
CN120302289A - Core network IMS joint authentication access method and system - Google Patents


Info

Publication number
CN120302289A
Authority
CN
China
Prior art keywords
core network
joint
joint authentication
user
authentication token
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202510439688.1A
Other languages
Chinese (zh)
Inventor
王凌露
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Aipu Road Network Technology Nanjing Co ltd
Original Assignee
Aipu Road Network Technology Nanjing Co ltd

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract


The present invention discloses a core network IMS joint authentication access method. The core network receives an initial registration request from a UE; the request includes a user permanent identifier and a joint authentication request identifier. Based on the joint authentication request identifier, the core network triggers a joint authentication procedure, generates a joint authentication token, pushes it synchronously to the IP Multimedia Subsystem, and adds the JAT value of the token to the authentication success response sent to the UE, so that the UE successfully accesses the 5G core network. The IP Multimedia Subsystem binds the joint authentication token to the UE's user permanent identifier and marks the UE's registration status as pre-authentication completed, so that when the user subsequently registers with the IP Multimedia Subsystem, the AKA authentication procedure is skipped and the UE's identity is verified directly from the joint authentication token. Compared with the prior art, the invention can significantly reduce network load and latency, improve network resource utilization and response speed, and enhance network stability under high-concurrency conditions.

Description

IMS joint authentication access method and system for core network
Technical Field
The invention relates to the field of communication, in particular to a core network IMS joint authentication access method.
Background
In modern communication networks, user equipment (UE) must complete identity authentication through its USIM card to secure network access. In 5G and in the IP Multimedia Subsystem (IMS), the authentication flow involves the following steps:
Core network authentication: the UE sends an authentication request to the core network, and the HSS/UDM verifies the user's identity and generates a key. The 5G authentication mechanism protects the user identity by public-key encryption, using the SUPI (subscription permanent identifier) and the SUCI (the encrypted SUPI).
IMS authentication: the UE must send the same authentication request again to the IP Multimedia Subsystem; the IMS obtains an authentication vector from the HSS and completes mutual authentication. The IMS authentication mechanism is based on the AKA (Authentication and Key Agreement) protocol and performs mutual authentication using the key shared between the ISIM card and the HSS.
However, the prior art has the following problems:
1. Dual authentication causes signaling redundancy: the IMS and the core network each process the same authentication request, the HSS/UDM computes the authentication vector twice, and the signaling load increases.
2. Signaling storm risk: when the number of users surges, the double authentication flow aggravates network congestion and prolongs fault recovery time.
3. Resource waste: the two authentications consume computing resources and bandwidth, reducing network efficiency.
Therefore, there is an urgent need for a core network IMS joint authentication access method that can solve the above-mentioned problems.
Disclosure of Invention
The invention aims to provide a core network IMS joint authentication access method and a system, which can obviously reduce network load and time delay.
To achieve this purpose, the invention provides a core network IMS joint authentication access method. The core network receives an initial registration request from a UE, the request comprising a user permanent identifier and a joint authentication request identifier. The core network triggers a joint authentication flow according to the joint authentication request identifier, synchronously pushes the joint authentication token and user context information to the IP Multimedia Subsystem according to the user permanent identifier, and adds the joint authentication token to an authentication success response returned to the UE, so that the UE successfully accesses the 5G core network; the user context information comprises the user permanent identifier. The IP Multimedia Subsystem binds the joint authentication token to the user permanent identifier of the UE and marks the registration state of the UE as pre-authentication completed, so that when the user subsequently initiates registration with the IP Multimedia Subsystem, the identity of the UE is verified directly from the joint authentication token.
Preferably, before randomly generating the joint authentication token according to the user permanent identifier, the core network also generates an authentication vector to obtain a shared key, derives a service key and an access stratum key from the shared key, and transmits the service key and the access stratum key to the AMF network element of the core network for subsequent air-interface encryption and communication security protection. This scheme has the core network derive the service key and the access stratum key uniformly from the shared key, simplifying the otherwise complex key management process. Because the shared key is derived uniformly by the core network and is independent of the encryption key in the IMS, the risk of a linked key leak is avoided.
