CN1893722A - Method for binding IP multi-media subsystem authentication and access-in layer authentication
- Publication number: CN1893722A (application CN200510093216A)
- Authority: CN (China)
- Prior art keywords: cscf, authentication, information, user, hss
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Landscapes: Mobile Radio Communication Systems (AREA)
Abstract
The invention discloses a method for binding IP multimedia subsystem authentication to access-layer authentication, comprising: after receiving a registration message sent by the UE, the P-CSCF determines the CLF according to information in the registration message; the P-CSCF queries the CLF for the UE's attachment information in the access network to obtain a query result, and sends a registration message carrying the query result to the I-CSCF; the I-CSCF forwards the registration message to the S-CSCF indicated by the home subscriber server (HSS); the S-CSCF authenticates the UE according to the authentication mode obtained from the HSS, in which service-layer authentication is bound to access-layer authentication, obtains an authentication result, and sends the authentication result to the UE. In the invention, the HSS in the service layer decides the user's authentication mode and the S-CSCF completes the authentication process, which is more reasonable. The technical solution requires only minor changes to the existing IMS AKA procedure and has the advantage of being easy to implement.
Description
Technical field
The invention relates to the technical field of user terminal authentication in the IP multimedia service sub-network (IMS), and in particular to a method for binding IP multimedia subsystem authentication to access-layer authentication.
Background art
In fixed next generation networks (NGN) and in mobile networks, the network can generally be divided into an access network and a service network. A user connects to the IP network through the access network of an access network operator, and then uses different services, such as voice, video, and streaming media, through the service networks of one or more service network operators.
When the access network and the service network do not belong to the same operator, the access network's authentication of the user and the service network's authentication of the user are independent of each other. In this case, a user who wants to use a service usually has to be authenticated twice: once at the access layer, after which the user can access the NGN network, and once at the service layer, after which the user can use the services provided by that service network.
When the service network and the access network belong to the same operator, or when some cooperative relationship exists between the service network operator and the access network operator, then in some networking scenarios the service network operator can bind service-layer authentication to access-layer authentication; that is, once the user has passed access-layer authentication, the user is considered secure and service-layer authentication is no longer required.
In the access layer of the existing IP multimedia service sub-network (IP Multimedia Core Network Subsystem, IMS), the IMS Authentication and Key Agreement (AKA) procedure is generally used for the IMS service layer to authenticate the user.
Referring to Figure 1, the AKA procedure includes the following steps:
Step 101: The user equipment (User Equipment, UE) sends a registration message, Register, to the proxy call session control function (Proxy-Call Session Control Function, P-CSCF).
Step 102: Acting as a Session Initiation Protocol (SIP) proxy server, the P-CSCF forwards the UE's registration message Register to the interrogating call session control function (Interrogating-Call Session Control Function, I-CSCF).
Step 103: The I-CSCF and the home subscriber server (Home Subscriber Server, HSS) select the corresponding service call session control function (Service-Call Session Control Function, S-CSCF) through the Cx-Selection-Info message; that is, the I-CSCF sends a request to the HSS, and the user attributes in the HSS are looked up to determine which S-CSCF will process the registration message.
Step 104: The I-CSCF forwards the UE's registration message Register to the S-CSCF determined in step 103.
Step 105: Through the Cx-Put message, the S-CSCF updates the S-CSCF indication information on the HSS, informing the HSS that subsequent processing for this user will be performed on this S-CSCF.
Step 106: The S-CSCF sends an AV-Req message to the HSS, requesting the user's authentication vector.
Step 107: The HSS sends an AV-Req-Resp message to the S-CSCF, delivering the user's authentication vector to the S-CSCF.
Step 108: Based on the authentication vector obtained in step 107 and the UE's registration message, the S-CSCF determines that the user needs to be authenticated, and then sends a 4xx Auth_Challenge message to the I-CSCF, indicating that authentication is required and carrying authentication-related information. Here 4xx denotes a class of errors, and xx stands for a number from 00 to 99.
Step 109: The I-CSCF sends the 4xx Auth_Challenge message to the P-CSCF.
Step 110: The P-CSCF sends the 4xx Auth_Challenge message to the UE.
Step 111: After receiving the 4xx Auth_Challenge message, the UE sends a new registration message Register to the P-CSCF, and this Register carries authentication parameters.
Step 112: The P-CSCF sends the UE's registration message Register to the I-CSCF.
Step 113: After receiving the registration message Register, the I-CSCF determines through Cx-Query with the HSS which S-CSCF should process the UE's registration message; that is, the I-CSCF asks the HSS which S-CSCF should process the user's registration message, and the HSS, based on the stored S-CSCF indication information, tells the I-CSCF which S-CSCF processes it.
Step 114: The I-CSCF forwards the registration message Register to the S-CSCF determined in step 113.
Step 115: Through the Cx-Put message, the S-CSCF updates the S-CSCF indication information on the HSS, informing the HSS that subsequent processing for this user will be performed on this S-CSCF.
Step 116: The S-CSCF obtains the user's subscription data from the HSS through the Cx-Pull message.
Step 117: The S-CSCF performs authentication according to the user's subscription data and the authentication parameters in the UE's registration message Register. If authentication succeeds, the S-CSCF sends a 2xx Auth_OK message to the I-CSCF, indicating that registration succeeded, where 2xx denotes a success response and xx is a number from 00 to 99. If authentication fails, the S-CSCF sends the I-CSCF a message indicating authentication failure.
Step 118: If authentication succeeded, the I-CSCF sends the 2xx Auth_OK message to the P-CSCF. If authentication failed, the I-CSCF sends the message indicating authentication failure to the P-CSCF.
Step 119: If authentication succeeded, the P-CSCF sends the 2xx Auth_OK message to the UE. If authentication failed, the P-CSCF sends the message indicating authentication failure to the UE.
At the interim meeting of the sixth meeting of Telecommunications and Internet Converged Services and Protocols for Advanced Networking (TISPAN 6bis), France Telecom proposed a scheme for binding IMS service-layer authentication to access-layer authentication. In this scheme, the connection location function (Connection Location Function, CLF) in the network attachment subsystem (Network Attach Sub System, NASS) stores the correspondence between the UE's IP address and the access user identifier (subscription-id), as well as a binding identifier indicating that the UE's service-layer authentication is bound to access-layer authentication; each connection of a user has one access user identifier.
Referring to Figure 2, the general flow of this scheme is as follows:
Step 201: The UE sends a registration message Register to the P-CSCF.
Step 202: The P-CSCF queries the CLF for the UE's attachment information according to the source IP address of the registration message; the attachment information contains the UE's access user identifier and an indication that service-layer authentication is bound to the access layer.
Step 203: The P-CSCF compares the UE's access user identifier with the private user identifier in the authentication header field of the registration message. If the two are identical, IMS service-layer authentication has succeeded, and step 205 and the subsequent steps are performed; otherwise authentication has failed, and step 204 is performed, sending the authentication-failure message 403 Forbidden to the UE.
Step 205: The P-CSCF goes on to forward the UE's registration message Register to the I-CSCF; the message carries an indication of whether authentication succeeded.
Step 206: The I-CSCF and the HSS select the corresponding S-CSCF through the Cx-Selection-Info message; that is, the I-CSCF sends a request to the HSS, and the user attributes in the HSS are looked up to determine which S-CSCF will process the registration message.
Step 207: The I-CSCF sends the registration message Register to the S-CSCF determined in step 206.
Step 208: After confirming that the user has registered successfully, the S-CSCF does not request the user's authentication vector from the HSS. Instead, it directly updates the S-CSCF indication information on the HSS through the Cx-Put message, informing the HSS that subsequent processing for this user will be performed on this S-CSCF, and downloads the user's subscription data from the HSS through the Cx-Pull message.
Step 209: The S-CSCF returns a 2xx message to the I-CSCF, indicating that authentication succeeded.
Step 210: The I-CSCF sends the 2xx authentication-success message to the P-CSCF.
Step 211: The P-CSCF sends the 2xx authentication-success message to the UE.
The above technical solution requires the private user identifier carried in the registration message Register to be identical to the user's access user identifier; that is, the service-layer private user identifier and the access-layer user identifier are one and the same. In many cases, however, the service network operator and the access network operator are not the same operator, and forcing them to use the same identifier limits the flexibility of network applications. It is also unreasonable for the attachment subsystem in the network access layer to indicate that service-layer authentication is bound to the access layer; this should be indicated by the relevant equipment in the service layer (such as the HSS), with the access-layer network responsible only for providing the relevant information. It is likewise unreasonable for the P-CSCF to perform the authentication; the reasonable approach is for the home S-CSCF to perform service-layer authentication, with the P-CSCF again responsible only for providing authentication-related information.
Summary of the invention
In view of this, the purpose of the invention is to propose a method for binding IP multimedia subsystem authentication to access-layer authentication in which the service layer decides the user's authentication mode.
According to the above purpose, the invention provides a method for binding IP multimedia subsystem authentication to access-layer authentication, comprising the following steps:
A. After receiving a registration message sent by the UE, the P-CSCF determines the CLF according to the information in the registration message and a preset correspondence between information in registration messages and CLFs;
B. The P-CSCF queries the CLF for the UE's attachment information in the access network to obtain a query result, and sends a registration message carrying the query result to the I-CSCF;
C. The I-CSCF forwards the registration message to the S-CSCF indicated by the HSS;
D. The S-CSCF authenticates the UE according to the authentication mode obtained from the HSS, in which service-layer authentication is bound to access-layer authentication, obtains an authentication result, and sends the authentication result to the UE.
In the above solution, the following steps are further included before step A: A1. The UE sends a registration message to the S-CSCF; A2. The S-CSCF requests the UE's authentication vector from the HSS; A3. The HSS determines, from preset user authentication subscription data, whether the UE's authentication mode is service-layer authentication bound to access-layer authentication, and if so sends the S-CSCF a message including the authentication mode; A4. The S-CSCF sends the UE a message including the authentication mode; A5. After receiving the message including the authentication mode, the UE sends a new registration message to the P-CSCF. The registration message referred to in steps A, B and C is this new registration message.
In the above solution, the following is further included before step D: the S-CSCF requests the UE's authentication vector from the HSS; the HSS determines, from preset user authentication subscription data, whether the UE's authentication mode is service-layer authentication bound to access-layer authentication, and if so sends the S-CSCF a message including the authentication mode.
After the step in which the HSS determines, from the preset user authentication subscription data, whether the UE's authentication mode is service-layer authentication bound to access-layer authentication, the method further includes: when the UE's authentication mode is not service-layer authentication bound to access-layer authentication, processing proceeds according to the key agreement (AKA) procedure.
The information in the registration message referred to in step A is the access operator identifier or the source IP address of the registration message.
Preferably, the registration message includes an access user identifier, and the UE's attachment information in the access network corresponding to that access user identifier is stored in the CLF in advance. In step B, the step in which the P-CSCF queries the CLF for the UE's attachment information in the access network to obtain a query result comprises: the P-CSCF queries the CLF for the UE's attachment information in the access network according to the access user identifier; when the CLF holds attachment information containing IP address information corresponding to the access user identifier, the CLF returns to the P-CSCF a query result including that IP address information; otherwise it returns a query-failure result to the P-CSCF.
Preferably, the registration message includes a private user identifier, and the UE's attachment information in the access network corresponding to that private user identifier is stored in the CLF in advance. In step B, the step in which the P-CSCF queries the CLF for the UE's attachment information in the access network to obtain a query result comprises: the P-CSCF queries the CLF for the UE's attachment information in the access network according to the private user identifier; when the CLF holds attachment information containing IP address information corresponding to the private user identifier, the CLF returns to the P-CSCF a query result including that IP address information; otherwise it returns a query-failure result to the P-CSCF.
Step B further includes the P-CSCF sending the source IP address of the received registration message to the I-CSCF; step C further includes the I-CSCF forwarding that source IP address to the S-CSCF. In step D, the step of authenticating the UE to obtain the authentication result comprises: when the query result includes IP address information, the S-CSCF compares the source IP address of the registration message received by the P-CSCF with the IP address information in the query result; if they are identical, the authentication result is success, otherwise the authentication result is failure; when the query result is query-failure information, the S-CSCF obtains an authentication result of failure.
Preferably, the UE's attachment information in the access network corresponding to the source IP address of the registration message is stored in the CLF in advance. In step B, the step in which the P-CSCF queries the CLF for the UE's attachment information in the access network to obtain a query result comprises: the P-CSCF queries the CLF for the UE's attachment information in the access network according to the source IP address of the registration message; when the CLF holds attachment information containing access user association information corresponding to that source IP address, the CLF returns to the P-CSCF a query result including the access user association information; otherwise it returns a query-failure result to the P-CSCF.
Before the UE is authenticated in step D, the method further includes the S-CSCF obtaining from the HSS the bound access user association information stored in the HSS in advance. In step D, the step of authenticating the UE to obtain the authentication result comprises: when the query result includes access user association information, the S-CSCF compares the bound access user association information obtained from the HSS with the access user association information in the query result; if they are identical, the authentication result is success, otherwise the authentication result is failure; when the query result is query-failure information, the S-CSCF obtains an authentication result of failure.
In the above solution, the access user association information is an access user identifier, location information, or IP address information.
As can be seen from the above solution, the invention queries the attachment information in the CLF using the access user identifier, the private user identifier, or the source IP address of the registration message; the HSS decides the user's authentication mode, and the S-CSCF determines whether authentication succeeds. Compared with the prior art, having the service-layer HSS decide the user's authentication mode and the S-CSCF complete the authentication process is more reasonable. Moreover, the invention locates the CLF according to the access operator identifier and queries the CLF for the user's attachment information using the access user identifier, so the service-layer user identifier and the access user identifier are not required to be the same.
At the same time, to simplify the solution in view of actual networking conditions, the solution also supports the case where the service operator and the access operator are the same operator, IP addresses are well planned, and the service-layer private user identifier and the access user identifier are the same: the source IP address of the registration message can then be used to locate the CLF, and the service-layer private user identifier or the source IP address of the registration message can be used to query the CLF for the user's attachment information in the access network. When the S-CSCF authenticates, it compares the IP address information obtained from the CLF query with the source IP address of the registration message received by the P-CSCF, or compares the access user association information obtained from the CLF query with the bound access user association information obtained from the HSS; authentication succeeds when the two are identical and fails when they are not. The solution is therefore more general and flexible than the prior art, conforms to the principle of service-layer authentication, and is more reasonable and logical in its implementation. In addition, the technical solution makes only minor changes to the existing IMS AKA procedure: the flow is essentially the same and only the authentication parameters change, so it integrates easily with the existing IMS AKA procedure and is easy to implement.
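The decision logic of steps A to D, as an added Python simulation that is not part of the patent text: the P-CSCF selects the CLF from the operator identifier and forwards the CLF result with the source IP it observed, and the S-CSCF decides, in both the IP-comparison variant and the variant that compares CLF association information with the value bound in the HSS. All identifiers, addresses, mode values and function names are constructed for illustration; addresses are compared as parsed values so that different spellings of one address still match and malformed input fails closed.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# Constructed sample data (documentation address ranges); none of it is from the patent.
CLF_FOR_OPERATOR = {"access-op-1": "clf-1"}    # P-CSCF: operator ID -> CLF (step A)
CLF_IP_BY_ACCESS_ID = {                        # CLF records: access user ID -> IP
    "clf-1": {"line-0001": "192.0.2.10", "line-0002": "2001:db8::1"},
}
CLF_ASSOC_BY_SOURCE_IP = {"192.0.2.10": "line-0001"}   # CLF records keyed by source IP
HSS_AUTH_MODE = {                              # HSS authentication subscription data
    "alice@ims.example": "bound",
    "carol@ims.example": "bound",
    "bob@ims.example": "aka",
}
HSS_BOUND_ASSOC = {"alice@ims.example": "line-0001"}   # HSS: bound access user info


@dataclass(frozen=True)
class Register:
    private_id: str       # service-layer private user identifier
    operator_id: str      # access operator identifier
    access_user_id: str   # access user identifier


@dataclass(frozen=True)
class Forwarded:
    register: Register
    observed_source_ip: str   # read by the P-CSCF from the received packet
    clf_ip: Optional[str]     # None means the CLF query failed


def pcscf_forward(reg: Register, packet_source_ip: str) -> Forwarded:
    """Steps A and B: pick the CLF, query it, forward result plus source IP."""
    clf = CLF_FOR_OPERATOR.get(reg.operator_id)
    clf_ip = CLF_IP_BY_ACCESS_ID.get(clf, {}).get(reg.access_user_id)
    return Forwarded(reg, packet_source_ip, clf_ip)


def same_address(a: str, b: str) -> bool:
    """Compare parsed addresses; input that does not parse never matches."""
    try:
        return ip_address(a) == ip_address(b)
    except ValueError:
        return False


def scscf_decide(fwd: Forwarded) -> str:
    """Step D, IP comparison variant. Returns 'AKA', 'AUTH_OK' or 'AUTH_FAIL'."""
    if HSS_AUTH_MODE.get(fwd.register.private_id) != "bound":
        return "AKA"            # HSS did not select binding: ordinary AKA flow
    if fwd.clf_ip is None:
        return "AUTH_FAIL"      # a failed CLF query is an authentication failure
    ok = same_address(fwd.observed_source_ip, fwd.clf_ip)
    return "AUTH_OK" if ok else "AUTH_FAIL"


def scscf_decide_by_association(private_id: str, packet_source_ip: str) -> str:
    """Step D, variant where the CLF is queried by source IP and the S-CSCF
    compares the returned association info with the value bound in the HSS."""
    if HSS_AUTH_MODE.get(private_id) != "bound":
        return "AKA"
    clf_assoc = CLF_ASSOC_BY_SOURCE_IP.get(packet_source_ip)
    bound = HSS_BOUND_ASSOC.get(private_id)
    if clf_assoc is None or bound is None:
        return "AUTH_FAIL"
    return "AUTH_OK" if clf_assoc == bound else "AUTH_FAIL"


def register(reg: Register, packet_source_ip: str) -> str:
    """End-to-end registration decision for the IP comparison variant."""
    return scscf_decide(pcscf_forward(reg, packet_source_ip))


if __name__ == "__main__":
    alice = Register("alice@ims.example", "access-op-1", "line-0001")
    for src in ("192.0.2.10", "192.0.2.99", "not-an-address"):
        print(src, register(alice, src))
```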
Description of drawings
Figure 1 is a schematic flow chart of the AKA authentication mechanism;
Figure 2 is a schematic flow chart of the prior art;
Figures 3a and 3b are schematic flow charts of the first embodiment of the invention;
Figures 4a and 4b are schematic flow charts of the second embodiment of the invention;
Figures 5a and 5b are schematic flow charts of the third embodiment of the invention;
Figures 6a and 6b are schematic flow charts of the fourth embodiment of the invention;
Figures 7a and 7b are schematic flow charts of the fifth embodiment of the invention.
具体实施方式Detailed ways
为使本发明的目的、技术方案和优点更加清楚,以下举实施例对本发明进一步详细说明。In order to make the purpose, technical solution and advantages of the present invention clearer, the following examples are given to further describe the present invention in detail.
本发明的第一实施例以AKA流程为基础,给出了一种IMS业务层鉴权和接入层鉴权绑定的方法。第一实施例中,预先在HSS保存用户的鉴权签约数据,鉴权签约数据表明该用户的鉴权方式是否为业务层鉴权与接入层鉴权绑定。Based on the AKA process, the first embodiment of the present invention provides a binding method of IMS service layer authentication and access layer authentication. In the first embodiment, the user's authentication subscription data is stored in the HSS in advance, and the authentication subscription data indicates whether the user's authentication mode is the binding of the service layer authentication and the access layer authentication.
参考图3a和图3b,第一实施例的流程如下:Referring to Figure 3a and Figure 3b, the flow of the first embodiment is as follows:
步骤301,UE向P-CSCF发送注册报文Register。In step 301, the UE sends a registration message Register to the P-CSCF.
步骤302,P-CSCF将UE的注册报文Register转发给I-CSCF。In step 302, the P-CSCF forwards the Register message of the UE to the I-CSCF.
步骤303,I-CSCF跟HSS之间通过Cx-Selection-Info消息选择相应的S-CSCF,即I-CSCF向HSS发出请求,查找HSS中的用户属性来确定由哪个S-CSCF处理该注册报文。Step 303: The I-CSCF and the HSS select the corresponding S-CSCF through the Cx-Selection-Info message, that is, the I-CSCF sends a request to the HSS to find out the user attributes in the HSS to determine which S-CSCF will process the registration report. arts.
步骤304,I-CSCF将UE的注册报文Register转发给步骤303中所确定S-CSCF。In step 304, the I-CSCF forwards the UE's registration message Register to the S-CSCF determined in step 303.
步骤305,S-CSCF与HSS之间通过Cx-Put消息,更新HSS上的S-CSCF指示信息,告知HSS该用户后续的处理在本S-CSCF进行。In step 305, the S-CSCF and the HSS update the S-CSCF indication information on the HSS through a Cx-Put message, and inform the HSS that the subsequent processing of the user will be performed in this S-CSCF.
步骤306,S-CSCF向HSS发送AV-Req消息,请求该用户的鉴权向量。In step 306, the S-CSCF sends an AV-Req message to the HSS to request the user's authentication vector.
步骤307,HSS检查用户的鉴权签约数据,根据鉴权签约数据判断该用户的鉴权方式是否为业务层鉴权与接入层鉴权绑定,如果是则执行步骤308及其后续步骤,否则执行AKA流程的步骤107至步骤119,进行一般的鉴权流程。Step 307, the HSS checks the user's authentication subscription data, judges according to the authentication subscription data whether the user's authentication method is the binding of service layer authentication and access layer authentication, and if so, executes step 308 and its subsequent steps, Otherwise, execute steps 107 to 119 of the AKA process to perform a general authentication process.
步骤308,HSS向S-CSCF发送AV-Req-Resp消息,与现有技术中发送的鉴权向量不同,本步骤里将该用户的鉴权方式信息发送给S-CSCF。In step 308, the HSS sends an AV-Req-Resp message to the S-CSCF. Different from the authentication vector sent in the prior art, in this step, the user's authentication mode information is sent to the S-CSCF.
步骤309,S-CSCF根据在步骤308中获得的鉴权方式信息,得知该用户的鉴权方式是业务层鉴权和接入层鉴权绑定,然后向I-CSCF发送4xxAuth_Challenge消息,并在消息的鉴权头域中表明鉴权方式是业务层鉴权和接入层鉴权绑定,即携带鉴权方式指示信息。In step 309, the S-CSCF learns that the user's authentication method is binding service layer authentication and access layer authentication according to the authentication method information obtained in step 308, and then sends a 4xxAuth_Challenge message to the I-CSCF, and In the authentication header field of the message, it is indicated that the authentication mode is the binding of the service layer authentication and the access layer authentication, that is, the authentication mode indication information is carried.
步骤310,I-CSCF将所述携带鉴权方式指示信息的4xx Auth_Challenge消息发送给P-CSCF。Step 310, the I-CSCF sends the 4xx Auth_Challenge message carrying the authentication mode indication information to the P-CSCF.
步骤311,P-CSCF将所述携带鉴权方式指示信息的4xx Auth_Challenge消息发送给UE。Step 311, the P-CSCF sends the 4xx Auth_Challenge message carrying the authentication mode indication information to the UE.
此时,由于P-CSCF根据该消息得知鉴权方式为业务层鉴权和接入层鉴权绑定,因此P-CSCF不需要建立和UE之间的安全联盟。At this time, since the P-CSCF learns from the message that the authentication mode is the binding of the service layer authentication and the access layer authentication, the P-CSCF does not need to establish a security association with the UE.
Step 312: after receiving the 4xx Auth_Challenge message, the UE sends a new Register message to the P-CSCF; this message carries the access operator identifier and the access user identifier.
Step 313: the P-CSCF determines the CLF from the operator identifier in the Register message and the preconfigured mapping between operator identifiers and CLFs.
Step 314: using the access user identifier in the Register message, the P-CSCF queries the CLF determined above for the user's attachment information at the access layer. Unlike the prior art, the CLF stores in advance a data record of the attachment information corresponding to the access user identifier; the attachment information includes IP address information, location information and so on, but not the binding identifier of the prior art. If the CLF holds no data record for the access user identifier, it returns a query failure.
Step 315: the P-CSCF sends to the I-CSCF the Register message carrying the query result of the previous step, together with the source IP address of that Register message as received by the P-CSCF. If the query succeeded, the attachment information obtained is sent to the I-CSCF; if the query failed, query failure information is reported to the I-CSCF.
Step 316: the I-CSCF and the HSS use Cx-Query to determine which S-CSCF handles the UE's Register message; that is, the I-CSCF asks the HSS which S-CSCF should handle the message, and the HSS, based on its stored S-CSCF indication information, tells the I-CSCF which S-CSCF handles it.
Step 317: the I-CSCF forwards the Register message containing the query result, together with the source IP address of that Register message as received by the P-CSCF, to the S-CSCF determined in step 316. The query result is the attachment information obtained when the query succeeded, and the reported query failure information when the query failed.
Step 318: when the query result is attachment information, the S-CSCF checks whether the source IP address of the Register message received by the P-CSCF matches the IP address information in the attachment information obtained from the CLF. If they match, authentication has succeeded, and step 319 and the steps that follow it are executed, i.e. an authentication success message is sent to the UE; if they do not match, authentication has failed, and step 331 and the steps that follow it are executed, i.e. an authentication failure message is sent to the UE.
When the query result is the reported query failure information, authentication has likewise failed, and step 331 and the steps that follow it are executed, i.e. an authentication failure message is sent to the UE.
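Step 319: through a Cx-Put message between the S-CSCF and the HSS, the S-CSCF indication information on the HSS is updated, informing the HSS that subsequent processing for this user takes place at this S-CSCF.
Step 320: the S-CSCF and the HSS use a Cx-Pull message to obtain the user's subscription data information.
Step 321: the S-CSCF sends a 2xx Auth_OK message to the I-CSCF, indicating that authentication succeeded.
Step 322: the I-CSCF sends the 2xx Auth_OK message to the P-CSCF.
Step 323: the P-CSCF sends the 2xx Auth_OK message to the UE.
Step 331, shown in Figure 3b: through a Cx-Put message between the S-CSCF and the HSS, the S-CSCF indication information on the HSS is updated, informing the HSS that subsequent processing for this user takes place at this S-CSCF.
Step 332: the S-CSCF and the HSS use a Cx-Pull message to obtain the user's subscription data information.
Step 333: the S-CSCF sends an authentication failure message to the I-CSCF, indicating that authentication failed.
Step 334: the I-CSCF sends the authentication failure message to the P-CSCF.
Step 335: the P-CSCF sends the authentication failure message to the UE.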
When the access network operator and the service network operator are the same operator, the access user identifier and the private user identifier are identical, and the NASS does not deliver an access operator identifier and an access user identifier to the UE. In that case the method of the second embodiment, shown in Figures 4a and 4b, can be used. The second embodiment is a simplified form of the first: the access operator and the CLF are identified from the source IP address of the Register message, and the UE's attachment information at the access layer is looked up in the CLF using the private user identifier of the IMS service layer. As in the first embodiment, the user's authentication subscription data is stored in the HSS in advance; it indicates whether the user's authentication mode is service-layer authentication bound to access-layer authentication.
Referring to Figures 4a and 4b, the second embodiment comprises the following steps:
Steps 401 to 411 are the same as steps 301 to 311 of the first embodiment.
Step 401: the UE sends a Register message to the P-CSCF.
Step 402: the P-CSCF forwards the UE's Register message to the I-CSCF.
Step 403: the I-CSCF and the HSS select the corresponding S-CSCF through a Cx-Selection-Info message; that is, the I-CSCF sends a request to the HSS, and the user attributes in the HSS are looked up to determine which S-CSCF handles the Register message.
Step 404: the I-CSCF forwards the UE's Register message to the S-CSCF determined in step 403.
Step 405: through a Cx-Put message between the S-CSCF and the HSS, the S-CSCF indication information on the HSS is updated, informing the HSS that subsequent processing for this user takes place at this S-CSCF.
Step 406: the S-CSCF sends an AV-Req message to the HSS, requesting the user's authentication vector.
Step 407: the HSS checks the user's authentication subscription data and determines from it whether the user's authentication mode is service-layer authentication bound to access-layer authentication. If so, step 408 and the steps that follow it are executed; otherwise steps 107 to 119 of the AKA procedure are executed, i.e. the ordinary authentication procedure.
Step 408: the HSS sends an AV-Req-Resp message to the S-CSCF. Unlike the prior art, in which an authentication vector is sent, this step sends the user's authentication mode information to the S-CSCF.
Step 409: from the authentication mode information obtained in step 408, the S-CSCF learns that the user's authentication mode is service-layer authentication bound to access-layer authentication. It then sends a 4xx Auth_Challenge message to the I-CSCF and indicates in the message's authentication header field that the authentication mode is service-layer authentication bound to access-layer authentication, i.e. the message carries authentication mode indication information.
Step 410: the I-CSCF sends the 4xx Auth_Challenge message carrying the authentication mode indication information to the P-CSCF.
Step 411: the P-CSCF sends the 4xx Auth_Challenge message carrying the authentication mode indication information to the UE.
At this point, because the P-CSCF learns from this message that the authentication mode is service-layer authentication bound to the access layer, the P-CSCF does not need to establish a security association (SA) with the UE.
Step 412: after receiving the 4xx Auth_Challenge message, the UE sends a new Register message to the P-CSCF. Unlike the first embodiment, this message does not need to carry the access operator identifier and the access user identifier; instead, the authentication header field carries the private user identifier described in the prior art, which already exists in the current IMS AKA procedure.
Step 413: the P-CSCF determines the CLF from the source IP address of the Register message and the preconfigured mapping between source IP addresses and CLFs.
Step 414: using the private user identifier in the authentication header field of the Register message, the P-CSCF queries the CLF determined above for the user's attachment information at the access layer. The CLF stores in advance a data record of the attachment information corresponding to the private user identifier; the attachment information includes IP address information, location information and so on, but not the binding identifier of the prior art. If the CLF holds no data record for the private user identifier, it returns a query failure.
Steps 415 to 423 below are the same as steps 315 to 323 of the first embodiment.
Step 415: the P-CSCF sends to the I-CSCF the Register message carrying the query result of the previous step, together with the source IP address of that Register message as received by the P-CSCF. If the query succeeded, the attachment information obtained is sent to the I-CSCF; if the query failed, query failure information is reported to the I-CSCF.
Step 416: the I-CSCF and the HSS use Cx-Query to determine which S-CSCF handles the UE's Register message; that is, the I-CSCF asks the HSS which S-CSCF should handle the message, and the HSS, based on its stored S-CSCF indication information, tells the I-CSCF which S-CSCF handles it.
Step 417: the I-CSCF forwards the Register message containing the query result, together with the source IP address of the Register message as received by the P-CSCF, to the S-CSCF determined in step 416. The query result is the attachment information obtained when the query succeeded, and the reported query failure information when the query failed.
Step 418: when the query result is attachment information, the S-CSCF checks whether the source IP address of the Register message received by the P-CSCF matches the IP address information in the attachment information obtained from the CLF. If they match, authentication has succeeded, and step 419 and the steps that follow it are executed, i.e. an authentication success message is sent to the UE; if they do not match, authentication has failed, and step 431 and the steps that follow it are executed, i.e. an authentication failure message is sent to the UE.
When the query result is the reported query failure information, authentication has likewise failed, and step 331 and the steps that follow it are executed, i.e. an authentication failure message is sent to the UE.
Step 419: through a Cx-Put message between the S-CSCF and the HSS, the S-CSCF indication information on the HSS is updated, informing the HSS that subsequent processing for this user takes place at this S-CSCF.
Step 420: the S-CSCF and the HSS use a Cx-Pull message to obtain the user's subscription data information.
Step 421: the S-CSCF sends a 2xx Auth_OK message to the I-CSCF, indicating that authentication succeeded.
Step 422: the I-CSCF sends the 2xx Auth_OK message to the P-CSCF.
Step 423: the P-CSCF sends the 2xx Auth_OK message to the UE.
Step 431, shown in Figure 4b: through a Cx-Put message between the S-CSCF and the HSS, the S-CSCF indication information on the HSS is updated, informing the HSS that subsequent processing for this user takes place at this S-CSCF.
Step 432: the S-CSCF and the HSS use a Cx-Pull message to obtain the user's subscription data information.
Step 433: the S-CSCF sends an authentication failure message to the I-CSCF, indicating that authentication failed.
Step 434: the I-CSCF sends the authentication failure message to the P-CSCF.
Step 435: the P-CSCF sends the authentication failure message to the UE.
In the methods of the first and second embodiments, the UE sends the Register message carrying the operator identifier and the access user identifier only after learning that the authentication mode is service-layer authentication bound to access-layer authentication. In the third embodiment of the invention, the UE sends the Register message carrying the operator identifier and the access user identifier from the outset. As in the first and second embodiments, the user's authentication subscription data is stored in the HSS in advance; it indicates whether the user's authentication mode is service-layer authentication bound to access-layer authentication.
Referring to Figures 5a and 5b, the flow of the second embodiment is as follows:
Step 501: the UE sends a Register message to the P-CSCF; the message carries the access operator identifier and the access user identifier.
Step 502: the P-CSCF determines the CLF from the access operator identifier in the Register message and the preconfigured mapping between access operator identifiers and CLFs.
Step 503: using the access user identifier in the Register message, the P-CSCF queries the CLF determined above for the user's attachment information at the access layer. The CLF stores in advance a data record of the attachment information corresponding to the private user identifier; the attachment information includes IP address information, location information and so on, but not the binding identifier of the prior art. If the CLF holds no data record for the access user identifier, it returns a query failure.
Step 504: the P-CSCF sends to the I-CSCF the Register message carrying the query result of the previous step, together with the source IP address of that Register message as received by the P-CSCF. If the query succeeded, the attachment information obtained is sent to the I-CSCF; if the query failed, query failure information is reported to the I-CSCF.
Step 505: the I-CSCF and the HSS select the corresponding S-CSCF through a Cx-Selection-Info message; that is, the I-CSCF sends a request to the HSS, and the user attributes in the HSS are looked up to determine which S-CSCF handles the Register message.
Step 506: the I-CSCF forwards the Register message containing the query result, together with the source IP address of the Register message as received by the P-CSCF, to the S-CSCF determined in step 505. The query result is the attachment information obtained when the query succeeded, and the reported query failure information when the query failed.
Step 507: through a Cx-Put message between the S-CSCF and the HSS, the S-CSCF indication information on the HSS is updated, informing the HSS that subsequent processing for this user takes place at this S-CSCF.
Step 508: the S-CSCF sends an AV-Req message to the HSS, requesting the user's authentication vector.
Step 509: the HSS checks the user's authentication subscription data and determines from it whether the user's authentication mode is service-layer authentication bound to access-layer authentication. If so, step 510 and the steps that follow it are executed; otherwise steps 107 to 119 of the AKA procedure are executed, i.e. the ordinary authentication procedure.
Step 510: the HSS sends an AV-Req-Resp message to the S-CSCF. Unlike the prior art, in which an authentication vector is sent, this step sends the user's authentication mode information to the S-CSCF.
Step 511: when the query result is attachment information, the S-CSCF checks whether the source IP address of the Register message received by the P-CSCF matches the IP address information in the attachment information obtained from the CLF. If they match, authentication has succeeded, and step 512 and the steps that follow it are executed, i.e. an authentication success message is sent to the UE; if they do not match, authentication has failed, and step 521 and the steps that follow it are executed, i.e. an authentication failure message is sent to the UE.
When the query result is the reported query failure information, authentication has likewise failed, and step 521 and the steps that follow it are executed, i.e. an authentication failure message is sent to the UE.
Step 512: through a Cx-Put message between the S-CSCF and the HSS, the S-CSCF indication information on the HSS is updated, informing the HSS that subsequent processing for this user takes place at this S-CSCF.
Step 513: the S-CSCF and the HSS use a Cx-Pull message to obtain the user's subscription data information.
Step 514: the S-CSCF sends a 2xx Auth_OK message to the I-CSCF, indicating that authentication succeeded.
Step 515: the I-CSCF sends the 2xx Auth_OK message to the P-CSCF.
Step 516: the P-CSCF sends the 2xx Auth_OK message to the UE.
Step 521, shown in Figure 5b: through a Cx-Put message between the S-CSCF and the HSS, the S-CSCF indication information on the HSS is updated, informing the HSS that subsequent processing for this user takes place at this S-CSCF.
Step 522: the S-CSCF and the HSS use a Cx-Pull message to obtain the user's subscription data information.
Step 523: the S-CSCF sends an authentication failure message to the I-CSCF, indicating that authentication failed.
Step 524: the I-CSCF sends the authentication failure message to the P-CSCF.
Step 525: the P-CSCF sends the authentication failure message to the UE.
As in the second embodiment, when the access network operator and the service network operator are the same operator, the access user identifier and the private user identifier are identical, and the NASS does not deliver an access operator identifier and an access user identifier to the UE. In that case the method of the fourth embodiment, shown in Figures 6a and 6b, can be used. The fourth embodiment is a simplified form of the third: the access operator and the CLF are identified from the source IP address of the Register message, and the UE's attachment information at the access layer is looked up in the CLF using the private user identifier of the IMS service layer. As in the first embodiment, the user's authentication subscription data is stored in the HSS in advance; it indicates whether the user's authentication mode is service-layer authentication bound to access-layer authentication.
Referring to Figures 6a and 6b, the fourth embodiment comprises the following steps:
Step 601: the UE sends a Register message to the P-CSCF. Unlike the third embodiment, this message does not need to carry the access operator identifier and the access user identifier; instead, the authentication header field carries the private user identifier described in the prior art.
Step 602: the P-CSCF determines the CLF from the source IP address of the Register message and the preconfigured mapping between source IP addresses and CLFs.
Step 603: using the private user identifier in the authentication header field of the Register message, the P-CSCF queries the CLF determined above for the user's attachment information at the access layer. The CLF stores in advance a data record of the attachment information corresponding to the private user identifier; the attachment information includes IP address information, location information and so on, but not the binding identifier of the prior art. If the CLF holds no data record for the private user identifier, it returns a query failure.
Steps 604 to 625 below are the same as steps 504 to 525 of the third embodiment.
Step 604: the P-CSCF sends to the I-CSCF the Register message carrying the query result of the previous step, together with the source IP address of that Register message as received by the P-CSCF. If the query succeeded, the attachment information obtained is sent to the I-CSCF; if the query failed, query failure information is reported to the I-CSCF.
Step 605: the I-CSCF and the HSS select the corresponding S-CSCF through a Cx-Selection-Info message; that is, the I-CSCF sends a request to the HSS, and the user attributes in the HSS are looked up to determine which S-CSCF handles the Register message.
Step 606: the I-CSCF forwards the Register message containing the query result, together with the source IP address of that Register message as received by the P-CSCF, to the S-CSCF determined in step 605. The query result is the attachment information obtained when the query succeeded, and the reported query failure information when the query failed.
Step 607: through a Cx-Put message between the S-CSCF and the HSS, the S-CSCF indication information on the HSS is updated, informing the HSS that subsequent processing for this user takes place at this S-CSCF.
Step 608: the S-CSCF sends an AV-Req message to the HSS, requesting the user's authentication vector.
Step 609: the HSS checks the user's authentication subscription data and determines from it whether the user's authentication mode is service-layer authentication bound to access-layer authentication. If so, step 610 and the steps that follow it are executed; otherwise steps 107 to 119 of the AKA procedure are executed, i.e. the ordinary authentication procedure.
Step 610: the HSS sends an AV-Req-Resp message to the S-CSCF. Unlike the prior art, in which an authentication vector is sent, this step sends the user's authentication mode information to the S-CSCF.
Step 611: when the query result is attachment information, the S-CSCF checks whether the source IP address of the Register message received by the P-CSCF matches the IP address information in the attachment information obtained from the CLF. If they match, authentication has succeeded, and step 612 and the steps that follow it are executed, i.e. an authentication success message is sent to the UE; if they do not match, authentication has failed, and step 521 and the steps that follow it are executed, i.e. an authentication failure message is sent to the UE.
When the query result is the reported query failure information, authentication has likewise failed, and step 621 and the steps that follow it are executed, i.e. an authentication failure message is sent to the UE.
Step 612: through a Cx-Put message between the S-CSCF and the HSS, the S-CSCF indication information on the HSS is updated, informing the HSS that subsequent processing for this user takes place at this S-CSCF.
Step 613: the S-CSCF and the HSS use a Cx-Pull message to obtain the user's subscription data information.
Step 614: the S-CSCF sends a 2xx Auth_OK message to the I-CSCF, indicating that authentication succeeded.
Step 615: the I-CSCF sends the 2xx Auth_OK message to the P-CSCF.
Step 616: the P-CSCF sends the 2xx Auth_OK message to the UE.
Step 621, shown in Figure 6b: through a Cx-Put message between the S-CSCF and the HSS, the S-CSCF indication information on the HSS is updated, informing the HSS that subsequent processing for this user takes place at this S-CSCF.
Step 622: the S-CSCF and the HSS use a Cx-Pull message to obtain the user's subscription data information.
Step 623: the S-CSCF sends an authentication failure message to the I-CSCF, indicating that authentication failed.
Step 624: the I-CSCF sends the authentication failure message to the P-CSCF.
Step 625: the P-CSCF sends the authentication failure message to the UE.
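The binding check shared by the first through fourth embodiments (CLF selection at the P-CSCF, the CLF lookup, and the S-CSCF's comparison of the observed source IP address with the attached IP address), as an added Python example that is not part of the patent text. All identifiers, addresses and table contents are constructed, and treating an undeterminable CLF as a query failure is an assumption; the I-CSCF hop and the Cx exchanges with the HSS are left out.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

AUTH_OK = "2xx Auth_OK"
AUTH_FAIL = "authentication failure"  # the text names no specific failure message

# Constructed sample data: documentation address ranges, made-up identifiers.
CLF_BY_OPERATOR = {"operator-a.example": "clf-a"}                 # steps 313 / 502
CLF_BY_PREFIX = {ipaddress.ip_network("192.0.2.0/24"): "clf-a"}   # steps 413 / 602
CLF_RECORDS = {
    "clf-a": {"alice@access.example": {"ip": "192.0.2.10", "location": "port-17"}},
}


@dataclass
class Register:
    source_ip: str                     # address the P-CSCF observed, not a value the UE wrote
    user_id: str                       # access user ID, or private user ID in embodiments 2 and 4
    operator_id: Optional[str] = None  # absent in embodiments 2 and 4


@dataclass
class QueryResult:
    ok: bool
    attachment: Optional[dict] = None


def select_clf(reg: Register) -> Optional[str]:
    """P-CSCF: pick the CLF by operator ID if present, else by source IP prefix."""
    if reg.operator_id is not None:
        return CLF_BY_OPERATOR.get(reg.operator_id)
    try:
        addr = ipaddress.ip_address(reg.source_ip)
    except ValueError:
        return None
    for prefix, clf in CLF_BY_PREFIX.items():
        if addr in prefix:
            return clf
    return None


def pcscf_query(reg: Register) -> QueryResult:
    """P-CSCF: query the CLF; a missing record is reported as a query failure."""
    clf = select_clf(reg)
    record = CLF_RECORDS.get(clf, {}).get(reg.user_id) if clf else None
    if record is None:
        return QueryResult(ok=False)
    return QueryResult(ok=True, attachment=record)


def scscf_authenticate(observed_source_ip: str, result: QueryResult) -> bool:
    """S-CSCF: succeed only if the observed source IP equals the attached IP."""
    if not result.ok or not result.attachment:
        return False                   # query failure means authentication failure
    try:
        observed = ipaddress.ip_address(observed_source_ip)
        attached = ipaddress.ip_address(result.attachment["ip"])
    except (KeyError, ValueError):
        return False                   # unparsable or missing address: fail closed
    return observed == attached        # compares parsed addresses, not strings


def handle_register(reg: Register) -> str:
    """End-to-end outcome the UE receives for one Register message."""
    result = pcscf_query(reg)
    return AUTH_OK if scscf_authenticate(reg.source_ip, result) else AUTH_FAIL


if __name__ == "__main__":
    for reg in (
        Register("192.0.2.10", "alice@access.example", "operator-a.example"),
        Register("192.0.2.99", "alice@access.example", "operator-a.example"),
        Register("192.0.2.10", "alice@access.example"),
        Register("192.0.2.10", "unknown@access.example"),
    ):
        print(reg, "->", handle_register(reg))
```

The comparison is only as trustworthy as the `source_ip` value: it has to be the address the P-CSCF saw on the received message, carried unchanged to the S-CSCF.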
In the methods of the first through fourth embodiments, the S-CSCF authenticates by checking whether the source IP address of the Register message received by the P-CSCF matches the IP address information obtained from the CLF. In the fifth embodiment of the invention, the S-CSCF authenticates by comparing the bound access user association information stored in the HSS in advance with the access user association information obtained from the CLF. The access user association information may be the access user identity, location information, IP address information and so on; the access user identifier is used here as the example. The fifth embodiment uses the source IP address of the Register message to illustrate how the CLF is determined and how the user association information is queried from it, but, as the preceding embodiments show, other parameters can be used for this, which is not repeated here.
Referring to Figures 7a and 7b, the flow of the second embodiment is as follows:
Step 701: the UE sends a Register message to the P-CSCF.
Step 702: the P-CSCF determines the CLF from the source IP address of the Register message and the preconfigured mapping between IP addresses and CLFs.
Step 703: using the source IP address of the Register message, the P-CSCF queries the CLF determined above for the user's access user identifier. The CLF stores in advance a data record of the UE's attachment information corresponding to the source IP address. The attachment information includes at least access user association information, which here is the access user identifier. If the CLF holds no data record for the source IP address, it returns a query failure.
Step 704: the P-CSCF sends the Register message carrying the query result of the previous step to the I-CSCF. If the query succeeded, the access user identifier obtained is sent to the I-CSCF as the query result; if the query failed, query failure information is reported to the I-CSCF as the query result.
Step 705: the I-CSCF and the HSS select the corresponding S-CSCF through a Cx-Selection-Info message; that is, the I-CSCF sends a request to the HSS, and the UE's user attributes in the HSS are looked up to determine which S-CSCF handles the Register message.
Step 706: the I-CSCF forwards the Register message containing the query result to the S-CSCF determined in step 705. The query result is the access user identifier obtained when the query succeeded, and the reported query failure information when the query failed.
Step 707: through a Cx-Put message between the S-CSCF and the HSS, the S-CSCF indication information on the HSS is updated, informing the HSS that subsequent processing for this user takes place at this S-CSCF.
Step 708: the S-CSCF sends an AV-Req message to the HSS, requesting the user's authentication vector.
Step 709: the HSS checks the user's authentication subscription data and determines from it whether the user's authentication mode is service-layer authentication bound to access-layer authentication. If so, step 710 and the steps that follow it are executed; otherwise steps 107 to 119 of the AKA procedure are executed, i.e. the ordinary authentication procedure.
Step 710: the HSS sends an AV-Req-Resp message to the S-CSCF. Unlike the prior art, in which an authentication vector is sent, this step delivers the user's authentication mode information and the access user identifier to the S-CSCF.
Step 711: when the query result is an access user identifier, the S-CSCF checks whether the access user identifier obtained from the CLF matches the access user identifier delivered by the HSS. If they match, authentication has succeeded, and step 712 and the steps that follow it are executed, i.e. an authentication success message is sent to the UE; if they do not match, authentication has failed, and step 521 and the steps that follow it are executed, i.e. an authentication failure message is sent to the UE.
When the query result is the reported query failure information, authentication has likewise failed, and step 721 and the steps that follow it are executed, i.e. an authentication failure message is sent to the UE.
步骤712,S-CSCF与HSS之间通过Cx-Put消息,更新HSS上的S-CSCF指示信息,告知HSS该用户后续的处理在本S-CSCF进行。In step 712, the S-CSCF and the HSS update the S-CSCF indication information on the HSS through a Cx-Put message, and inform the HSS that the subsequent processing of the user will be performed in this S-CSCF.
步骤713,S-CSCF与HSS通过Cx-Pull消息获取用户的签约数据信息。In
步骤714,S-CSCF向I-CSCF发送2xx Auth_OK消息,表示鉴权成功。In
步骤715,I-CSCF将上述2xx Auth_OK消息发送给P-CSCF。
步骤716,P-CSCF将上述2xx Auth_OK消息发送给UE。
如图7b所示的步骤721,S-CSCF与HSS之间通过Cx-Put消息,更新HSS上的S-CSCF指示信息,告知HSS该用户后续的处理在本S-CSCF进行。In step 721 shown in Figure 7b, the S-CSCF and the HSS update the S-CSCF indication information on the HSS through a Cx-Put message, and inform the HSS that the subsequent processing of the user is performed in this S-CSCF.
步骤722,S-CSCF与HSS通过Cx-Pull消息获取用户的签约数据信息。In
步骤723,S-CSCF向I-CSCF发送鉴权失败的消息,表示鉴权失败。In step 723, the S-CSCF sends an authentication failure message to the I-CSCF, indicating that the authentication fails.
步骤724,I-CSCF将上述鉴权失败的消息发送给P-CSCF。Step 724, the I-CSCF sends the authentication failure message to the P-CSCF.
步骤725,P-CSCF将上述鉴权失败的消息发送给UE。Step 725, the P-CSCF sends the authentication failure message to the UE.
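The S-CSCF decision in steps 707 to 723 can be sketched as follows. This is an added example, not code from the patent: the class, function and field names, the sample identities and the outcome strings are all hypothetical, and the constant-time comparison, the rejection of empty identities and the failure for an unknown user are choices of this sketch that the text does not specify.

```python
import hmac
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class AuthMode(Enum):
    IMS_AKA = "ims-aka"            # ordinary AKA flow
    ACCESS_BOUND = "access-bound"  # service-layer auth bound to access-layer auth

@dataclass(frozen=True)
class HssAnswer:                   # AV-Req-Resp of step 710 (field names assumed)
    mode: AuthMode
    access_user_id: Optional[str] = None

# Constructed subscription data standing in for the HSS.
HSS_DB = {
    "sip:alice@ims.example": HssAnswer(AuthMode.ACCESS_BOUND, "line-0001@access.example"),
    "sip:bob@ims.example": HssAnswer(AuthMode.IMS_AKA),
}

def ids_match(from_clf: Optional[str], from_hss: Optional[str]) -> bool:
    """Step 711 comparison. A missing or empty value on either side never matches."""
    if not from_clf or not from_hss:
        return False
    return hmac.compare_digest(from_clf.encode(), from_hss.encode())

def scscf_register(impu: str, clf_access_id: Optional[str]):
    """Return (outcome, trace) for one REGISTER reaching the S-CSCF.

    clf_access_id is the query result the P-CSCF attached: the access user
    identity, or None when the CLF reported a query failure.
    """
    trace = ["Cx-Put", "AV-Req"]                       # steps 707-708
    answer = HSS_DB.get(impu)
    if answer is None:                                 # assumption: unknown user fails
        return "auth-failure", trace
    if answer.mode is not AuthMode.ACCESS_BOUND:       # step 709, "otherwise" branch
        return "run-ims-aka", trace
    trace.append("AV-Req-Resp")                        # step 710
    ok = ids_match(clf_access_id, answer.access_user_id)    # step 711
    trace += ["Cx-Put", "Cx-Pull"]                     # steps 712-713 or 721-722
    trace.append("2xx Auth_OK" if ok else "auth-failure")   # step 714 or 723
    return ("auth-ok" if ok else "auth-failure"), trace
```

Treating a failed CLF query and an empty identity as a mismatch keeps the binding fail-closed: a registration with no verifiable access-layer attachment is never accepted on the strength of two missing values comparing equal.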
The above describes only preferred embodiments of the present invention and is not intended to limit it. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.
Claims (11)
Priority Applications (9)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB2005100932168A CN100442926C (en) | 2005-07-05 | 2005-08-19 | A method for binding IP multimedia subsystem authentication and access layer authentication |
| BRPI0612687-1A BRPI0612687B1 (en) | 2005-07-05 | 2006-07-05 | IP MULTIMEDIA SUBSYSTEM AUTHENTICATION METHOD |
| PCT/CN2006/001569 WO2007003140A1 (en) | 2005-07-05 | 2006-07-05 | An authentication method of internet protocol multimedia subsystem |
| AT06753103T ATE453282T1 (en) | 2005-07-05 | 2006-07-05 | AUTHENTICATION PROCEDURE FOR THE IP MULTIMEDIA SUBSYSTEM |
| DE602006011282T DE602006011282D1 (en) | 2005-07-05 | 2006-07-05 | AUTHENTICATION PROCEDURE FOR THE IP MULTIMEDIA SUBSYSTEM |
| EP06753103A EP1853032B1 (en) | 2005-07-05 | 2006-07-05 | An authentication method for the ip multimedia subsystem |
| CN200680010294.XA CN101151869B (en) | 2005-07-05 | 2006-07-05 | Internet protocol multimedia subsystem authorization method |
| US11/842,668 US7974604B2 (en) | 2005-07-05 | 2007-08-21 | Method of authentication in IP multimedia subsystem |
| US13/092,413 US8364121B2 (en) | 2005-07-05 | 2011-04-22 | Method of authentication in IP multimedia subsystem |
Applications Claiming Priority (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200510082907 | 2005-07-05 | ||
| CN200510082907.8 | 2005-07-05 | ||
| CNB2005100932168A CN100442926C (en) | 2005-07-05 | 2005-08-19 | A method for binding IP multimedia subsystem authentication and access layer authentication |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN1893722A (en) | 2007-01-10 |
| CN100442926C (en) | 2008-12-10 |
Family
ID=37598124
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CNB2005100932168A Expired - Lifetime CN100442926C (en) | 2005-07-05 | 2005-08-19 | A method for binding IP multimedia subsystem authentication and access layer authentication |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN100442926C (en) |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2008113292A1 (en) * | 2007-03-16 | 2008-09-25 | Huawei Technologies Co., Ltd. | A method, apparatus and system for obtaining cs domain attaching state |
| WO2009024076A1 (en) * | 2007-08-21 | 2009-02-26 | Huawei Technologies Co., Ltd. | Method for configuring service and entity for storing service configuration |
| CN101291332B (en) * | 2008-05-23 | 2012-06-13 | 中兴通讯股份有限公司 | Implementing method of multimedia name card on terminal |
| CN103581112A (en) * | 2012-07-20 | 2014-02-12 | 中国移动通信集团浙江有限公司 | Authentication method and device for PBX having access to IMS |
| CN104066109A (en) * | 2014-06-30 | 2014-09-24 | 中国联合网络通信集团有限公司 | IMS network registration management method, device and system |
Families Citing this family (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP1853032B1 (en) | 2005-07-05 | 2009-12-23 | Huawei Technologies Co., Ltd. | An authentication method for the ip multimedia subsystem |
Family Cites Families (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| DE10116547A1 (en) * | 2001-04-03 | 2002-10-10 | Nokia Corp | Registration of a terminal in a data network |
| US6859651B2 (en) * | 2002-03-28 | 2005-02-22 | Nokia Corporation | Method and system for re-authentication in IP multimedia core network system (IMS) |
| EP1414212B1 (en) * | 2002-10-22 | 2005-10-12 | Telefonaktiebolaget LM Ericsson (publ) | Method and system for authenticating users in a telecommunication system |
Cited By (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2008113292A1 (en) * | 2007-03-16 | 2008-09-25 | Huawei Technologies Co., Ltd. | A method, apparatus and system for obtaining cs domain attaching state |
| WO2009024076A1 (en) * | 2007-08-21 | 2009-02-26 | Huawei Technologies Co., Ltd. | Method for configuring service and entity for storing service configuration |
| US8265622B2 (en) | 2007-08-21 | 2012-09-11 | Huawei Technologies Co., Ltd. | Method and saving entity for setting service |
| CN101291332B (en) * | 2008-05-23 | 2012-06-13 | 中兴通讯股份有限公司 | Implementing method of multimedia name card on terminal |
| CN103581112A (en) * | 2012-07-20 | 2014-02-12 | 中国移动通信集团浙江有限公司 | Authentication method and device for PBX having access to IMS |
| CN103581112B (en) * | 2012-07-20 | 2016-12-21 | 中国移动通信集团浙江有限公司 | Subscriber exchange accesses method for authenticating and the device of internet protocol multimedia subsystem network |
| CN104066109A (en) * | 2014-06-30 | 2014-09-24 | 中国联合网络通信集团有限公司 | IMS network registration management method, device and system |
| CN104066109B (en) * | 2014-06-30 | 2018-01-26 | 中国联合网络通信集团有限公司 | IMS network registration management method, device and system |
Also Published As
| Publication number | Publication date |
|---|---|
| CN100442926C (en) | 2008-12-10 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101053231A (en) | Message-based conveyance of load control information | |
| CN1674577A (en) | Router and SIP server | |
| CN101064866A (en) | Method and system for routing address of short message | |
| CN1898973A (en) | Method and apparatus to facilitate inter-an hrpd hard handoff | |
| CN1820490A (en) | Communication system, call connection server, terminal device, and communication method | |
| CN101052154A (en) | IP multimedia sub system and its coding and decoding switching control method | |
| CN1859395A (en) | IP Multimedia Subsystem Service Realization System and Method | |
| CN101052161A (en) | Method and system for realizing IMS business intercommunication | |
| CN1897578A (en) | Message conversion and converting system | |
| CN1794675A (en) | Method of establishing instant data transmission channel to realize instant message transmission | |
| CN101030964A (en) | Session controller and controlling method | |
| CN1832473A (en) | A method and device for processing session messages in IMS network | |
| CN1716953A (en) | Methods for Session Initiation Protocol Authentication | |
| CN1893427A (en) | Method for conducting business support ability consultation | |
| CN1913437A (en) | Initial session protocol application network and device and method for set-up safety channel | |
| CN1870777A (en) | Method, network and equipment for selecting called route | |
| CN101047655A (en) | Message route method and system based on IP transmission | |
| CN1859380A (en) | Method for obtaining off line message | |
| CN1842211A (en) | A method and system for implementing routing control | |
| CN1913503A (en) | Control method and system of session route path | |
| CN1925519A (en) | Telephone call method and telephone terminal | |
| CN1968138A (en) | Subscriber registration information management method and apparatus in IMS network | |
| CN101060703A (en) | User equipment switching policy and charging control method | |
| CN101047629A (en) | Implementing method of customer multi-media tag service | |
| CN1893722A (en) | Method for binding IP multi-media subsystem authentication and acess-in layer authentication |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| CX01 | Expiry of patent term | ||
| CX01 | Expiry of patent term | Granted publication date: 20081210 | |