saves the correspondence between the third user identifier T-IMPI, the P-CSCF address and the IFC rules (including the AS list), that is, (T-IMPI, P-CSCF IP, IFC rules (including the AS list)).
The S-CSCF sends a 200 OK message to the I-CSCF, and the 200 OK message carries the T-IMPI.
The I-CSCF sends a 200 OK message to the P-CSCF, and the 200 OK message carries the T-IMPI.
The P-CSCF saves the correspondence between the third user identifier and/or the UE address and/or the S-CSCF address and/or the Internet Protocol Security (IPSec) link (T-IMPI and/or UE IP and/or S-CSCF IP and/or IPSec link), and sends a 200 OK message to the UE; optionally, the 200 OK message carries the third user identifier T-IMPI. A session connection between the S-CSCF and the UE is thus established.
The UE saves the T-IMPI.
In the embodiment shown in FIG. 10, after the registration authentication of the UE is completed, the S-CSCF or the HSS generates a third user identifier corresponding to the first user identifier or the second user identifier and delivers the third user identifier to the UE as a temporary user identifier, to be used by the UE for subsequent registration. This avoids encrypting and decrypting the first user identifier or the second user identifier again in the subsequent registration procedure, thereby improving the efficiency of information sending.
Mode 3: As shown in FIG. 11, when the UE registers for the first time, the HSS generates the third user identifier T-IMPI, saves the correspondence between the third user identifier T-IMPI and the first user identifier IMPI (T-IMPI, IMPI), and sends the third user identifier T-IMPI to the UE; in subsequent UE registration procedures the third user identifier T-IMPI is used as the user identifier. The specific method is as follows:
The UE sends a registration request to the P-CSCF, and the registration request carries the third user identifier T-IMPI.
After receiving the registration request, the P-CSCF sends a query request for the address of the I-CSCF to the DNS, where the query request carries the third user identifier; the P-CSCF receives the query response returned by the DNS carrying the I-CSCF address, and sends the registration request to the I-CSCF.
The I-CSCF receives the registration request and sends a user authorization request to the DRA, carrying the third user identifier T-IMPI.
According to the routing information of the third user identifier in the user authorization request, the DRA obtains the HSS address and sends the user authorization request to the HSS, carrying the T-IMPI.
The HSS receives the user authorization request, obtains the first user identifier IMPI according to the correspondence between the third user identifier T-IMPI and the first user identifier IMPI (T-IMPI, IMPI), and obtains the S-CSCF address according to the first user identifier.
The HSS sends a user authentication response to the I-CSCF through the DRA, and the user authentication response carries the S-CSCF address. The HSS receives a multimedia authentication request from the S-CSCF, queries and saves, according to the T-IMPI, the correspondence between the third user identifier and the first user identifier (T-IMPI, IMPI), obtains the first user identifier IMPI, and computes the authentication vector used for user authentication. An unauthorized message carrying the T-IMPI and the authentication vector is then sent to the UE through the respective network elements.
The UE performs a computation on the authentication vector according to the shared key and security algorithm between the UE and the HSS, generates an authentication response, and sends a user authorization request to the HSS through the I-CSCF; the user authorization request carries the T-IMPI.
The HSS receives the user authorization request, obtains the first user identifier IMPI according to the correspondence between the third user identifier T-IMPI and the first user identifier IMPI (T-IMPI, IMPI), and obtains the S-CSCF address according to the IMPI.
The HSS sends a user authentication response to the I-CSCF through the DRA, and the user authentication response carries the S-CSCF address.
According to the received S-CSCF address, the I-CSCF sends a registration request to the S-CSCF, and the registration request carries the T-IMPI and the authentication response.
The S-CSCF verifies the authentication response and completes the registration authentication of the UE.
After the UE has been authenticated, the S-CSCF sends a server assignment request to the HSS, and the server assignment request carries the T-IMPI.
According to the server assignment request, the HSS queries the saved correspondence between the first user identifier and the third user identifier (T-IMPI, IMPI) and obtains the first user identifier. The user registration information (Initial Filter Criteria, IFC) rules are obtained according to the first user identifier, and the IFC rules include the application server list AS list.
The HSS sends the server assignment response Diameter SAA to the S-CSCF, and the server assignment response Diameter SAA includes the IFC rules (including the AS list).
The S-CSCF saves the correspondence between the third user identifier, the P-CSCF address and the IFC rules (including the AS list), and obtains the IFC rules (including the AS list).
The S-CSCF sends a 200 OK message to the I-CSCF.
The I-CSCF sends a 200 OK message to the P-CSCF.
The P-CSCF sends a 200 OK message to the UE, thereby establishing a session connection between the S-CSCF and the UE.
According to the server list AS list in the saved IFC rules, the S-CSCF sends a registration request to the AS, and the registration request carries the T-IMPI.
The AS requests the first user identifier from the HSS.
According to the T-IMPI contained in the request, the HSS queries the correspondence between the third user identifier and the first user identifier (T-IMPI, IMPI), obtains the first user identifier, and then returns the first user identifier to the AS.
The AS receives the first user identifier sent by the HSS, obtains the user data corresponding to the AS, and sends a 200 OK message to the S-CSCF, where the 200 OK message carries the user data. The connections inside the network are thus established, and registration of the identity of the terminal device is completed.
In the embodiment shown in FIG. 11, the third user identifier is used as the user identifier in the registration and authentication procedure of the terminal device, and the HSS obtains the first user identifier according to the correspondence between the third user identifier and the first user identifier. This avoids the encryption and decryption procedure for the first user identifier and can improve the efficiency of information sending.
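The identifier handling of FIG. 9 to FIG. 11 as an added, runnable Python example that is not part of the patent: the UE encrypts the part of the IMPI other than the routing information under the home network public key (with a MAC over the whole IMPI*), the HSS recognises an IMPI* by its structure and algorithm identifier, decrypts it with HN PriK and records (IMPI*, IMPI), and issues a T-IMPI made of the routing information and a random string, recorded as (T-IMPI, IMPI). The primitives (X25519 key agreement, HKDF-SHA256, an HMAC-based stand-in stream cipher) and the identifier layout are assumptions, since the patent does not fix them.

```python
# Added example, not the patent's code: conceal an IMPI into IMPI* under the home
# network public key, recover it at the HSS, and issue a T-IMPI (FIG. 9 to FIG. 11).
# Assumed, since the patent fixes none of them: X25519 agreement, HKDF-SHA256, an
# HMAC-SHA256 counter-mode keystream as stand-in cipher, and a constructed layout
# "mccXXX.mncYYY.riZZ.<rest>" whose first three labels are the routing information.
import hashlib
import hmac
import secrets

P = 2**255 - 19     # Curve25519 field prime (RFC 7748)
SCHEME_ID = "e1"    # constructed algorithm identifier, carried in plaintext
MAC_LEN = 8         # constructed MAC truncation, in bytes
ROUTE_LABELS = 3    # MCC, MNC and RI labels stay in the clear

def _x25519(k: bytes, u: bytes) -> bytes:
    """Montgomery-ladder scalar multiplication on Curve25519 (RFC 7748 section 5)."""
    kk = bytearray(k)
    kk[0] &= 248; kk[31] = (kk[31] & 127) | 64       # clamp the scalar
    k_int = int.from_bytes(kk, "little")
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb, c, d = a * a % P, b * b % P, (x3 + z3) % P, (x3 - z3) % P
        e, da, cb = (aa - bb) % P, d * a % P, c * b % P
        x3, z3 = pow(da + cb, 2, P), x1 * pow(da - cb, 2, P) % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair():
    """Fresh (private, public) pair, used both for HN PriK/PubK and Eph PriK/PubK."""
    priv = secrets.token_bytes(32)
    return priv, _x25519(priv, (9).to_bytes(32, "little"))

def _derive_keys(shared: bytes, eph_pub: bytes):
    """HKDF-SHA256: Eph shared Key -> Eph enc/dec Key (16 B) and Eph MAC Key (32 B)."""
    prk = hmac.new(eph_pub, shared, hashlib.sha256).digest()   # extract, salt = Eph PubK
    okm, block = b"", b""
    for i in (1, 2):                                            # expand
        block = hmac.new(prk, block + b"impi-conceal" + bytes([i]), hashlib.sha256).digest()
        okm += block
    return okm[:16], okm[16:48]

def _stream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: XOR with an HMAC-SHA256 counter-mode keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], ks))
    return bytes(out)

def _split(identifier: str):
    """Routing information (first labels, plaintext) and the remaining labels."""
    labels = identifier.split(".")
    return ".".join(labels[:ROUTE_LABELS]), labels[ROUTE_LABELS:]

def conceal_impi(impi: str, hn_pub: bytes) -> str:
    """UE side, IMPI -> IMPI*. A fresh Eph key per registration makes successive
    IMPI* values unlinkable; the MAC also binds the plaintext routing information."""
    route, rest = _split(impi)
    eph_priv, eph_pub = keypair()
    enc_key, mac_key = _derive_keys(_x25519(eph_priv, hn_pub), eph_pub)
    ct = _stream_xor(enc_key, ".".join(rest).encode())
    mac = hmac.new(mac_key, route.encode() + eph_pub + ct, hashlib.sha256).digest()[:MAC_LEN]
    return ".".join([route, SCHEME_ID, eph_pub.hex(), ct.hex(), mac.hex()])

class HSS:
    """Holds HN PriK and the (IMPI*, IMPI) and (T-IMPI, IMPI) correspondence tables."""
    def __init__(self, hn_priv: bytes):
        self.hn_priv = hn_priv
        self.star_to_impi = {}
        self.temp_to_impi = {}

    def resolve(self, identifier: str) -> str:
        """Map a T-IMPI or IMPI* back to the IMPI; raise ValueError if it is not trusted."""
        if identifier in self.temp_to_impi:          # Mode 2/3: plain table lookup
            return self.temp_to_impi[identifier]
        route, rest = _split(identifier)
        if len(rest) != 4 or rest[0] != SCHEME_ID:   # recognise IMPI* by structure and scheme id
            raise ValueError("neither a known T-IMPI nor an IMPI*")
        eph_pub, ct, mac = (bytes.fromhex(x) for x in rest[1:])
        dec_key, mac_key = _derive_keys(_x25519(self.hn_priv, eph_pub), eph_pub)
        expect = hmac.new(mac_key, route.encode() + eph_pub + ct, hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(mac, expect):     # also detects altered routing info
            raise ValueError("IMPI* integrity check failed")
        impi = route + "." + _stream_xor(dec_key, ct).decode()
        self.star_to_impi[identifier] = impi         # save (IMPI*, IMPI)
        return impi

    def issue_t_impi(self, impi: str) -> str:
        """Mode 2/3: T-IMPI = routing info + random string, saved as (T-IMPI, IMPI)."""
        route, _ = _split(impi)
        t_impi = route + ".t" + secrets.token_hex(8)
        self.temp_to_impi[t_impi] = impi
        return t_impi
```

Because a fresh ephemeral key is drawn per registration, two IMPI* values for the same IMPI are unlinkable on the air interface, and altering the plaintext routing labels fails the MAC check at the HSS instead of silently resolving to a wrong identifier.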
图12所示的通信装置可以用于执行上述图4-图11所描述的方法实施例中第二签约服务器的部分或全部功能。其中,该通信装置还可以为芯片系统。图12所示的通信装置可以包括通信单元1201和处理单元1202。通信单元1201用于实现本申请上述信息发送方法中的第二签约服务器的收发操作;处理单元1202用于实现本申请上述信息发送方法中的第二签约服务器的数据处理功能。The communication apparatus shown in FIG. 12 may be used to execute part or all of the functions of the second subscription server in the method embodiments described in the foregoing FIG. 4 to FIG. 11 . Wherein, the communication device may also be a chip system. The communication apparatus shown in FIG. 12 may include a communication unit 1201 and a processing unit 1202 . The communication unit 1201 is used to implement the sending and receiving operations of the second subscription server in the above information sending method of this application; the processing unit 1202 is used to implement the data processing function of the second subscription server in the above information sending method of this application.
图12所示的通信装置可以用于执行上述图4-图11所描述的方法实施例中第一签约服务器的部分或全部功能。其中,该通信装置还可以为芯片系统。图12所示的通信装置可以包括 通信单元1201和处理单元1202。通信单元1201用于实现本申请上述信息发送方法中的第一签约服务器的收发操作;处理单元1202用于实现本申请上述信息发送方法中的第一签约服务器的数据处理功能。The communication apparatus shown in FIG. 12 may be used to execute part or all of the functions of the first subscription server in the method embodiments described in the foregoing FIG. 4 to FIG. 11 . Wherein, the communication device may also be a chip system. The communication apparatus shown in FIG. 12 may include a communication unit 1201 and a processing unit 1202. The communication unit 1201 is used to implement the sending and receiving operations of the first subscription server in the above information sending method of this application; the processing unit 1202 is used to implement the data processing function of the first subscription server in the above information sending method of this application.
图12所示的通信装置可以用于执行上述图4-图11所描述的方法实施例中第一服务器的部分或全部功能。其中,该通信装置还可以为芯片系统。图12所示的通信装置可以包括通信单元1201和处理单元1202。通信单元1201用于实现本申请上述信息发送方法中的第一服务器的收发操作;处理单元1202用于实现本申请上述信息发送方法中的第一服务器的数据处理功能。The communication apparatus shown in FIG. 12 may be used to execute part or all of the functions of the first server in the method embodiments described in the foregoing FIG. 4 to FIG. 11 . Wherein, the communication device may also be a chip system. The communication apparatus shown in FIG. 12 may include a communication unit 1201 and a processing unit 1202 . The communication unit 1201 is used to implement the sending and receiving operation of the first server in the above information sending method of the present application; the processing unit 1202 is used to implement the data processing function of the first server in the above information sending method of the present application.
图12所示的通信装置可以用于执行上述图4-图11所描述的方法实施例中第一终端设备的部分或全部功能。其中,该通信装置还可以为芯片系统。图12所示的通信装置可以包括通信单元1201和处理单元1202。通信单元1201用于实现本申请上述信息发送方法中的第一终端设备的收发操作;处理单元1202用于实现本申请上述信息发送方法中的第一终端设备的数据处理功能。The communication apparatus shown in FIG. 12 may be used to execute part or all of the functions of the first terminal device in the method embodiments described in the foregoing FIG. 4 to FIG. 11 . Wherein, the communication device may also be a chip system. The communication apparatus shown in FIG. 12 may include a communication unit 1201 and a processing unit 1202 . The communication unit 1201 is used to implement the sending and receiving operation of the first terminal device in the above information sending method of the present application; the processing unit 1202 is used to implement the data processing function of the first terminal device in the above information sending method of the present application.
图12所示的通信装置可以用于执行上述图4-图11所描述的方法实施例中第二终端设备的部分或全部功能。其中,该通信装置还可以为芯片系统。图12所示的通信装置可以包括通信单元1201和处理单元1202。通信单元1201用于实现本申请上述信息发送方法中的第二终端设备的收发操作;处理单元1202用于实现本申请上述信息发送方法中的第二终端设备的数据处理功能。The communication apparatus shown in FIG. 12 may be used to execute part or all of the functions of the second terminal device in the method embodiments described in FIG. 4 to FIG. 11 . Wherein, the communication device may also be a chip system. The communication apparatus shown in FIG. 12 may include a communication unit 1201 and a processing unit 1202 . The communication unit 1201 is used to implement the transceiving operation of the second terminal device in the above information sending method of the present application; the processing unit 1202 is used to implement the data processing function of the second terminal device in the above information sending method of the present application.
如图13所示为本申请实施例提供的一种通信装置1300,用于实现上述图4-图11所描述的方法实施例中第二签约服务器、或第一服务器、或第一签约服务器、或第一终端设备、或第二终端设备的功能;或该装置可以是用于第二签约服务器、或第一服务器、或第一签约服务器、或第一终端设备、或第二终端设备的装置。用于第二签约服务器的装置可以为第二签约服务器内的芯片系统或芯片。用于第一服务器的装置可以为第一服务器内的芯片系统或芯片。用于第一签约服务器的装置可以为第一签约服务器内的芯片系统或芯片。用于第一终端设备的装置可以为第一终端设备内的芯片系统或芯片。用于第二终端设备的装置可以为第二终端设备内的芯片系统或芯片。其中,芯片系统可以由芯片构成,也可以包含芯片和其他分立器件。As shown in FIG. 13, a communication apparatus 1300 provided by an embodiment of the present application is used to implement the second subscription server, or the first server, or the first subscription server, or the function of the first terminal device, or the second terminal device; or the apparatus may be an apparatus for the second subscription server, or the first server, or the first subscription server, or the first terminal device, or the second terminal device . The means for the second subscription server may be a system-on-chip or a chip within the second subscription server. The means for the first server may be a system-on-a-chip or a chip within the first server. The means for the first subscription server may be a chip system or chip within the first subscription server. The means for the first terminal device may be a chip system or a chip in the first terminal device. The means for the second terminal device may be a system-on-a-chip or a chip in the second terminal device. Wherein, the chip system may be composed of chips, and may also include chips and other discrete devices.
通信装置1300包括至少一个处理器1302,用于实现本申请上述信息发送方法中的第二签约服务器的数据处理功能;或用于实现本申请上述信息发送方法中的第一服务器的数据处理功能;或用于实现本申请上述信息发送方法中的第一签约服务器的数据处理功能;或用于实现本申请上述信息发送方法中的第一终端设备的数据处理功能;或用于实现本申请上述信息发送方法中的第二终端设备的数据处理功能。The communication device 1300 includes at least one processor 1302 for implementing the data processing function of the second subscription server in the above information sending method of the present application; or for realizing the data processing function of the first server in the above information sending method of the present application; Or used to realize the data processing function of the first subscription server in the above information sending method of this application; or used to implement the data processing function of the first terminal device in the above information sending method of this application; or used to implement the above information of this application The data processing function of the second terminal device in the sending method.
装置1300还可以包括通信接口1301,用于实现本申请上述信息发送方法中的第二签约服务器的收发操作;或用于实现本申请上述信息发送方法中的第一服务器的收发操作;或用于实现本申请上述信息发送方法中的第一签约服务器的收发操作;或用于实现本申请上述信息发送方法中的第一终端设备的收发操作;或用于实现本申请上述信息发送方法中的第二终端设备的收发操作。The apparatus 1300 may further include a communication interface 1301 for implementing the sending and receiving operations of the second subscription server in the above information sending method of the present application; or for realizing the sending and receiving operations of the first server in the above information sending method of the present application; or for Realize the sending and receiving operation of the first subscription server in the above information sending method of the present application; or be used to realize the sending and receiving operation of the first terminal device in the above information sending method of the present application; or be used to realize the first in the above information sending method of the present application. Two terminal equipment send and receive operations.
In the embodiments of this application, the communication interface may be a transceiver, a circuit, a bus, a module or another type of communication interface, used to communicate with other devices through a transmission medium. For example, the communication interface 1301 is used so that the apparatus 1300 can communicate with other devices. The processor 1302 sends and receives data through the communication interface 1301 and is used to implement the methods of the foregoing method embodiments.
The apparatus 1300 may further include at least one memory 1303 for storing program instructions and/or data. The memory 1303 is coupled to the processor 1302. Coupling in the embodiments of this application means an indirect coupling or communication connection between apparatuses, units or modules, which may be electrical, mechanical or of another form, and is used for information exchange between apparatuses, units or modules. The processor 1302 may operate in cooperation with the memory 1303 and may execute the program instructions stored in the memory 1303. At least one of the at least one memory may be included in the processor.
The specific connection medium between the communication interface 1301, the processor 1302 and the memory 1303 is not limited in the embodiments of this application. In FIG. 13, the memory 1303, the processor 1302 and the communication interface 1301 are connected by a bus 1304, drawn as a thick line; the connections between other components are shown only schematically and are not limiting. The bus may be divided into an address bus, a data bus, a control bus and so on. For ease of presentation, only one thick line is drawn in FIG. 13, but this does not mean that there is only one bus or only one type of bus.
When the apparatus 1300 is an apparatus used in a station, a first station, a second station or an access point, for example a chip or a chip system, the signals output or received by the communication interface 1301 may be baseband signals. When the apparatus 1300 is itself a station, a first station, a second station or an access point, the signals output or received by the communication interface 1301 may be radio frequency signals. In the embodiments of this application, the processor may be a general-purpose processor, a digital signal processor, an application-specific integrated circuit, a field programmable gate array or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component, and can implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of this application. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the methods disclosed in the embodiments of this application may be executed directly by a hardware processor, or by a combination of hardware and software modules in the processor.
As an example, FIG. 14 is a schematic structural diagram of another communication apparatus 1400 provided by an embodiment of this application. The communication apparatus 1400 may be the second subscription server, the first server, the first subscription server, the first terminal device or the second terminal device, and may perform the operations performed by that entity in the foregoing method embodiments.
For ease of description, FIG. 14 shows only the main components of the communication apparatus 1400. As shown in FIG. 14, the communication apparatus 1400 includes a processor, a memory, a radio frequency circuit, an antenna and an input/output apparatus. The processor is mainly used to process communication protocols and communication data, control the entire communication apparatus 1400, execute software programs and process their data, for example to support the communication apparatus 1400 in performing the procedures described in FIG. 4 to FIG. 11. The memory is mainly used to store software programs and data. The radio frequency circuit is mainly used for conversion between baseband signals and radio frequency signals and for processing radio frequency signals. The antenna is mainly used to send and receive radio frequency signals in the form of electromagnetic waves. The communication apparatus 1400 may further include an input/output apparatus such as a touch screen, a display or a keyboard, mainly used to receive data input by the user and to output data to the user. Note that some types of communication apparatus 1400 may have no input/output apparatus.
After the communication apparatus 1400 is powered on, the processor can read the software program in the storage unit, interpret and execute it, and process its data. When data needs to be sent wirelessly, the processor performs baseband processing on the data to be sent and outputs a baseband signal to the radio frequency circuit; the radio frequency circuit performs radio frequency processing on the baseband signal and sends the resulting radio frequency signal out through the antenna as electromagnetic waves. When data is sent to the communication apparatus 1400, the radio frequency circuit receives a radio frequency signal through the antenna, converts it into a baseband signal and outputs the baseband signal to the processor, which converts it into data and processes that data.
Those skilled in the art will understand that, for ease of description, FIG. 14 shows only one memory and one processor. An actual communication apparatus 1400 may contain multiple processors and memories. The memory may also be called a storage medium, a storage device or the like; the embodiments of this application place no limitation on this.
As an optional implementation, the processor may include a baseband processor and a central processing unit (CPU): the baseband processor is mainly used to process communication protocols and communication data, and the CPU is mainly used to control the entire communication apparatus 1400, execute software programs and process their data. Optionally, the processor may also be a network processor (NP) or a combination of a CPU and an NP. The processor may further include a hardware chip, which may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD) or a combination of the two. The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL) or any combination thereof. The memory may include volatile memory, such as random-access memory (RAM); it may also include non-volatile memory, such as flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); and it may include a combination of the above types of memory.
By way of example, in this embodiment of this application, as shown in FIG. 14, the antenna and radio frequency circuit with transceiver functions may be regarded as the communication unit 1401 of the communication apparatus 1400, and the processor with processing functions as its processing unit 1402.
The communication unit 1401 may also be called a transceiver, a transceiver apparatus, a transceiver unit or the like, and is used to implement the transceiver function. Optionally, the component of the communication unit 1401 that implements the receiving function may be regarded as a receiving unit and the component that implements the sending function as a sending unit, that is, the communication unit 1401 includes a receiving unit and a sending unit. By way of example, the receiving unit may also be called a receiver or a receiving circuit, and the sending unit may be called a transmitter or a transmitting circuit.
In some embodiments, the communication unit 1401 and the processing unit 1402 may be integrated into one component or separated into different components; likewise, the processor and the memory may be integrated into one component or separated into different components.
The communication unit 1401 may be used to perform the transceiving operations of the communication apparatus 1400 in the foregoing method embodiments, and the processing unit 1402 may be used to perform its data processing operations.
An embodiment of this application further provides a computer-readable storage medium storing instructions which, when run on a processor, implement the method flow of the foregoing method embodiments.
An embodiment of this application further provides a computer program product which, when run on a processor, implements the method flow of the foregoing method embodiments.
Note that, for simplicity of description, each of the foregoing method embodiments is expressed as a series of combined actions; those skilled in the art should understand, however, that this application is not limited by the described order of actions, because according to this application some operations may be performed in another order or concurrently. Those skilled in the art should also understand that the embodiments described in this specification are all preferred embodiments, and the actions and modules involved are not necessarily required by this application.
The descriptions of the embodiments provided in this application may refer to one another; each description has its own emphasis, and for parts not described in detail in one embodiment, reference may be made to the relevant description of other embodiments. For convenience and brevity, for example, the functions of and operations performed by each apparatus and device provided in the embodiments of this application may be understood by reference to the relevant description of the method embodiments, and the method embodiments and the apparatus embodiments may likewise refer to, be combined with or cite one another.
Finally, it should be noted that the above embodiments are intended only to illustrate the technical solutions of this application, not to limit them. Although this application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some or all of their technical features replaced by equivalents, and that such modifications or replacements do not take the essence of the corresponding technical solutions outside the scope of the technical solutions of the embodiments of this application.

Claims (38)

  1. An information sending method, characterized in that the method is applied to a communication system including a first terminal device and a second terminal device; the communication system further includes a first subscription server corresponding to the first terminal device and a second subscription server corresponding to the second terminal device; the first terminal device has a first identity, the second terminal device has a second identity, the first terminal device is the calling party of the communication and the second terminal device is the called party of the communication; the method includes:
    the second subscription server receiving first identification information from a first server, where the first identification information includes a third identity of the first terminal device and a fourth identity of the second terminal device, the third identity being an identity obtained by encrypting the first identity and the fourth identity being an identity obtained by encrypting the second identity, or the first identification information includes one of the first identity and the second identity together with a fifth identity obtained by encrypting the other of the first identity and the second identity;
    the second subscription server sending a first request to the first subscription server, where the first request carries the first identification information and is used to request the first identity and/or the second identity;
    the second subscription server receiving a first response from the first subscription server, where the first response carries the first identity and/or the second identity;
    the second subscription server obtaining second identification information according to the first identity and/or the second identity, where the second identification information includes a sixth identity of the first terminal device and a seventh identity of the second terminal device, the sixth identity being an identity obtained by encrypting the first identity and the seventh identity being an identity obtained by encrypting the second identity, or the second identification information includes one of the first identity and the second identity together with an eighth identity obtained by encrypting the other of the first identity and the second identity;
    the second subscription server sending the second identification information to the first server.
  2. The method according to claim 1, characterized in that the sixth identity is an identity obtained by encrypting the first identity with a fourth key, the seventh identity is an identity obtained by encrypting the second identity with a fifth key, and the eighth identity is an identity obtained by encrypting the other of the first identity and the second identity with a sixth key.
  3. The method according to claim 2, characterized in that the fifth key is a public key of the second terminal device.
  4. An information sending method, characterized in that the method is applied to a communication system including a first terminal device and a second terminal device; the communication system further includes a second subscription server corresponding to the second terminal device; the first terminal device has a first identity, the second terminal device has a second identity, the first terminal device is the calling party of the communication and the second terminal device is the called party of the communication; the method includes:
    a first server obtaining first identification information from the first terminal device, where the first identification information includes a third identity of the first terminal device and a fourth identity of the second terminal device, the third identity being an identity obtained by encrypting the first identity and the fourth identity being an identity obtained by encrypting the second identity, or the first identification information includes one of the first identity and the second identity together with a fifth identity obtained by encrypting the other of the first identity and the second identity;
    the first server determining the second subscription server according to at least one of the parameters in the fourth identity of the second terminal device, where the parameters include a country code and a national destination code, or include a country code, a national destination code and a routing indicator;
    the first server sending the first identification information to the second subscription server.
  5. The method according to claim 4, characterized in that the method further includes:
    the first server receiving second identification information from the second subscription server, where the second identification information includes a sixth identity of the first terminal device and a seventh identity of the second terminal device, the sixth identity being an identity obtained by encrypting the first identity and the seventh identity being an identity obtained by encrypting the second identity, or the second identification information includes one of the first identity and the second identity together with an eighth identity obtained by encrypting the other of the first identity and the second identity;
    the first server sending the second identification information to the second terminal device.
  6. An information sending method, characterized in that the method is applied to a communication system including a first terminal device and a second terminal device; the communication system further includes a first subscription server corresponding to the first terminal device and a second subscription server corresponding to the second terminal device; the first terminal device has a first identity, the second terminal device has a second identity, the first terminal device is the calling party of the communication and the second terminal device is the called party of the communication; the method includes:
    the first subscription server receiving a first request from the second subscription server, where the first request is used to request the first identity and/or the second identity and carries first identification information, the first identification information including a third identity of the first terminal device and a fourth identity of the second terminal device, the third identity being an identity obtained by encrypting the first identity and the fourth identity being an identity obtained by encrypting the second identity, or the first identification information including one of the first identity and the second identity together with a fifth identity obtained by encrypting the other of the first identity and the second identity;
    the first subscription server sending a first response to the second subscription server, where the first response carries the first identity and/or the second identity.
  7. The method according to claim 6, characterized in that the method further includes:
    the first subscription server decrypting the third identity with a first key to obtain the first identity, and/or the first subscription server decrypting the fourth identity with a second key to obtain the second identity, or the first subscription server decrypting the fifth identity with a third key to obtain the other of the first identity and the second identity.
  8. An information sending method, characterized in that the method is applied to a communication system including a first terminal device and a second terminal device; the first terminal device has a first identity, the second terminal device has a second identity, the first terminal device is the calling party of the communication and the second terminal device is the called party of the communication; the method includes:
    the first terminal device determining first identification information, where the first identification information includes a third identity of the first terminal device and a fourth identity of the second terminal device, the third identity being an identity obtained by encrypting the first identity and the fourth identity being an identity obtained by encrypting the second identity, or the first identification information includes one of the first identity and the second identity together with a fifth identity obtained by encrypting the other of the first identity and the second identity;
    the first terminal device sending the first identification information to a first server.
  9. The method according to any one of claims 1 to 8, characterized in that the third identity is an identity obtained by encrypting the first identity with a first key, the fourth identity is an identity obtained by encrypting the second identity with a second key, and the fifth identity is an identity obtained by encrypting the other of the first identity and the second identity with a third key.
  10. The method according to any one of claims 1 to 9, characterized in that the fourth identity is an identity obtained by the first terminal device encrypting the second identity with a second key;
    the third identity is an identity obtained by the first terminal device encrypting the first identity with a first key; or the third identity is an identity obtained by the first subscription server corresponding to the first terminal device encrypting the first identity with a first key.
  11. The method according to any one of claims 1 to 10, characterized in that the fifth identity is an identity obtained by the first terminal device encrypting the other of the first identity and the second identity with a third key, or the fifth identity is an identity obtained by the first subscription server corresponding to the first terminal device encrypting the other of the first identity and the second identity with a third key.
  12. The method according to claim 7 and any one of claims 9 to 11, characterized in that at least one of the first key, the second key and the third key is a key shared between the first subscription server and the first terminal device;
    or at least one of the first key, the second key and the third key is a key generated by the first subscription server from a long-term key of the first terminal device and a random number;
    or at least one of the first key, the second key and the third key is a key generated by the first subscription server and the first terminal device according to a target algorithm.
  13. An information sending method, characterized in that the method is applied to a communication system including a first terminal device and a second terminal device; the first terminal device has a first identity, the second terminal device has a second identity, the first terminal device is the calling party of the communication and the second terminal device is the called party of the communication; the method includes:
    the second terminal device receiving second identification information from a first server, where the second identification information includes a sixth identity of the first terminal device and a seventh identity of the second terminal device, the sixth identity being an identity obtained by encrypting the first identity and the seventh identity being an identity obtained by encrypting the second identity, or the second identification information includes one of the first identity and the second identity together with an eighth identity obtained by encrypting the other of the first identity and the second identity;
    the second terminal device decrypting the second identification information to obtain the first identity and/or the second identity.
  14. The method according to claim 13, characterized in that the second terminal device decrypting the second identification information to obtain the first identity and/or the second identity includes:
    the second terminal device decrypting the sixth identity with a fourth key to obtain the first identity, decrypting the seventh identity with a seventh key to obtain the second identity, or decrypting the eighth identity with a sixth key to obtain the other of the first identity and the second identity.
  15. The method according to claim 14, characterized in that the seventh key is the private key corresponding to the public key of the second terminal device.
  16. The method according to any one of claim 2 and claim 14, characterized in that at least one of the fourth key, the fifth key and the sixth key is a key shared between the second subscription server and the second terminal device;
    or at least one of the fourth key, the fifth key and the sixth key is a key generated from a long-term key of the second terminal device and a random number.
  17. The method according to any one of claims 1 to 16, characterized in that the first server is an interrogating call session control function (I-CSCF) of the network in which the second terminal device is located, or a routing proxy node of the network in which the second terminal device is located.
  18. An information sending apparatus, characterized in that the information sending apparatus is applied in a second subscription server corresponding to a second terminal device, the second subscription server being included in a communication system, the communication system further including a first terminal device, the second terminal device, and a first subscription server corresponding to the first terminal device; the first terminal device has a first identity, the second terminal device has a second identity, the first terminal device is the calling party of the communication, and the second terminal device is the called party of the communication; the information sending apparatus comprises:
    a communication unit, configured to receive first identification information from a first server, the first identification information including a third identity of the first terminal device and a fourth identity of the second terminal device, the third identity being an identity obtained by encrypting the first identity and the fourth identity being an identity obtained by encrypting the second identity; or the first identification information including one of the first identity and the second identity, and a fifth identity obtained by encrypting the other of the first identity and the second identity;
    the communication unit, further configured to send a first request to the first subscription server, the first request carrying the first identification information, and the first request being used to request the first identity and/or the second identity;
    the communication unit, further configured to receive a first response from the first subscription server, the first response carrying the first identity and/or the second identity;
    a processing unit, configured to obtain second identification information according to the first identity and/or the second identity, the second identification information including a sixth identity of the first terminal device and a seventh identity of the second terminal device, the sixth identity being an identity obtained by encrypting the first identity and the seventh identity being an identity obtained by encrypting the second identity; or the second identification information including one of the first identity and the second identity, and an eighth identity obtained by encrypting the other of the first identity and the second identity;
    the communication unit, further configured to send the second identification information to the first server.
  19. The apparatus according to claim 18, characterized in that the sixth identity is an identity obtained by encrypting the first identity with a fourth key, the seventh identity is an identity obtained by encrypting the second identity with a fifth key, and the eighth identity is an identity obtained by encrypting the other of the first identity and the second identity with a sixth key.
  20. The apparatus according to claim 19, characterized in that the fifth key is a public key of the second terminal device.
  21. An information sending apparatus, characterized in that the information sending apparatus is applied in a first server, the apparatus comprising:
    a processing unit, configured to obtain first identification information from a first terminal device;
    the first terminal device being included in a communication system, the communication system further including a second terminal device and a second subscription server corresponding to the second terminal device; the first terminal device has a first identity, the second terminal device has a second identity, the first terminal device is the calling party of the communication, and the second terminal device is the called party of the communication;
    the first identification information including a third identity of the first terminal device and a fourth identity of the second terminal device, the third identity being an identity obtained by encrypting the first identity and the fourth identity being an identity obtained by encrypting the second identity; or the first identification information including one of the first identity and the second identity, and a fifth identity obtained by encrypting the other of the first identity and the second identity;
    the processing unit, further configured to determine the second subscription server according to at least one of the parameters in the fourth identity of the second terminal device, the parameters including a country code and a national destination code, or including a country code, a national destination code and a routing indicator;
    a communication unit, configured to send the first identification information to the second subscription server.
  22. The apparatus according to claim 21, characterized in that:
    the communication unit is further configured to receive second identification information from the second subscription server, the second identification information including a sixth identity of the first terminal device and a seventh identity of the second terminal device, the sixth identity being an identity obtained by encrypting the first identity and the seventh identity being an identity obtained by encrypting the second identity; or the second identification information including one of the first identity and the second identity, and an eighth identity obtained by encrypting the other of the first identity and the second identity;
    the communication unit is further configured to send the second identification information to the second terminal device.
  23. An information sending apparatus, characterized in that the information sending apparatus is applied in a first subscription server corresponding to a first terminal device, the first subscription server corresponding to the first terminal device being included in a communication system, the communication system further including the first terminal device, a second terminal device, and a second subscription server corresponding to the second terminal device; the first terminal device has a first identity, the second terminal device has a second identity, the first terminal device is the calling party of the communication, and the second terminal device is the called party of the communication; the apparatus comprises:
    a communication unit, configured to receive a first request from the second subscription server, the first request being used to request the first identity and/or the second identity, the first request carrying first identification information, the first identification information including a third identity of the first terminal device and a fourth identity of the second terminal device, the third identity being an identity obtained by encrypting the first identity and the fourth identity being an identity obtained by encrypting the second identity; or the first identification information including one of the first identity and the second identity, and a fifth identity obtained by encrypting the other of the first identity and the second identity;
    the communication unit, further configured to send a first response to the second subscription server, the first response carrying the first identity and/or the second identity.
  24. The apparatus according to claim 23, characterized in that the apparatus further comprises:
    a processing unit, configured to decrypt the third identity using a first key to obtain the first identity, and/or the first subscription server decrypts the fourth identity using a second key to obtain the second identity; or the first subscription server decrypts the fifth identity using a third key to obtain the other of the first identity and the second identity.
  25. An information sending apparatus, characterized in that the information sending apparatus is applied in a first terminal device, the first terminal device being included in a communication system, the communication system further including a second terminal device; the first terminal device has a first identity, the second terminal device has a second identity, the first terminal device is the calling party of the communication, and the second terminal device is the called party of the communication; the apparatus comprises:
    a processing unit, configured to determine first identification information, the first identification information including a third identity of the first terminal device and a fourth identity of the second terminal device, the third identity being an identity obtained by encrypting the first identity and the fourth identity being an identity obtained by encrypting the second identity; or the first identification information including one of the first identity and the second identity, and a fifth identity obtained by encrypting the other of the first identity and the second identity;
    a communication unit, configured to send the first identification information to a first server.
  26. The apparatus according to any one of claims 18 to 25, characterized in that the third identity is an identity obtained by encrypting the first identity with a first key, the fourth identity is an identity obtained by encrypting the second identity with a second key, and the fifth identity is an identity obtained by encrypting the other of the first identity and the second identity with a third key.
  27. The apparatus according to any one of claims 18 to 26, characterized in that the fourth identity is an identity obtained by the first terminal device encrypting the second identity with a second key;
    the third identity is an identity obtained by the first terminal device encrypting the first identity with a first key; or, the third identity is an identity obtained by the first subscription server corresponding to the first terminal device encrypting the first identity with a first key.
  28. The apparatus according to any one of claims 18 to 27, characterized in that the fifth identity is an identity obtained by the first terminal device encrypting the other of the first identity and the second identity with a third key; or, the fifth identity is an identity obtained by the first subscription server corresponding to the first terminal device encrypting the other of the first identity and the second identity with a third key.
  29. The apparatus according to claim 24 or any one of claims 26 to 28, characterized in that at least one of the first key, the second key and the third key is a key shared between the first subscription server and the first terminal device;
    or, at least one of the first key, the second key and the third key is a key generated by the first subscription server from a long-term key of the first terminal device and a random number;
    or, at least one of the first key, the second key and the third key is a key generated by the first subscription server and the first terminal device according to a target algorithm.
  30. An information sending apparatus, characterized in that the information sending apparatus is applied in a second terminal device, the second terminal device being included in a communication system, the communication system further including a first terminal device; the first terminal device has a first identity, the second terminal device has a second identity, the first terminal device is the calling party of the communication, and the second terminal device is the called party of the communication; the apparatus comprises:
    a communication unit, configured to receive second identification information from a first server, the second identification information including a sixth identity of the first terminal device and a seventh identity of the second terminal device, the sixth identity being an identity obtained by encrypting the first identity and the seventh identity being an identity obtained by encrypting the second identity; or the second identification information including one of the first identity and the second identity, and an eighth identity obtained by encrypting the other of the first identity and the second identity;
    a processing unit, configured to decrypt the second identification information to obtain the first identity and/or the second identity.
  31. The apparatus according to claim 30, characterized in that the processing unit decrypting the second identification information to obtain the first identity and/or the second identity specifically comprises:
    decrypting the sixth identity using a fourth key to obtain the first identity, decrypting the seventh identity using a seventh key to obtain the second identity, or decrypting the eighth identity using a sixth key to obtain the other of the first identity and the second identity.
  32. The apparatus according to claim 31, characterized in that the seventh key is a private key corresponding to the public key of the second terminal device.
  33. The apparatus according to any one of claim 19 and claim 31, characterized in that at least one of the fourth key, the fifth key and the sixth key is a key shared between the second subscription server and the second terminal device;
    or, at least one of the fourth key, the fifth key and the sixth key is a key generated from a long-term key of the second terminal device and a random number.
  34. The apparatus according to any one of claims 18 to 33, characterized in that the first server is an Interrogating Call Session Control Function (I-CSCF) of the network in which the second terminal device is located, or a routing proxy node of the network in which the second terminal device is located.
  35. A communication apparatus, characterized in that the communication apparatus comprises a processor, and when the processor executes a computer program in a memory, the method according to any one of claims 1 to 17 is performed.
  36. A communication apparatus, characterized by comprising: a processor and a memory;
    the memory, configured to store a computer program;
    the processor, configured to execute the computer program stored in the memory, such that when the program is executed, the communication apparatus implements the method according to any one of claims 1 to 17.
  37. A computer-readable storage medium, characterized in that it is used for storing a computer program which, when run on a computer, causes the computer to perform the method according to any one of claims 1 to 17.
  38. A computer program product, characterized in that it comprises computer instructions which, when run on a computer, cause the computer to perform the method according to any one of claims 1 to 17.
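The end-to-end flow of claims 18 to 34, as an added Python model that is not part of the patent and not Huawei code. It assumes the shared-key option of claims 29 and 33 (not the public-key variant of claims 20 and 32), a toy HMAC-SHA256 stream cipher in place of a real cipher, a constructed identity layout "cc-ndc-subscriber" in which the country code and national destination code stay in the clear so the first server can route on them (claim 21), a key identifier carried in the clear, and a directory mapping (cc, ndc) to a subscription server; every message crossing the first server is recorded so the caller can check that no plaintext subscriber identity transits that hop.

```python
import hashlib
import hmac
import os

NONCE_LEN = 12


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher (HMAC-SHA256 in counter mode) standing in for a real
    # cipher; XOR is its own inverse, so the same call encrypts and decrypts.
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def routing_params(identity: str) -> tuple:
    # Assumed layout "cc-ndc-subscriber": country code and national destination
    # code (the routable parameters of claim 21) are never encrypted.
    cc, ndc, _ = identity.split("-", 2)
    return cc, ndc


def encrypt_identity(kid: str, key: bytes, identity: str) -> str:
    # Only the subscriber part is hidden; kid (a constructed key identifier)
    # tells the key holder which shared key to use when decrypting.
    cc, ndc, subscriber = identity.split("-", 2)
    nonce = os.urandom(NONCE_LEN)
    blob = nonce + _keystream_xor(key, nonce, subscriber.encode())
    return f"{cc}-{ndc}-{kid}.{blob.hex()}"


def decrypt_identity(keys: dict, enc_identity: str) -> str:
    cc, ndc, rest = enc_identity.split("-", 2)
    kid, blob_hex = rest.split(".", 1)
    blob = bytes.fromhex(blob_hex)
    subscriber = _keystream_xor(keys[kid], blob[:NONCE_LEN], blob[NONCE_LEN:])
    return f"{cc}-{ndc}-{subscriber.decode()}"


def run_call(caller_id: str, callee_id: str) -> dict:
    # Constructed keys: k1/k2 shared by UE1 and HSS1 (claim 29, first option),
    # k4/k5 shared by UE2 and HSS2 (claim 33, first option).
    keys = {"HSS1": {"k1": os.urandom(32), "k2": os.urandom(32)},
            "HSS2": {"k4": os.urandom(32), "k5": os.urandom(32)}}
    # Assumed directory: which subscription server serves a given (cc, ndc).
    directory = {routing_params(caller_id): "HSS1", routing_params(callee_id): "HSS2"}
    transit = []  # every message crossing the first server (I-CSCF, claim 34)

    # Claims 25-27: UE1 builds the first identification information (third and
    # fourth identities) with the keys it shares with its own HSS1.
    third_id = encrypt_identity("k1", keys["HSS1"]["k1"], caller_id)
    fourth_id = encrypt_identity("k2", keys["HSS1"]["k2"], callee_id)
    transit.append(("UE1 -> first server", (third_id, fourth_id)))

    # Claim 21: the first server selects HSS2 from the cleartext cc/ndc of the
    # fourth identity and forwards the first identification information to it.
    hss2 = directory[routing_params(fourth_id)]

    # Claims 18, 23, 24: HSS2 sends the first request to HSS1 (assumed: located
    # from the caller's cc/ndc); HSS1 decrypts and returns both identities.
    hss1 = directory[routing_params(third_id)]
    first_id = decrypt_identity(keys[hss1], third_id)
    second_id = decrypt_identity(keys[hss1], fourth_id)

    # Claims 18, 19, 22: HSS2 re-encrypts them as the sixth and seventh
    # identities with the keys shared with UE2 and returns them via the first server.
    sixth_id = encrypt_identity("k4", keys[hss2]["k4"], first_id)
    seventh_id = encrypt_identity("k5", keys[hss2]["k5"], second_id)
    transit.append(("HSS2 -> first server -> UE2", (sixth_id, seventh_id)))

    # Claims 30, 31: UE2 decrypts with the fourth key and the callee-side key
    # (the seventh key, which equals the fifth key in this symmetric model).
    callee_sees = (decrypt_identity(keys[hss2], sixth_id),
                   decrypt_identity(keys[hss2], seventh_id))

    # Defender's check: no subscriber part may appear in clear on the transit hop.
    secrets = {caller_id.split("-", 2)[2], callee_id.split("-", 2)[2]}
    leaked = any(s in m for _, msgs in transit for m in msgs for s in secrets)
    return {"hss2": hss2, "callee_sees": callee_sees,
            "leaked_in_transit": leaked, "transit": transit}
```

Calling `run_call("86-10-alice", "44-20-bob")` returns the callee's recovered identities together with the messages the first server saw, none of which contains a subscriber part in the clear.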
PCT/CN2021/130084 (priority date 2020-11-12, filing date 2021-11-11): Information sending method and apparatus, WO2022100666A1 (en)

Applications Claiming Priority (2)

CN202011262056.6, priority date 2020-11-12
CN202011262056.6A (CN114501417B, en), priority date 2020-11-12, filing date 2020-11-12: Information sending method and device

Publications (1)

WO2022100666A1 (en), publication date 2022-05-19

Family

ID=81490452

Family Applications (1)

PCT/CN2021/130084, WO2022100666A1 (en), priority date 2020-11-12, filing date 2021-11-11: Information sending method and apparatus

Country Status (2)

Country Link
CN (1) CN114501417B (en)
WO (1) WO2022100666A1 (en)

Also Published As

CN114501417B (en), publication date 2024-07-23
CN114501417A (en), publication date 2022-05-13

Legal Events

121 Ep: the epo has been informed by wipo that ep was designated in this application (ref document number 21891186; country of ref document: EP; kind code of ref document: A1)
NENP: Non-entry into the national phase (ref country code: DE)
122 Ep: pct application non-entry in european phase (ref document number 21891186; country of ref document: EP; kind code of ref document: A1)