Preferably, the core network randomly generates the joint authentication token according to the user permanent identifier and the shared key. The joint authentication token comprises a JAT value, a JAT validity period and an integrity check code, and the JAT validity period is bound to the validity period of the shared key. The invention binds the lifetime of the JAT validity period to that of the shared key and, based on the time-bound integrity check code, the core network synchronously updates the joint authentication token to the IMS, ensuring that the token cannot be forged and is valid for a single use. Moreover, the dynamic JAT mechanism, built on time-bound integrity check code verification and key isolation, reduces redundant computation, effectively resists replay attacks and man-in-the-middle threats, and markedly improves security compared with traditional double authentication.
Specifically, the core network randomly generates the joint authentication token according to the user permanent identifier, the time stamp, the random number and the shared key, so that the security of the joint authentication token is further improved.
More specifically, the joint authentication token is obtained by feeding the user permanent identifier, the time stamp, the random number and the shared key into an HMAC algorithm; the time stamp, the random number and the shared key are processed in a single HMAC computation, so one HMAC calculation replaces multiple encryption operations and computing resource consumption is reduced by 30%.
The method further comprises: after receiving the authentication success response, the UE monitors the JAT validity period and, when the joint authentication token is close to expiry, sends a token update request to the core network; the core network regenerates the joint authentication token according to the token update request and synchronizes it to the IP Multimedia Subsystem.
Specifically, when the IP Multimedia Subsystem receives a SIP registration request carrying a JAT value from the UE, it verifies the validity of the joint authentication token corresponding to that JAT value. If the token is valid, the registration information of the UE is marked as registered, the IP address and the JAT validity period of the UE are recorded, and a request-granted response is returned to the UE, so that the UE successfully accesses the IP Multimedia Subsystem. If the token is invalid, a request-refused response is returned to the UE and the standard IMS AKA flow is executed for SIP registration verification. When registration with the joint authentication token is not possible, the original SIP registration flow is switched to automatically, ensuring service continuity.
More specifically, the user context information further includes the JAT validity period and the IP address of the UE, which is allocated by the core network. After confirming that the joint authentication token is valid, the IP Multimedia Subsystem further determines whether the user context information corresponding to the JAT value is consistent. If so, it marks the registration information of the UE as registered and returns a request-granted response to the UE; if not, it triggers the context synchronization mechanism between the core network and the IP Multimedia Subsystem, synchronously updates the joint authentication token and the user context information from the core network, and performs the consistency verification of the user context information again.
Preferably, the user permanent identifier in the initial registration request is a user permanent identifier encrypted by the UE using a public key, and after the core network receives the initial registration request, the core network decrypts the user permanent identifier using a private key and verifies the validity of the user, and executes the next step to continue the joint authentication flow when the UE is legal.
The invention also provides a core network IMS joint authentication access system comprising a core network and an IP Multimedia Subsystem. The core network comprises an interface module for communicating with the UE, an authentication management module, and a communication module for communicating with the IP Multimedia Subsystem. The interface module receives the initial registration request sent by the UE and parses the user permanent identifier and the joint authentication request identifier in it to trigger the joint authentication program. After the joint authentication program is triggered, the authentication management module generates a joint authentication token according to the user permanent identifier, synchronously pushes the joint authentication token and user context information to the IP Multimedia Subsystem through the communication module, and returns a joint authentication success response to the UE through the interface module; the user context information comprises the user permanent identifier. The IP Multimedia Subsystem receives the joint authentication token and the user permanent identifier, parses them to trigger the joint authentication program, marks the registration state of the UE as pre-authentication completed, and directly authenticates the user from the joint authentication token when the user later initiates registration with the IP Multimedia Subsystem.
Preferably, the interface module is an AMF network element, the communication module is a NEF network element, and the authentication management module comprises an AUSF network element and a UDM network element. The AMF network element sends the user permanent identifier to the AUSF network element and triggers the joint authentication program; the AUSF network element requests the UDM network element to decrypt the user permanent identifier; the UDM network element decrypts the user permanent identifier, generates a joint authentication token according to it, returns the user permanent identifier and the joint authentication token to the AUSF network element, and synchronously pushes the joint authentication token and user context information to the IP Multimedia Subsystem through the NEF network element; the AUSF network element adds the joint authentication token to an authentication success response and sends it to the UE through the AMF network element.
Compared with the traditional IMS, which must independently initiate AKA authentication and requires two interactions with the HSS, the invention simplifies IMS authentication to a single token verification, achieves cross-system mutual authentication using the dynamically generated joint authentication token, reduces repeated authentication requests between the core network and the IMS (IP Multimedia Subsystem), cuts the number of signaling interactions by more than 50 percent, markedly reduces network load and latency, improves network resource utilization and response speed, and enhances network stability in high-concurrency scenarios. In addition, each time the core network generates a joint authentication token it automatically pushes it to the IMS side, ensuring that the IMS always holds the latest joint authentication token.
Drawings
Fig. 1 is a flow chart of the core network IMS joint authentication access method of the present invention.
Fig. 2 is a block diagram of the core network IMS joint authentication access system of the present invention.
Detailed Description
In order to describe the technical content, the constructional features, the achieved objects and effects of the present invention in detail, the following description is made in connection with the embodiments and the accompanying drawings.
Referring to fig. 1 and 2, the present invention discloses a core network IMS joint authentication access system including a core network and an IP Multimedia Subsystem (IMS), the core network IMS joint authentication access system being configured to perform a core network IMS joint authentication access method. The core network IMS joint authentication access method comprises steps S1 to S8.
S1, the UE sends an initial registration request (a NAS message) to the 5G core network through the gNB (base station); the initial registration request includes a user permanent identifier and a joint authentication request identifier. The core network in this embodiment is a 5G core network; the same core network may also be used to form a 6G network, in which case the core network IMS joint authentication access method and system of the invention are those of the 6G network.
The user permanent identifier here is an encrypted user permanent identifier. Specifically, the UE encrypts the user permanent identifier SUPI with the public key of the 5G core network to produce an encrypted user permanent identifier, also referred to as the encrypted temporary identifier SUCI. The SUCI complies with the 3GPP TS 33.501 specification.
The UE establishes a connection with a base station through RRC (radio resource control) and transmits an initial registration request (NAS message). The request identifier of the combined authentication in the initial registration request is the request type of the combined authentication, and is an identifier of the combined authentication.
Wherein the initial registration request further includes a security function type (UE Security Capabilities) of the UE.
S2, the 5G core network receives an initial registration request of the UE and generates a joint authentication token (JAT, joint authentication token).
Specifically, the 5G core network receives the initial registration request (NAS message) forwarded by the base station, parses it, obtains the encrypted user permanent identifier (SUCI) and the joint authentication request identifier, triggers the joint authentication process according to the joint authentication request identifier, randomly generates a joint authentication token (JAT) according to the user permanent identifier, allocates an IP address to the UE, synchronously pushes the joint authentication token and user context information to the IP Multimedia Subsystem, and sends the joint authentication token and associated parameters to the UE in an authentication success response, so that the UE successfully accesses the 5G core network. The user context information comprises the IP address of the UE and the user permanent identifier, and the associated parameters comprise the token type.
Preferably, the 5G core network generates a joint authentication token randomly according to the user permanent identifier, the time stamp, the random number and the shared key, the user context information and the associated parameters further comprise a JAT validity period, and the JAT validity period is bound with the validity period of the shared key.
Specifically, the 5G core network includes an AMF network element, AUSF network element, SEAF network element, a UDM network element, and a NEF network element. Step S2 specifically includes steps S21 to S26.
S21, the AMF network element receives an initial registration request of the UE sent by the base station, analyzes the encrypted user permanent identifier (SUCI) and the request identifier of the combined authentication, triggers the combined authentication flow, and sends the encrypted user permanent identifier (SUCI) to the AUSF network element.
S22, the AUSF network element sends a request to the UDM network element to decrypt the encrypted user permanent identifier (SUCI) and obtain the user permanent identifier SUPI.
S23, the UDM network element decrypts the user permanent identifier (SUCI) to obtain a decrypted user permanent identifier SUPI, and generates a joint authentication token according to the user permanent identifier SUPI. Specifically, step S23 includes:
S231, the UDM network element decrypts the encrypted user permanent identifier (SUCI) with its private key to recover the user permanent identifier SUPI, and verifies the legitimacy of the user (such as subscription state and service authorization) according to the SUPI. If the user is legitimate, the flow continues to the next step; otherwise the initial registration request is rejected and a reject response is returned to the UE.
S232, the UDM network element generates an authentication vector (RAND, AUTN, XRES*, KAUSF) according to the 5G AKA protocol to obtain a shared key, and derives a service key (e.g., the SEAF key) from the shared key.
S233, the UDM network element generates the joint authentication token according to the user permanent identifier SUPI, the timestamp (Timestamp), the random number (Nonce) and the shared key (e.g. KAUSF), and then stores the joint authentication token in association with the user context information, which includes the JAT validity period (e.g. 3600 seconds), IP address, service type (e.g. VoLTE) and QoS policy. The joint authentication token comprises a JAT value, a JAT validity period and an integrity check code; the JAT validity period is bound to the validity period of the shared key.
The user permanent identifier SUPI, the timestamp (Timestamp), the random number (Nonce) and the shared key (e.g. KAUSF) are fed into HMAC-SHA256 to compute the JAT value, from which the joint authentication token containing the JAT value, the JAT validity period and the integrity check code is obtained.
Specifically, the algorithm for the JAT value is as follows:
Input: the user permanent identifier SUPI, the timestamp (Timestamp), the random number (Nonce) and the shared key (e.g., KAUSF);
Calculation: JAT = HMAC-SHA256(SUPI || Timestamp || Nonce || KAUSF);
Data encapsulation: the JAT is stored in association with the user context information (such as the IP address and QoS policy).
The following is a process for computing and acquiring the joint authentication token:
In summary, the joint authentication token of the present invention includes a JAT value (JAT Value), a JAT validity period (expiration time) and an integrity check code (the HMAC, or the HMAC parameters).
S234, the UDM network element returns the decrypted user permanent identifier SUPI, the authentication vector and the joint authentication token to the AUSF network element.
S235, the UDM network element triggers NEF network element synchronization: it transmits a synchronization notification containing the joint authentication token and the user context information to the NEF network element over a service-based interface internal to the 5G core network (such as the Nudm_DataManagement service).
S24, the NEF network element verifies the legitimacy of the UDM network element (for example via an OAuth 2.0 token or a mutual TLS certificate) and checks the HMAC signature (integrity check code) in the joint authentication token to confirm that the data has not been tampered with.
S25, the AUSF network element receives the user permanent identifier SUPI, the authentication vector and the joint authentication token returned by the UDM network element, and returns the authentication vector (5G AKA challenge, RAND/AUTN) and the joint authentication token to the AMF network element. At the same time, the AUSF network element passes the shared key (KAUSF) and the joint authentication token to the SEAF network element (security anchor function).
S26, the SEAF network element generates a service key (e.g. Kseaf) and an access stratum key (e.g. KgNB) according to the shared key (KAUSF) and the joint authentication token, and transmits them to the AMF network element for subsequent air-interface encryption and integrity protection. The service key (e.g. Kseaf) secures communication between the SEAF and AUSF network elements within the 5G core network. The access stratum key (e.g. KgNB) secures communication between the 5G core network and the base station and UE.
S3, the NEF network element synchronously pushes the joint authentication token and the user context information to the HSS network element of the IP Multimedia Subsystem; the user context information comprises the IP address of the UE and the user permanent identifier, and the associated parameter comprises the token type.
The NEF network element pushes a synchronous authentication request (POST /sync-jat) to the HSS network element of the IP Multimedia Subsystem through the Nnef_DataSync service; the message body carries the joint authentication token and the user context information in JSON or Protobuf format.
S4, the HSS network element of the IP multimedia subsystem stores the joint authentication token, binds the joint authentication token with a user permanent identifier (also can be an IP Multimedia Private Identifier (IMPI)) of the UE, records the user context information and marks the registration state of the UE as pre-authentication completion, so that when the user subsequently initiates registration to the IP multimedia subsystem, the AKA authentication flow is skipped.
The IP multimedia subsystem comprises a P-CSCF network element, an I-CSCF network element, an S-CSCF network element and an HSS network element.
S5, the AUSF network element sends the joint authentication token and the associated parameters to the UE in an authentication success response, through the AMF network element, so that the UE successfully accesses the 5G core network.
The AUSF network element includes the joint authentication token as part of the authentication success response by adding a JAT-Container field to the authentication success response (a 5G NAS (Non-Access Stratum) message); the field comprises the JAT value and the associated parameters (such as the JAT validity period and the token type) and is sent to the UE through the AMF network element. At this point the UE has successfully accessed the 5G core network.
And S6, after receiving the authentication success response, the UE extracts the joint authentication token and the associated parameters, stores the joint authentication token and binds the joint authentication token with the IMS service identifier.
Specifically, after the UE receives the authentication success response, the security module (USIM or terminal TEE) of the UE extracts the JAT value and JAT validity period in the authentication success response, and verifies the validity of the HMAC in the joint authentication token by using the derived key derived from the shared key (verifies the HMAC parameter in the joint authentication token by using the KAUSF derived key). If the verification is successful, the UE stores the combined authentication token in a secure storage area (such as a USIM card or a terminal security chip) and binds with an IMS service identifier (such as an IMPI).
If the joint authentication token fails verification (e.g. the HMAC check fails), the UE triggers a rollback procedure and re-initiates an independent IMS authentication request (the traditional registration authentication procedure): the UE sends authentication requests to the 5G core network and to the IP Multimedia Subsystem respectively; the UDM network element of the 5G core network verifies the user's identity and generates a key, against which the UE's identity is verified; the UE then sends the same authentication request again to the IP Multimedia Subsystem, which obtains an authentication vector through the HSS network element and completes mutual authentication based on the AKA (Authentication and Key Agreement) protocol using the key shared between the ISIM card and the HSS.
After receiving the authentication success response, the UE sends a token update request to the 5G core network according to the monitoring JAT validity period when the joint authentication token is close to expiration; and the 5G core network regenerates a joint authentication token according to the token updating request, synchronizes the joint authentication token to the IP multimedia subsystem, so that the IP multimedia subsystem stores the updated joint authentication token, and binds the updated joint authentication token with a user permanent identifier of the UE.
The step S3 and the step S5 may be performed simultaneously or sequentially without a specific sequence.
S7, when the IMS service is needed, the UE initiates a SIP registration request to the IMS network element by carrying a JAT value.
Specifically, the UE adds a custom field JAT value to the SIP registration request, and sends the SIP registration request carrying the JAT value to a P-CSCF network element (proxy CSCF) of the IP multimedia subsystem.
S8, after the P-CSCF network element of the IP multimedia subsystem receives the SIP registration request, the SIP registration request is forwarded to the I-CSCF network element and then forwarded to the S-CSCF network element. The S-CSCF network element sends MAR (Multimedia-Auth-Request) information to the HSS network element and carries a JAT value, the HSS network element acquires a stored joint authentication token according to the JAT value, verifies the validity of the corresponding verification joint authentication token (whether a time stamp is out of date or whether a hash value is matched or not), updates user registration information of the UE through the S-CSCF network element if the verification is passed, marks the registration information of the UE as registered, records the IP address and the JAT validity period of the UE, and returns a Request permission response to the UE in an original path so that the UE successfully accesses the IP Multimedia subsystem. The request grant response is a MAA (Multimedia-Auth-Answer) message. Wherein, the SIP registration request also carries the user permanent identifier of the UE.
If the validity verification of the combined authentication token is not passed, the HSS network element returns a refusal permission response to the UE in the original path, and executes a standard IMS AKA flow to perform SIP registration verification.
Specifically, the HSS network element of the IP multimedia subsystem further acquires user context information corresponding to the joint authentication token where the HSS network element is located according to the JAT value, verifies whether the user context information corresponding to the joint authentication token is consistent (including whether the user context information is within the JAT validity period, whether the IP address is consistent, etc.), if so, returns a determination result to the S-CSCF network element in an original path, updates user registration information of the UE to the S-CSCF network element, marks the registration information of the UE as registered, records the IP address and JAT validity period of the UE, and returns a request permission response to the UE in the original path, so that the UE successfully accesses the IP multimedia subsystem. If the HSS network element judges that the user context information is inconsistent, triggering a context synchronization mechanism of the 5G core network and the IP multimedia subsystem, synchronously updating the stored joint authentication token and the user context information from the 5G core network through a subscription/notification function of the NEF network, then verifying whether the user context information corresponding to the joint authentication token is consistent again, if the user context information is inconsistent for a plurality of times, returning a refusal permission response to the UE by an original path, and executing a standard IMS AKA flow to perform SIP registration verification. The SIP registration request is sent from the IP address of the user and can be identified and acquired by the IP multimedia subsystem.
In the invention, within the 5G core network the UDM and NEF network elements communicate over the 3GPP service-based interface (SBI) using HTTP/2. Between the 5G core network and the IP multimedia subsystem, the NEF and HSS network elements communicate over an extended Nnef interface (the patent cites 3GPP TS 29.503) that supports a JAT_update operation type. The HSS of the IP multimedia subsystem therefore stores both joint authentication tokens and conventional authentication vectors and supports both registration modes and flows, so that new and legacy systems can coexist and operators can upgrade the network in stages.
UE (User Equipment): user equipment such as a smartphone, an Internet of Things terminal or other device accessing the communication network.
USIM (Universal Subscriber Identity Module): stores the subscriber identity and the secret key used for network authentication and secure communication.
IMS (IP Multimedia Subsystem): core network architecture supporting multimedia services such as voice and video.
5G Core Network: provides efficient data transport and network slicing.
HSS (Home Subscriber Server) / UDM (Unified Data Management): store subscriber subscription data (e.g. SUPI, service entitlements), generate authentication vectors (e.g. 5G AKA parameters) and handle authentication requests.
gNB (Next Generation Node B): the 5G base station, responsible for radio access between the UE and the 5G core network and for physical-layer and RRC-layer signalling.
AMF (Access and Mobility Management Function): responsible for access control, mobility management (e.g. handover), and registration and connection state management for the UE.
AUSF (Authentication Server Function): handles user authentication requests and interacts with the UDM/HSS to complete authentication vector generation.
SEAF (Security Anchor Function): manages the security context between the UE and the 5G core network and derives access stratum keys (e.g. KgNB).
NEF (Network Exposure Function): exposes network capabilities through open interfaces, allowing external systems (e.g. the IMS) to access 5G core network data.
SMF (Session Management Function): manages the establishment, modification and release of user sessions and allocates IP addresses.
P-CSCF (Proxy Call Session Control Function): the ingress node of the IMS network, which receives the UE's SIP requests and forwards them to the I-CSCF/S-CSCF.
I-CSCF (Interrogating CSCF): queries the HSS using the user identity (e.g. IMPI) to determine the S-CSCF serving the user.
S-CSCF (Serving CSCF): the IMS core network element that performs user authentication, session control and service triggering.
Signalling storm: network congestion or collapse caused by signalling requests exceeding the network's processing capacity.
The foregoing description of the preferred embodiments is not intended to limit the scope of the invention, which is defined by the claims that follow.

Claims (10)

1. A core network IMS joint authentication access method, characterized in that it comprises: the core network receiving an initial registration request from a UE, the initial registration request including a user permanent identifier and a joint authentication request identifier; the core network triggering a joint authentication flow according to the joint authentication request identifier, namely randomly generating a joint authentication token based on the user permanent identifier, synchronously pushing the joint authentication token and user context information to the IP multimedia subsystem, and adding the joint authentication token to an authentication success response returned to the UE so that the UE accesses the 5G core network, the user context information including the user permanent identifier; and the IP multimedia subsystem receiving the joint authentication token and the user permanent identifier, binding the joint authentication token to the UE's user permanent identifier, and marking the UE's registration state as pre-authentication completed, so that when the UE subsequently registers with the IP multimedia subsystem its identity is verified directly from the joint authentication token.
2. The core network IMS joint authentication access method of claim 1, characterized in that before randomly generating the joint authentication token based on the user permanent identifier, the core network generates an authentication vector to obtain a shared key, derives a service key and an access stratum key from the shared key, and passes the service key and the access stratum key to the AMF network element of the core network.
3. The core network IMS joint authentication access method of claim 1, characterized in that the core network randomly generates the joint authentication token based on the user permanent identifier and the shared key; the joint authentication token comprises a JAT value, a JAT validity period and an integrity check code, and the JAT validity period is bound to the validity period of the shared key.
4. The core network IMS joint authentication access method of claim 3, characterized in that the core network randomly generates the joint authentication token based on the user permanent identifier, a timestamp, a random number and the shared key.
5. The core network IMS joint authentication access method of claim 4, characterized in that the joint authentication token is obtained by feeding the user permanent identifier, the timestamp, the random number and the shared key into an HMAC algorithm.
6. The core network IMS joint authentication access method of claim 3, characterized in that after receiving the authentication success response the UE also monitors the JAT validity period and, when the joint authentication token is about to expire, sends a token update request to the core network; the core network regenerates the joint authentication token according to the token update request and synchronizes the joint authentication token to the IP multimedia subsystem.
7. The core network IMS joint authentication access method of claim 3, characterized in that when the IP multimedia subsystem receives a SIP registration request from the UE carrying a JAT value, it verifies the validity of the joint authentication token corresponding to that JAT value; if the joint authentication token is valid it marks the UE's registration information as registered and returns a request-granted response to the UE so that the UE accesses the IP multimedia subsystem; if the joint authentication token is invalid it returns a refusal response to the UE and executes the standard IMS AKA flow to verify the SIP registration.
8. The core network IMS joint authentication access method of claim 7, characterized in that the user context information further includes the JAT validity period and the UE's IP address, the UE's IP address being allocated by the core network; after the joint authentication token is found valid, the IP multimedia subsystem further judges whether the user context information corresponding to the JAT value is consistent; if consistent, it marks the UE's registration information as registered and returns a request-granted response to the UE; if inconsistent, it triggers the context synchronization mechanism between the core network and the IP multimedia subsystem, synchronizes the joint authentication token and the user context information from the core network, and performs the consistency verification of the user context information again.
9. The core network IMS joint authentication access method of claim 1, characterized in that the user permanent identifier in the initial registration request is the user permanent identifier encrypted by the UE with a public key; after receiving the initial registration request, the core network decrypts the user permanent identifier with the private key and verifies the user's legitimacy, and continues the joint authentication flow only if the UE is legitimate.
10. A core network IMS joint authentication access system, characterized in that it comprises a core network and an IP multimedia subsystem; the core network comprises an interface module communicating with the UE, an authentication management module, and a communication module communicating with the IP multimedia subsystem; the interface module receives the initial registration request sent by the UE and parses the user permanent identifier and the joint authentication request identifier in the initial registration request to trigger the joint authentication procedure; the authentication management module, once the joint authentication procedure is triggered, generates a joint authentication token based on the user permanent identifier, pushes the joint authentication token and user context information to the IP multimedia subsystem synchronously through the communication module, and returns the joint authentication token in the authentication success response to the UE through the interface module, the user context information including the user permanent identifier; and the IP multimedia subsystem receives the joint authentication token and the user permanent identifier, binds the joint authentication token to the UE's user permanent identifier, and marks the UE's registration state as pre-authentication completed, so that when the UE subsequently registers with the IP multimedia subsystem its identity is verified directly from the joint authentication token.
CN202510439688.1A 2025-04-09 2025-04-09 Core network IMS joint authentication access method and system Pending CN120302289A (en)
Publications (1)

Publication Number Publication Date
CN120302289A true CN120302289A (en) 2025-07-11

Family

ID=96268245
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination