[go: up one dir, main page]

CN101001145B - Authentication method for supporting terminal roaming of non-IP multimedia service subsystem - Google Patents

Authentication method for supporting terminal roaming of non-IP multimedia service subsystem Download PDF

Info

Publication number
CN101001145B
CN101001145B CN2006100055419A CN200610005541A CN101001145B CN 101001145 B CN101001145 B CN 101001145B CN 2006100055419 A CN2006100055419 A CN 2006100055419A CN 200610005541 A CN200610005541 A CN 200610005541A CN 101001145 B CN101001145 B CN 101001145B
Authority
CN
China
Prior art keywords
authentication
cscf
mode
authenticating result
parameter
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN2006100055419A
Other languages
Chinese (zh)
Other versions
CN101001145A (en
Inventor
何承东
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Priority to CN2006100055419A priority Critical patent/CN101001145B/en
Publication of CN101001145A publication Critical patent/CN101001145A/en
Application granted granted Critical
Publication of CN101001145B publication Critical patent/CN101001145B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Mobile Radio Communication Systems (AREA)

Abstract

本发明公开了一种NGN网络中支持非IMS终端漫游的认证方法,包括:S-CSCF收到P-CSCF/I-CSCF发来的包含位置信息的注册报文,并向UPSF查询鉴权方式和鉴权数据后,根据从UPSF返回的混合鉴权信息,对UE进行鉴权处理得到鉴权结果,并将所述鉴权结果发送给UE。本发明给出的鉴权方案配置简单,后向兼容性好,对现有规范影响小,方案的扩展也很自然,容易实现,从而可以为用户提供灵活的鉴权方式的支持。

Figure 200610005541

The invention discloses an authentication method supporting non-IMS terminal roaming in an NGN network, comprising: S-CSCF receives a registration message containing location information sent by P-CSCF/I-CSCF, and queries UPSF for an authentication method After summing up the authentication data, according to the hybrid authentication information returned from the UPSF, the UE is authenticated to obtain an authentication result, and the authentication result is sent to the UE. The authentication scheme provided by the invention is simple in configuration, good in backward compatibility, has little influence on the existing norms, and the expansion of the scheme is natural and easy to realize, thereby providing support for flexible authentication modes for users.

Figure 200610005541

Description

支持非IP多媒体业务子系统终端漫游的认证方法 Authentication method supporting non-IP multimedia service subsystem terminal roaming

技术领域technical field

本发明涉及因特网协议(IP)多媒体业务子系统(IMS)领域,特别是一种下一代(NGN)网络中支持IP多媒体业务子系统终端漫游的认证方法。 The invention relates to the field of Internet Protocol (IP) Multimedia Service Subsystem (IMS), in particular to an authentication method for supporting IP Multimedia Service Subsystem terminal roaming in the next generation (NGN) network. the

背景技术Background technique

在固定下一代(NGN)网络以及移动网络中,通常可以将网络分为接入网络和业务网络。用户通过接入网络运营商的接入网络接入到IP网络上,然后再通过一个或多个业务网络运营商的业务网络享用不同的业务,例如语音、视频、流媒体等业务。 In a fixed next generation (NGN) network and a mobile network, the network can generally be divided into an access network and a service network. Users access the IP network through the access network of the access network operator, and then enjoy different services, such as voice, video, and streaming media, through the service network of one or more service network operators. the

如果接入网络和业务网络不属于同一个运营商时,接入网络对用户的鉴权和业务网络对用户的鉴权是相互独立的。在此种情况下,一个用户若要享用某种业务,通常需要两次鉴权,一次为接入层的鉴权,在通过接入层的鉴权后用户能够接入到NGN网络;另一次为业务层的鉴权,在通过业务层鉴权后用户可以享用该业务网络提供的业务。 If the access network and the service network do not belong to the same operator, the authentication of the user by the access network and the authentication of the user by the service network are independent of each other. In this case, if a user wants to enjoy a certain service, usually two authentications are required, one is the authentication of the access layer, after passing the authentication of the access layer, the user can access the NGN network; the other is the authentication of the access layer. For the authentication of the service layer, the user can enjoy the services provided by the service network after passing the authentication of the service layer. the

如果业务网络和接入网络属于同一个运营商时,或者业务网络运营商和接入网络运营商之间存在某种合作关系时,在某些组网情况下,业务网络运营商可以将业务层的鉴权同接入层的鉴权绑定,即在用户通过接入层鉴权后,就认为该用户是安全的,不再需要进行业务层的鉴权。为便于以后的描述,这种鉴权方式称为“IMS业务层鉴权和接入层鉴权绑定”鉴权方式,即NASS-Bundled鉴权方式。 If the service network and the access network belong to the same operator, or there is a cooperative relationship between the service network operator and the access network operator, in some networking situations, the service network operator can The authentication of the access layer is bound with the authentication of the access layer, that is, after the user passes the authentication of the access layer, the user is considered to be safe, and the authentication of the service layer is no longer required. For the convenience of description later, this authentication method is called "IMS service layer authentication and access layer authentication binding" authentication method, that is, NASS-Bundled authentication method. the

目前电信和互联网融合业务以及高级网络协议(TISPAN)的鉴权方式方式有三种:HTTP DIGEST AKA、HTTP DIGEST、NASS-Bundled。对于有IP多媒体用户标识模块或通用用户标识模块(ISIM/USIM)的IMS终端 用户,其认证方式由终端能力决定,此时只能采用HTTP DIGEST AKA鉴权方式以提高安全性;对于没有ISIM/USIM的非IMS终端用户,其认证方式由网络侧用户数据库服务实体UPSF实体中的配置决定,此时可能采用HTTP DIGEST或者NASS-Bundled中的一种鉴权方式。 At present, there are three authentication methods for telecommunications and Internet convergence services and advanced network protocols (TISPAN): HTTP DIGEST AKA, HTTP DIGEST, and NASS-Bundled. For IMS terminal users with IP Multimedia Subscriber Identity Module or Universal Subscriber Identity Module (ISIM/USIM), the authentication method is determined by the terminal capability. At this time, only HTTP DIGEST AKA authentication method can be used to improve security; for users without ISIM/USIM For non-IMS terminal users of USIM, the authentication method is determined by the configuration in the UPSF entity of the user database service entity on the network side. At this time, an authentication method in HTTP DIGEST or NASS-Bundled may be used. the

参考图1,NASS-Bundled鉴权方式的流程如下: Referring to Figure 1, the flow of the NASS-Bundled authentication method is as follows:

步骤101,网络附着子系统(NASS)接入层附着认证,在连接位置功能实体(Connection Location Function,CLF)上记录用户终端(UE)的位置信息。 Step 101, network attachment subsystem (NASS) access layer attach authentication, and record the location information of the user terminal (UE) on the connection location function entity (Connection Location Function, CLF). the

步骤102,UE向代理呼叫会话控制功能实体(Proxy-Call Session ControlFunction,P-CSCF)发送注册报文REGISTER消息,该报文携带有接入运营商标识及接入用户标识。 Step 102, the UE sends a registration message REGISTER message to the Proxy-Call Session Control Function (P-CSCF), and the message carries the access operator ID and the access user ID. the

步骤103,P-CSCF通过检查REGISTER消息中是否包含安全协商参数(例如Security-Client)来判断是否需要建立和UE之间的安全联盟。如果有此参数,则需要建立,如果没有此参数,则不需要建立。一般来说,密钥协商(HTTP DIGEST AKA)的情况肯定有此参数,而NASS-Bundled和超文本传输协议摘要(HTTP DIGEST)的情况肯定没有此参数。 In step 103, the P-CSCF judges whether it is necessary to establish a security association with the UE by checking whether the REGISTER message contains security negotiation parameters (such as Security-Client). If there is this parameter, it needs to be established; if there is no such parameter, it does not need to be established. In general, the case of Key Agreement (HTTP DIGEST AKA) definitely has this parameter, while the case of NASS-Bundled and Hypertext Transfer Protocol Digest (HTTP DIGEST) definitely does not. the

步骤104,P-CSCF根据注册报文中的接入运营商标识以及预先设置的接入运营商标识与CLF之间的对应关系确定CLF。然后,P-CSCF根据注册报文的源IP地址,在上面确定的CLF中查询用户的位置信息。 In step 104, the P-CSCF determines the CLF according to the access operator ID in the registration message and the preset correspondence between the access operator ID and the CLF. Then, the P-CSCF queries the location information of the user in the CLF determined above according to the source IP address of the registration message. the

步骤105,由于CLF中预先保存了与源IP地址对应的位置信息,因此在本步骤中CLF向P-CSCF返回相应的位置信息及其他信息。 Step 105, since the location information corresponding to the source IP address is stored in the CLF in advance, so in this step, the CLF returns the corresponding location information and other information to the P-CSCF. the

步骤106,P-CSCF将携带上一步骤中查询得到的位置信息及其他信息的注册报文REGISTER发送给询问呼叫会话控制功能实体(Interrogaing-CallSession Control Function,I-CSCF)。 Step 106, P-CSCF sends the registration message REGISTER carrying the location information and other information queried in the previous step to the Interrogating-Call Session Control Function (I-CSCF). the

步骤107,I-CSCF向用户数据库(UPSF)发送用户授权请求(UAR)消息。 In step 107, the I-CSCF sends a user authorization request (UAR) message to the user database (UPSF). the

步骤108,UPSF返回用户授权应答(UAA)消息。 In step 108, the UPSF returns a User Authorization Answer (UAA) message. the

步骤109,I-CSCF根据从UPSF返回的消息选择相应的服务呼叫会话控制功能实体(Service-Call Session Control Function,S-CSCF),即选择由哪个S-CSCF处理该注册报文。 Step 109, the I-CSCF selects the corresponding Service-Call Session Control Function (Service-Call Session Control Function, S-CSCF) according to the message returned from the UPSF, that is, selects which S-CSCF to process the registration message. the

步骤110,I-CSCF将包括上述位置信息的注册报文REGISTER转发给上面确定的S-CSCF。 Step 110, the I-CSCF forwards the registration message REGISTER including the above location information to the S-CSCF determined above. the

步骤111,S-CSCF通过REGISTER消息中是否包含Integrity-Protected参数来判断是哪种认证方式。如果有此参数,则肯定是HTTP DIGEST AKA方式,S-CSCF发给UPSF的鉴权请求只是为了请求鉴权参数;如果没有此参数,则需要向UPSF查询配置的鉴权方式,S-CSCF发给UPSF的请求是为了请求鉴权方式和相应的鉴权参数。由于这里采用NASS-Bundled鉴权方式,所以REGISTER消息中不包含Integrity-Protected参数。S-CSCF向UPSF发送多媒体鉴权请求(MAR)消息,请求用户的鉴权向量和相应的鉴权参数。 In step 111, the S-CSCF judges which authentication method it is based on whether the REGISTER message contains the Integrity-Protected parameter. If there is this parameter, it must be the HTTP DIGEST AKA method. The authentication request sent by S-CSCF to UPSF is only to request authentication parameters; The request to UPSF is to request authentication mode and corresponding authentication parameters. Since the NASS-Bundled authentication method is adopted here, the Integrity-Protected parameter is not included in the REGISTER message. The S-CSCF sends a Multimedia Authentication Request (MAR) message to the UPSF, requesting the user's authentication vector and corresponding authentication parameters. the

步骤112,UPSF检查用户的鉴权签约数据,发现该用户的鉴权方式是NASS-Bundled鉴权方式。 In step 112, the UPSF checks the authentication subscription data of the user, and finds that the authentication method of the user is NASS-Bundled authentication method. the

步骤113,UPSF向S-CSCF发送多媒体鉴权应答(MAA)消息,返回用户的鉴权方式和鉴权参数即位置信息。 In step 113, the UPSF sends a Multimedia Authentication Response (MAA) message to the S-CSCF, and returns the user's authentication method and authentication parameters, that is, location information. the

步骤114,S-CSCF比较从P-CSCF传来的位置信息与从UPSF查询得到的位置信息,如果一致,则说明鉴权成功,执行步骤115及其后续流程,即向UE发送鉴权成功的消息;如果不一致,则说明鉴权失败,执行步骤115及其后续步骤,即向UE发送鉴权失败的消息。 In step 114, the S-CSCF compares the location information sent from the P-CSCF with the location information obtained from the UPSF query. If they are consistent, it means that the authentication is successful. Step 115 and its subsequent procedures are executed, that is, sending a successful authentication message to the UE. message; if inconsistent, it means that the authentication fails, and step 115 and its subsequent steps are executed, that is, a message of authentication failure is sent to the UE. the

步骤115,S-CSCF向I-CSCF发送2xx Auth_OK消息,表示鉴权成功。 In step 115, the S-CSCF sends a 2xx Auth_OK message to the I-CSCF, indicating that the authentication is successful. the

步骤116,I-CSCF将上述2xx Auth_OK消息发送给P-CSCF。 Step 116, I-CSCF sends the above 2xx Auth_OK message to P-CSCF. the

步骤117,P-CSCF将上述2xx Auth_OK消息发送给UE。 Step 117, P-CSCF sends the above 2xx Auth_OK message to UE. the

如果鉴权失败,在步骤115至步骤117中发送表示鉴权失败的消息。 If the authentication fails, a message indicating the authentication failure is sent in step 115 to step 117 . the

参考图2,HTTP DIGEST鉴权机制的流程大致如下: Referring to Figure 2, the process of the HTTP DIGEST authentication mechanism is roughly as follows:

步骤201,UE向P-CSCF发送注册报文REGISTER。 Step 201, UE sends a registration message REGISTER to P-CSCF. the

步骤202,P-CSCF通过检查REGISTER消息中是否包含安全协商参数(例如Security-Client)来判断是否需要建立和UE之间的安全联盟。如果有此参数,则需要建立,如果没有此参数,则不需要建立。一般来说,密钥协商(HTTP DIGEST AKA)的情况肯定有此参数,而NASS-Bundled和超文本传输协议摘要(HTTP DIGEST)的情况肯定没有此参数。 In step 202, the P-CSCF judges whether it needs to establish a security association with the UE by checking whether the REGISTER message contains security negotiation parameters (such as Security-Client). If there is this parameter, it needs to be established; if there is no such parameter, it does not need to be established. In general, the case of Key Agreement (HTTP DIGEST AKA) definitely has this parameter, while the case of NASS-Bundled and Hypertext Transfer Protocol Digest (HTTP DIGEST) definitely does not. the

步骤203,P-CSCF将UE的注册报文REGISTER转发给I-CSCF。该报文中还携带了P-CSCF从CLF查询得到的UE的位置信息。 In step 203, the P-CSCF forwards the REGISTER message of the UE to the I-CSCF. The message also carries the location information of the UE obtained by the P-CSCF from the CLF. the

步骤204,I-CSCF跟UPSF之间通过Cx-Selection-Info消息选择相应的S-CSCF,即I-CSCF向UPSF发出请求,查找UPSF中的用户属性来确定由哪个S-CSCF处理该注册报文。 Step 204, the I-CSCF and the UPSF select the corresponding S-CSCF through the Cx-Selection-Info message, that is, the I-CSCF sends a request to the UPSF to search the user attributes in the UPSF to determine which S-CSCF handles the registration report arts. the

步骤205,I-CSCF将UE的注册报文REGISTER转发给步骤204中所确定S-CSCF。 In step 205, the I-CSCF forwards the UE's REGISTER message to the S-CSCF determined in step 204. the

步骤206,S-CSCF通过REGISTER消息中是否包含Integrity-Protected参数来判断是哪种认证方式。如果有此参数,则肯定是HTTP DIGEST AKA方式,S-CSCF发给UPSF的鉴权请求只是为了请求鉴权参数;如果没有此参数,则需要向UPSF查询配置的鉴权方式,S-CSCF发给UPSF的请求是为了请求鉴权方式和相应的鉴权参数。由于这里采用HTTP DIGEST鉴权方式,所以REGISTER消息中不包含Integrity-Protected参数。S-CSCF与UPSF之间通过Cx-Put消息,更新UPSF上的S-CSCF指示信息,告知UPSF该用户后续的处理在本S-CSCF进行。 In step 206, the S-CSCF judges which authentication method it is based on whether the REGISTER message contains the Integrity-Protected parameter. If there is this parameter, it must be the HTTP DIGEST AKA method. The authentication request sent by S-CSCF to UPSF is only to request authentication parameters; The request to UPSF is to request authentication mode and corresponding authentication parameters. Since the HTTP DIGEST authentication method is used here, the Integrity-Protected parameter is not included in the REGISTER message. The S-CSCF and the UPSF update the S-CSCF indication information on the UPSF through the Cx-Put message, and inform the UPSF that the subsequent processing of the user will be performed in this S-CSCF. the

步骤207,S-CSCF向UPSF发送MAR消息,请求该用户的鉴权方式和鉴权数据。 In step 207, the S-CSCF sends a MAR message to the UPSF, requesting the user's authentication method and authentication data. the

步骤208,UPSF检查用户的鉴权签约数据,根据鉴权签约数据得到该用户的鉴权方式是HTTP DIGEST鉴权方式,并产生例如nonce等鉴权向量以及期望结果(XRES)等等。 Step 208, UPSF checks the user's authentication subscription data, obtains the authentication method of the user according to the authentication subscription data is the HTTP DIGEST authentication method, and generates authentication vectors such as nonce and expected results (XRES) and the like. the

步骤209,UPSF向S-CSCF发送MAR消息,将该用户的鉴权方式信息HTTP DIGEST以及鉴权参数nonce、期望结果(XRES)等发送给S-CSCF。 In step 209, the UPSF sends a MAR message to the S-CSCF, and sends the user's authentication method information HTTP DIGEST, authentication parameter nonce, expected result (XRES), etc. to the S-CSCF. the

步骤210,S-CSCF计算期望结果XRES。 Step 210, the S-CSCF calculates the expected result XRES. the

步骤211,S-CSCF得到鉴权方式信息并保存XRES,然后向I-CSCF发送“4xx Auth_Challenge”消息,该消息的WWW-Authenticate头中Algorithm参数表示采用HTTP DIGEST鉴权方式。 In step 211, the S-CSCF obtains the authentication method information and saves the XRES, and then sends a "4xx Auth_Challenge" message to the I-CSCF. The Algorithm parameter in the WWW-Authenticate header of the message indicates that the HTTP DIGEST authentication method is adopted. the

步骤212,I-CSCF将“4xx Auth_Challenge”消息发送给P-CSCF,该消息的WWW-Authenticate头中Algorithm参数表示采用HTTP DIGEST鉴权方式。 In step 212, the I-CSCF sends a "4xx Auth_Challenge" message to the P-CSCF, and the Algorithm parameter in the WWW-Authenticate header of the message indicates that the HTTP DIGEST authentication method is adopted. the

步骤213,P-CSCF将“4xx Auth_Challenge”消息发送给UE。 In step 213, the P-CSCF sends a "4xx Auth_Challenge" message to the UE. the

步骤214,UE接收到“4xx Auth_Challenge”消息后,发现Algorithm参数表示HTTP DIGEST鉴权方式,重新向P-CSCF发送注册报文REGISTER,并携带用于鉴权的响应(RES)。 Step 214: After receiving the "4xx Auth_Challenge" message, the UE finds that the Algorithm parameter indicates the HTTP DIGEST authentication method, and re-sends the registration message REGISTER to the P-CSCF, and carries a response (RES) for authentication. the

步骤215,P-CSCF将携带RES的注册报文REGISTER发送给I-CSCF。 Step 215, P-CSCF sends the registration message REGISTER carrying RES to I-CSCF. the

步骤216,I-CSCF与UPSF之间通过Cx-Query确定该UE注册报文给哪个S-CSCF处理,即I-CSCF向UPSF查询该注册报文给哪个S-CSCF处理,UPSF根据保存的S-CSCF指示信息告知I-CSCF处理该注册报文的S-CSCF。在以下步骤中,S-CSCF将鉴权成功或鉴权失败的消息发送给UE。 Step 216, the I-CSCF and the UPSF determine which S-CSCF to process the UE registration message through Cx-Query, that is, the I-CSCF inquires from the UPSF which S-CSCF the registration message is to process, and the UPSF uses the saved S-CSCF to process the registration message. - The CSCF indication information informs the I-CSCF to process the S-CSCF of the registration message. In the following steps, the S-CSCF sends the authentication success or authentication failure message to the UE. the

步骤217,I-CSCF将注册报文REGISTER转发给步骤216确定的S-CSCF。 In step 217, the I-CSCF forwards the registration message REGISTER to the S-CSCF determined in step 216. the

步骤218,S-CSCF比较从UPSF获得的XRES和UE发送过来的RES,当两者一致时,说明鉴权成功,当两者不一致时,说明鉴权失败。 In step 218, the S-CSCF compares the XRES obtained from the UPSF with the RES sent from the UE. If the two are consistent, it means that the authentication is successful, and when the two are inconsistent, it means that the authentication fails. the

步骤219,S-CSCF与UPSF之间通过Cx-Put消息,更新UPSF上的S-CSCF指示信息,告知UPSF该用户后续的处理在本S-CSCF进行。 In step 219, the S-CSCF and the UPSF update the S-CSCF indication information on the UPSF through a Cx-Put message, and inform the UPSF that the subsequent processing of the user will be performed in this S-CSCF. the

步骤220,S-CSCF与UPSF通过Cx-Pull消息获取用户的签约数据信息。 In step 220, the S-CSCF and the UPSF obtain the subscription data information of the user through the Cx-Pull message. the

步骤221,S-CSCF向I-CSCF发送表示鉴权成功的200消息,或者表示鉴权失败的403 Forbidden消息。在图中仅以鉴权成功时的200消息表示。 In step 221, the S-CSCF sends a 200 message indicating that the authentication is successful, or a 403 Forbidden message indicating that the authentication fails to the I-CSCF. In the figure, it is only represented by a 200 message when the authentication is successful. the

步骤222,I-CSCF将上述消息发送给P-CSCF。 Step 222, the I-CSCF sends the above message to the P-CSCF. the

步骤223,P-CSCF将上述消息发送给UE。 Step 223, the P-CSCF sends the above message to the UE. the

因此对于任何一个用户,目前一次注册过程中只能使用其中一种鉴权方式。但是可能有这样一种应用场景:对于使用NASS-Bundled鉴权方式的非IMS终端,用户可能希望游牧到外地时也能够通过相同的终端来访问网络,就像使用手机一样使用固定终端。但由于游牧时用户的位置信息发生了变化,如果仍然采用NASS-Bundled鉴权方式,则用户鉴权必然会失败,从而影响用户对网络的使用。如果此时可以考虑再采用HTTP DIGEST鉴权方式来鉴权用户,则可以为用户提供灵活的鉴权支持和网络服务。 Therefore, for any user, only one of the authentication methods can be used in a current registration process. However, there may be such an application scenario: for a non-IMS terminal using NASS-Bundled authentication, the user may wish to access the network through the same terminal when nomadic in other places, using a fixed terminal just like using a mobile phone. However, since the user's location information changes when nomadic, if the NASS-Bundled authentication method is still used, the user authentication will inevitably fail, which will affect the user's use of the network. If you can consider using the HTTP DIGEST authentication method to authenticate users at this time, you can provide users with flexible authentication support and network services. the

我司在申请号为200510109162.X的专利申请中提出了在UPSF中预先配置用户的鉴权方式为“缺省采用NASS-Bundled方式,失败的话再采用HTTP DIGEST AKA或者HTTP DIGEST方式”的技术方案。在该方案中,S-CSCF查询到该用户使用上述鉴权方式后,优先采用NASS-Bundled鉴权方式,如果失败,再转HTTP DIGEST AKA或者HTTP DIGEST鉴权方式对用户进行认证。 In the patent application with the application number 200510109162.X, our company proposed the technical solution of pre-configuring the user authentication method in UPSF as "NASS-Bundled by default, and HTTP DIGEST AKA or HTTP DIGEST if it fails". . In this scheme, after the S-CSCF finds out that the user uses the above authentication methods, the NASS-Bundled authentication method is used first, and if it fails, the HTTP DIGEST AKA or HTTP DIGEST authentication method is used to authenticate the user. the

下面以NASS-Bundled鉴权失败后采用再采用HTTP DIGEST鉴权方式进行鉴权为例说明。图3是该方法的流程示意图,其中311步骤中的子步骤B请参考图2中209以后的步骤。该方法包括以下步骤: The following uses the HTTP DIGEST authentication method for authentication after NASS-Bundled authentication fails as an example. FIG. 3 is a schematic flowchart of the method, wherein for sub-step B in step 311, please refer to the steps after 209 in FIG. 2 . The method includes the following steps:

步骤301,UE向P-CSCF发送注册报文REGISTER,该报文携带有接入运营商标识及接入用户标识。 In step 301, the UE sends a registration message REGISTER to the P-CSCF, and the message carries an access operator ID and an access user ID. the

步骤302,P-CSCF根据注册报文中的接入运营商标识以及预先设置的接入运营商标识与CLF之间的对应关系确定CLF。 In step 302, the P-CSCF determines the CLF according to the access operator ID in the registration message and the preset correspondence between the access operator ID and the CLF. the

步骤303,P-CSCF根据注册报文中的接入用户标识,在上面确定的CLF中查询用户在接入层的附着信息。CLF中预先保存了与私有用户标识对应的附着信息的数据记录,所述附着信息包括IP地址信息、位置信息等。 In step 303, the P-CSCF searches the CLF determined above for the attachment information of the user at the access layer according to the access user identifier in the registration message. The data record of attachment information corresponding to the private user identifier is pre-stored in the CLF, and the attachment information includes IP address information, location information, and the like. the

步骤304,P-CSCF将携带上一步骤中查询的到的接入层附着信息的注册报文REGISTER以及P-CSCF所接收的该注册报文源IP地址发送给I-CSCF。 In step 304, the P-CSCF sends the registration message REGISTER carrying the access layer attachment information queried in the previous step and the source IP address of the registration message received by the P-CSCF to the I-CSCF. the

步骤305,I-CSCF跟UPSF之间通过Cx-Selection-Info消息选择相应的S-CSCF,即I-CSCF向UPSF发出请求,查找UPSF中的用户属性来确定由哪个S-CSCF处理该注册报文。 Step 305: The I-CSCF and the UPSF select the corresponding S-CSCF through the Cx-Selection-Info message, that is, the I-CSCF sends a request to the UPSF to search the user attributes in the UPSF to determine which S-CSCF will handle the registration report arts. the

步骤306,I-CSCF将包括上述查询结果的注册报文REGISTER以及P-CSCF所接收的注册报文源IP地址转发给步骤305确定的S-CSCF。 Step 306 , the I-CSCF forwards the registration message REGISTER including the above query result and the source IP address of the registration message received by the P-CSCF to the S-CSCF determined in step 305 . the

步骤307,S-CSCF与UPSF之间通过Cx-Put消息,更新UPSF上的S-CSCF指示信息,告知UPSF该用户后续的处理在本S-CSCF进行。 In step 307, the S-CSCF and the UPSF update the S-CSCF indication information on the UPSF through a Cx-Put message, and inform the UPSF that the subsequent processing of the user will be performed in this S-CSCF. the

步骤308,S-CSCF向UPSF发送MAR消息,请求该用户的鉴权向量。 In step 308, the S-CSCF sends a MAR message to the UPSF to request the user's authentication vector. the

步骤309,UPSF检查用户的鉴权签约数据,根据鉴权签约数据得到该用户的鉴权方式缺省为IMS业务层鉴权与接入层鉴权绑定,失败之后再采用HTTP DIGEST鉴权方式或HTTP DIGEST AKA鉴权方式。这里以失败之后再采用HTTP DIGEST鉴权方式为例。 Step 309, UPSF checks the user's authentication subscription data, and obtains the user's authentication method according to the authentication subscription data. The default is the binding of IMS service layer authentication and access layer authentication, and then adopts HTTP DIGEST authentication method after failure Or HTTP DIGEST AKA authentication method. Here, the HTTP DIGEST authentication method is used as an example after failure. the

步骤310,UPSF向S-CSCF发送MAA消息,将该用户的鉴权方式信息发送给S-CSCF,即:IMS业务层鉴权和接入层鉴权绑定鉴权方式及鉴权参数位置信息(缺省);HTTP DIGEST鉴权方式及鉴权参数XRES或者HTTPDIGEST AKA鉴权方式及鉴权参数。 Step 310, UPSF sends MAA message to S-CSCF, and sends the user's authentication mode information to S-CSCF, namely: IMS service layer authentication and access layer authentication binding authentication mode and authentication parameter location information (default); HTTP DIGEST authentication method and authentication parameters XRES or HTTPDIGEST AKA authentication method and authentication parameters. the

步骤311,S-CSCF保存所有的鉴权方式以及相应的鉴权向量。S-CSCF判断REGISTER的源IP地址与所述从CLF查询得到的附着信息中的IP地址信息是否一致,或者比较从CLF查询得到的接入层用户标识于UPSF下发的接入层用户标识是否一致,如果一致,则说明鉴权成功,执行步骤312及其后续流程,即向UE发送鉴权成功的消息;如果不一致,则说明鉴权失败,执行图2中步骤209之后的步骤,即再采用HTTP DIGEST鉴权方式或HTTPDIGEST AKA鉴权方式进行鉴权,这里以HTTP DIGEST鉴权方式为例。 In step 311, the S-CSCF saves all authentication modes and corresponding authentication vectors. The S-CSCF judges whether the source IP address of the REGISTER is consistent with the IP address information in the attachment information obtained from the CLF query, or compares whether the access layer user ID obtained from the CLF query is the same as the access layer user ID issued by the UPSF Consistent, if they are consistent, then the authentication is successful, and step 312 and its subsequent processes are executed, that is, a message of successful authentication is sent to the UE; Use the HTTP DIGEST authentication method or the HTTP DIGEST AKA authentication method for authentication. Here, the HTTP DIGEST authentication method is used as an example. the

步骤312,S-CSCF与UPSF之间通过Cx-Put消息,更新UPSF上的S-CSCF指示信息,告知UPSF该用户后续的处理在本S-CSCF进行。 In step 312, the S-CSCF and the UPSF update the S-CSCF indication information on the UPSF through a Cx-Put message, and inform the UPSF that the subsequent processing of the user will be performed in this S-CSCF. the

步骤313,S-CSCF与UPSF通过Cx-Pull消息获取用户的签约数据信息。 In step 313, the S-CSCF and the UPSF obtain the subscription data information of the user through the Cx-Pull message. the

步骤314,S-CSCF向I-CSCF发送2xx Auth_OK消息,表示鉴权成功。 In step 314, the S-CSCF sends a 2xx Auth_OK message to the I-CSCF, indicating that the authentication is successful. the

步骤315,I-CSCF将上述2xx Auth_OK消息发送给P-CSCF。 Step 315, I-CSCF sends the above 2xx Auth_OK message to P-CSCF. the

步骤316,P-CSCF将上述2xx Auth_OK消息发送给UE。 Step 316, the P-CSCF sends the above 2xx Auth_OK message to the UE. the

虽然上述现有技术提供了混合的多种鉴权方式,但是在UPSF中需要配置NASS-Bundled/HTTP DIGEST AKA两种鉴权方式混合的方式或者是NASS-Bundled/HTTP DIGEST两种鉴权方式混合的方式,配置比较复杂,对TISPAN的最新规定的规范影响比较大。另外,按照TISPAN的最新规定,NASS-Bundled/HTTP DIGEST这两种认证方式只能在用户终端没有ISIM/USIM的情况下使用。如果用户终端有ISIM/USIM的话,只能采用HTTP DIGEST AKA认证方式,以提高安全性。这样的话,上述“缺省NAS S-Bundled,失败转HTTP DIGEST AKA或者HTTP DIGEST”的认证方式就有问题,NASS-Bundled失败只能转HTTP DIGEST认证,而不能再转HTTP DIGEST AKA方式。 Although the above existing technologies provide a variety of mixed authentication methods, UPSF needs to configure the mixed authentication methods of NASS-Bundled/HTTP DIGEST AKA or the mixed authentication methods of NASS-Bundled/HTTP DIGEST The configuration is relatively complicated, and has a great impact on the latest TISPAN specification. In addition, according to the latest regulations of TISPAN, the two authentication methods of NASS-Bundled/HTTP DIGEST can only be used when the user terminal does not have ISIM/USIM. If the user terminal has ISIM/USIM, only HTTP DIGEST AKA authentication can be used to improve security. In this case, the above-mentioned "default NAS S-Bundled, fail to transfer to HTTP DIGEST AKA or HTTP DIGEST" authentication method has a problem. If NASS-Bundled fails, it can only transfer to HTTP DIGEST authentication, but not to HTTP DIGEST AKA. the

发明内容Contents of the invention

有鉴于此,本发明的目的在于提出与现有规范兼容性较好的混合的鉴权方式。 In view of this, the purpose of the present invention is to propose a hybrid authentication method with better compatibility with existing specifications. the

根据上述目的,本发明提供了一种下一代网络中支持非IMS终端漫游的认证方法,其特征在于,该方法包括以下步骤:S-CSCF收到P-CSCF通过I-CSCF转发的包含位置信息的注册报文,并向UPSF查询鉴权方式和鉴权数据后,根据从UPSF返回的混合鉴权信息,对UE进行鉴权处理得到鉴权结果,并将所述鉴权结果发送给UE; According to the above purpose, the present invention provides an authentication method supporting non-IMS terminal roaming in the next generation network, which is characterized in that the method includes the following steps: S-CSCF receives the location information forwarded by P-CSCF through I-CSCF registration message, and query the authentication mode and authentication data from the UPSF, perform authentication processing on the UE to obtain the authentication result according to the mixed authentication information returned from the UPSF, and send the authentication result to the UE;

所述混合鉴权信息为:鉴权方式为第二鉴权方式,鉴权参数为第二鉴权方式的鉴权参数以及IMS业务层鉴权和接入层鉴权绑定鉴权方式的鉴权参数位置信息;或者鉴权方式为IMS业务层鉴权和接入层鉴权绑定鉴权方式,鉴权参数为IMS业务层鉴权和接入层鉴权绑定鉴权方式的鉴权数据即位置信息以及第二鉴权方式的鉴权参数;或鉴权方式为IMS业务层鉴权和接入层鉴权绑定鉴权方式、鉴权参数为IMS业务层鉴权和接入层鉴权绑定鉴权方式鉴权参数位置信息及IMS业务层鉴权和接入层鉴权绑定鉴权方式的优先级,以及鉴权方式为第二鉴权方式,鉴权参数为第二鉴权方式鉴权参数及第二鉴权方式的优先级; The mixed authentication information is: the authentication method is the second authentication method, the authentication parameter is the authentication parameter of the second authentication method and the authentication method of the IMS service layer authentication and the access layer authentication binding authentication method The location information of the authorization parameter; or the authentication mode is the binding authentication mode of the IMS service layer authentication and the access layer authentication, and the authentication parameter is the authentication of the binding authentication mode of the IMS service layer authentication and the access layer authentication The data is location information and authentication parameters of the second authentication mode; or the authentication mode is IMS service layer authentication and access layer authentication binding authentication mode, and the authentication parameters are IMS service layer authentication and access layer authentication Authentication binding authentication method authentication parameter position information and IMS service layer authentication and access layer authentication binding authentication method priority, and the authentication method is the second authentication method, and the authentication parameter is the second Authentication method authentication parameters and the priority of the second authentication method;

所述第二鉴权方式为超文本传输协议摘要HTTP DIGEST鉴权方式。 The second authentication method is the Hypertext Transfer Protocol Digest HTTP DIGEST authentication method. the

在上述技术方案中,所述混合鉴权信息为:鉴权方式为第二鉴权方式,鉴权参数为第二鉴权方式的鉴权参数以及IMS业务层鉴权和接入层鉴权绑定鉴权方式的鉴权参数位置信息;所述对UE进行鉴权处理得到鉴权结果并将所述鉴权结果发送给UE的步骤包括:S-CSCF判断收到的鉴权参数中是否包括有效的位置信息,如果是,则先采用IMS业务层鉴权和接入层鉴权绑定鉴权方式对UE进行鉴权得到鉴权结果,在鉴权结果为成功时将该鉴权结果发送给UE,在鉴权结果为失败时再采用第二鉴权方式对UE进行鉴权得到鉴权结果并将该鉴权结果发送给UE;否则直接采用第二鉴权方式对UE进行鉴权得到鉴权结果,并将该鉴权结果发送给UE。 In the above technical solution, the mixed authentication information is: the authentication method is the second authentication method, the authentication parameter is the authentication parameter of the second authentication method and the binding of IMS service layer authentication and access layer authentication The authentication parameter position information of the authentication method; the step of performing authentication processing on the UE to obtain the authentication result and sending the authentication result to the UE includes: S-CSCF judges whether the received authentication parameter includes Valid location information, if it is, first use the IMS service layer authentication and access layer authentication binding authentication method to authenticate the UE to obtain the authentication result, and send the authentication result when the authentication result is successful For the UE, if the authentication result is a failure, then use the second authentication method to authenticate the UE to obtain the authentication result and send the authentication result to the UE; otherwise, directly use the second authentication method to authenticate the UE to obtain the The authentication result is sent to the UE. the

在上述技术方案中,所述混合鉴权信息为:鉴权方式为IMS业务层鉴权和接入层鉴权绑定鉴权方式,鉴权参数为IMS业务层鉴权和接入层鉴权绑定鉴权方式的位置信息鉴权参数以及第二鉴权方式的鉴权参数;所述对UE进行鉴权处理得到鉴权结果并将所述鉴权结果发送给UE的步骤包括:S-CSCF先采用IMS业务层鉴权和接入层鉴权绑定鉴权方式对UE进行鉴权得到鉴权结果,在鉴权结果为成功时将该鉴权结果发送给UE,在鉴权结果为失败时再采用第二鉴权方式对UE进行鉴权得到鉴权结果并将该鉴权结果 发送给UE。 In the above technical solution, the mixed authentication information is: the authentication mode is the binding authentication mode of IMS service layer authentication and access layer authentication, and the authentication parameter is IMS service layer authentication and access layer authentication Binding the location information authentication parameters of the authentication mode and the authentication parameters of the second authentication mode; the step of performing authentication processing on the UE to obtain an authentication result and sending the authentication result to the UE includes: S- The CSCF first uses the IMS service layer authentication and access layer authentication binding authentication method to authenticate the UE to obtain the authentication result. If the authentication result is successful, the authentication result is sent to the UE. If the authentication result is When it fails, use the second authentication method to authenticate the UE to obtain the authentication result and send the authentication result to the UE. the

在上述技术方案中,所述混合鉴权信息为:带有优先级的IMS业务层鉴权和接入层鉴权绑定鉴权方式及位置信息和带有优先级的第二鉴权方式及其鉴权参数。所述对UE进行鉴权处理得到鉴权结果并将所述鉴权结果发送给UE的步骤包括:S-CSCF收到UPSF发送来的该混合鉴权信息;当IMS业务层鉴权和接入层鉴权绑定鉴权方式的优先级较高时,S-CSCF先采用IMS业务层鉴权和接入层鉴权绑定鉴权方式对UE进行鉴权得到鉴权结果,在鉴权结果为成功时将该鉴权结果发送给UE,在鉴权结果为失败时再采用第二鉴权方式对UE进行鉴权得到鉴权结果并将该鉴权结果发送给UE;当第二鉴权方式优先级较高时,直接采用第二鉴权方式对UE进行鉴权得到鉴权结果,并将该鉴权结果发送给UE。 In the above technical solution, the hybrid authentication information is: IMS service layer authentication with priority and access layer authentication binding authentication mode and location information and the second authentication mode with priority and its authentication parameters. The step of performing authentication processing on the UE to obtain the authentication result and sending the authentication result to the UE includes: the S-CSCF receives the hybrid authentication information sent by the UPSF; when the IMS service layer authentication and access When the priority of layer authentication binding authentication mode is high, S-CSCF first uses IMS service layer authentication and access layer authentication binding authentication mode to authenticate UE to obtain the authentication result. If the authentication result is successful, send the authentication result to the UE, and then use the second authentication method to authenticate the UE to obtain the authentication result and send the authentication result to the UE when the authentication result is a failure; when the second authentication When the mode priority is higher, the second authentication mode is directly used to authenticate the UE to obtain an authentication result, and the authentication result is sent to the UE. the

上述技术方案中,所述采用IMS业务层鉴权和接入层鉴权绑定鉴权方式对UE进行鉴权得到鉴权结果的步骤包括:S-CSCF比较P-CSCF上报的位置信息和UPSF下发的位置信息,当两者一致时,得到鉴权成功的结果;当两者不一致时,得到鉴权失败的结果。 In the above technical solution, the step of authenticating the UE by using the IMS service layer authentication and access layer authentication binding authentication method to obtain the authentication result includes: S-CSCF compares the location information reported by P-CSCF with the UPSF When the delivered location information is consistent, the result of authentication is successful; when the two are inconsistent, the result of authentication failure is obtained. the

上述技术方案中,所述采用HTTP DIGEST鉴权方式对UE进行鉴权得到鉴权结果并将该鉴权结果发送给UE的步骤包括:C1.S-CSCF向UE发送包括所述HTTP DIGEST鉴权方式的挑战消息;C2.UE接收到所述包括HTTP DIGEST鉴权方式的挑战消息后,向S-CSCF发送包含鉴权参数的注册报文;C3.S-CSCF比较从UPSF获得的鉴权参数和从UE获得的鉴权参 数,当两者一致时,得到鉴权成功的结果,向UE发送表示鉴权成功的消息;当两者不一致时,得到鉴权失败的结果,向UE发送表示鉴权失败的消息。 In the above technical solution, the step of using the HTTP DIGEST authentication method to authenticate the UE to obtain the authentication result and send the authentication result to the UE includes: C1. The S-CSCF sends the HTTP DIGEST authentication message to the UE. C2. UE sends a registration message containing authentication parameters to S-CSCF after receiving the challenge message including HTTP DIGEST authentication mode; C3. S-CSCF compares the authentication parameters obtained from UPSF When the two are consistent with the authentication parameters obtained from the UE, the result of successful authentication is obtained, and a message indicating successful authentication is sent to the UE; when the two are inconsistent, the result of authentication failure is obtained, and a message indicating successful authentication is sent to the UE Authentication failed message. the

上述技术方案中,在所述S-CSCF收到P-CSCF通过I-CSCF转发的包含位置信息的注册报文之前进一步包括:P-CSCF根据注册报文中的接入运营商标识确定与该接入运营商标识对应的连接位置功能实体CLF;P-CSCF根据注册报文的源IP地址向CLF查询得到与该源IP地址对应的位置信息。 In the above technical solution, before the S-CSCF receives the registration message containing the location information forwarded by the P-CSCF through the I-CSCF, it further includes: the P-CSCF determines according to the access operator identifier in the registration message that it is related to the registration message. The connection location function entity CLF corresponding to the access operator identifier; the P-CSCF queries the CLF according to the source IP address of the registration message to obtain the location information corresponding to the source IP address. the

通过本发明技术方案,一方面可以保证用户在固定的位置访问网络时,缺省采用原来的NASS-Bundled方式或者HTTP DIGEST方式来鉴权用户。另一方面可以解决用户游牧场景下访问网络时如果采用NASS-Bundled认证失败,则采用HTTP DIGEST方式继续对用户进行鉴权。这几种方案配置简单,后向兼容性好,对现有规范影响小,方案的扩展也很自然,容易实现,从而可以为用户提供灵活的鉴权方式的支持。 Through the technical solution of the present invention, on the one hand, it can be ensured that when the user accesses the network at a fixed location, the original NASS-Bundled mode or the HTTP DIGEST mode is adopted by default to authenticate the user. On the other hand, it can solve the problem that if the NASS-Bundled authentication fails when the user accesses the network in a nomadic scenario, the HTTP DIGEST method will be used to continue to authenticate the user. These schemes are simple to configure, have good backward compatibility, have little impact on existing specifications, and the expansion of the scheme is natural and easy to implement, thus providing support for flexible authentication methods for users. the

附图说明Description of drawings

图1为NASS-Bundled鉴权方式的流程示意图; Figure 1 is a schematic flow diagram of the NASS-Bundled authentication method;

图2为HTTP DIGEST鉴权方式的流程示意图; Figure 2 is a schematic flow diagram of the HTTP DIGEST authentication method;

图3为现有技术的流程示意图; Fig. 3 is the schematic flow chart of prior art;

图4为本发明第一实施例的流程示意图; Fig. 4 is the schematic flow sheet of the first embodiment of the present invention;

图5为本发明第二实施例的流程示意图; Fig. 5 is the schematic flow sheet of the second embodiment of the present invention;

图6为本发明第三实施例的流程示意图。 FIG. 6 is a schematic flowchart of a third embodiment of the present invention. the

具体实施方式Detailed ways

为使本发明的目的、技术方案和优点更加清楚,以下举实施例对本发明进一步详细说明。 In order to make the purpose, technical solution and advantages of the present invention clearer, the following examples are given to further describe the present invention in detail. the

在如图4所示的第一实施例中,采用在HTTP DIGEST鉴权参数中增加NASS-Bundled的鉴权参数的鉴权方式。亦即,鉴权方式为HTTP DIGEST,而鉴权参数为HTTP DIGEST鉴权参数以及NASS-Bundled鉴权参数位置信息。 In the first embodiment as shown in FIG. 4 , the authentication mode of adding the authentication parameter of NASS-Bundled to the authentication parameter of HTTP DIGEST is adopted. That is, the authentication method is HTTP DIGEST, and the authentication parameter is the HTTP DIGEST authentication parameter and the location information of the NASS-Bundled authentication parameter. the

参考图4,本发明的第一实施例包括以下步骤: With reference to Fig. 4, the first embodiment of the present invention comprises the following steps:

步骤1101,NASS接入层附着认证,在CLF上记录了UE的位置信息。 Step 1101, NASS access layer attach authentication, record UE location information on CLF. the

步骤1102,UE向P-CSCF发送注册报文REGISTER,该报文携带有接入运营商标识及接入用户标识。 Step 1102, the UE sends a registration message REGISTER to the P-CSCF, and the message carries an access operator ID and an access user ID. the

步骤1103,P-CSCF通过检查发现REGISTER消息中没有安全协商参数(例如Security-Client),因此不需要建立和UE之间的安全联盟。 In step 1103, the P-CSCF finds that there is no security negotiation parameter (such as Security-Client) in the REGISTER message through inspection, so there is no need to establish a security association with the UE. the

步骤1104,P-CSCF根据注册报文中的接入运营商标识以及预先设置的接入运营商标识与CLF之间的对应关系确定CLF。然后,P-CSCF根据注册报文的源IP地址,在上面确定的CLF中查询用户的位置信息。CLF中预先保存了与注册报文源IP地址对应的位置信息的数据记录。 In step 1104, the P-CSCF determines the CLF according to the access operator ID in the registration message and the preset correspondence between the access operator ID and the CLF. Then, the P-CSCF queries the location information of the user in the CLF determined above according to the source IP address of the registration message. The data record of the location information corresponding to the source IP address of the registration message is stored in the CLF in advance. the

步骤1105,P-CSCF将携带上一步骤中查询得到的位置信息的注册报文REGISTER发送给I-CSCF。 Step 1105, the P-CSCF sends the registration message REGISTER carrying the location information obtained in the previous step to the I-CSCF. the

步骤1106,I-CSCF跟UPSF之间通过Cx-Selection-Info消息选择相应的S-CSCF,即I-CSCF向UPSF发出请求,查找UPSF中的用户属性来确定由哪个S-CSCF处理该注册报文。 Step 1106, the I-CSCF and the UPSF select the corresponding S-CSCF through the Cx-Selection-Info message, that is, the I-CSCF sends a request to the UPSF, and searches the user attributes in the UPSF to determine which S-CSCF handles the registration report arts. the

步骤1107,I-CSCF将包括上述位置信息的注册报文REGISTER转发给步骤1105确定的S-CSCF。 In step 1107, the I-CSCF forwards the registration message REGISTER including the above location information to the S-CSCF determined in step 1105. the

步骤1108,S-CSCF与UPSF之间通过Cx-Put消息,更新UPSF上的S-CSCF指示信息,告知UPSF该用户后续的处理在本S-CSCF进行。 In step 1108, the S-CSCF and the UPSF update the S-CSCF indication information on the UPSF through a Cx-Put message, and inform the UPSF that the subsequent processing of the user will be performed in this S-CSCF. the

步骤1109,S-CSCF发现REGISTER消息中不包含Integrity-Protected参数,所以需要向UPSF发送MAR消息,以查询该用户的鉴权方式以及相应的鉴权参数。 In step 1109, the S-CSCF finds that the REGISTER message does not contain the Integrity-Protected parameter, so it needs to send a MAR message to the UPSF to query the user's authentication method and corresponding authentication parameters. the

步骤1110,UPSF检查用户的鉴权签约数据,发现该用户的鉴权方式是HTTP DIGEST鉴权方式。 Step 1110, UPSF checks the user's authentication subscription data, and finds that the user's authentication method is the HTTP DIGEST authentication method. the

步骤1111,UPSF向S-CSCF发送MAA消息,将该用户的鉴权方式信息发送给S-CSCF,即:鉴权方式为HTTP DIGEST鉴权方式,鉴权参数为HTTP DIGEST原有参数以及NASS-Bundled鉴权参数位置信息。 Step 1111, UPSF sends MAA message to S-CSCF, and sends the user's authentication method information to S-CSCF, that is: the authentication method is HTTP DIGEST authentication method, and the authentication parameters are the original parameters of HTTP DIGEST and NASS- Bundled authentication parameter location information. the

步骤1112,S-CSCF保存鉴权方式以及相应的鉴权参数,并检查鉴权参数中是否包含有效的位置信息,如果有,则执行步骤1113,否则执行图2中步骤209之后的步骤,即直接进行HTTP DIGEST鉴权方式进行鉴权。 Step 1112, the S-CSCF saves the authentication method and the corresponding authentication parameters, and checks whether the authentication parameters contain valid location information, if yes, executes step 1113, otherwise executes the steps after step 209 in Figure 2, namely Directly perform HTTP DIGEST authentication mode for authentication. the

步骤1113,S-CSCF比较P-CSCF上报的位置信息与UPSF下发的位置信息两者是否一致,如果一致,则说明鉴权成功,执行步骤1114及其后续流程,即向UE发送鉴权成功的消息;如果不一致,则说明鉴权失败,执行图2中步骤209之后的步骤,即再采用HTTP DIGEST鉴权方式进行鉴权。 In step 1113, the S-CSCF compares whether the location information reported by the P-CSCF is consistent with the location information sent by the UPSF. If they are consistent, it means that the authentication is successful, and the step 1114 and its subsequent procedures are executed, that is, the authentication success is sent to the UE. If inconsistent, then the authentication fails, and the steps after step 209 in Figure 2 are executed, that is, the HTTP DIGEST authentication method is used for authentication. the

步骤1114,S-CSCF与UPSF之间通过Cx-Put消息,更新UPSF上的S-CSCF指示信息,告知UPSF该用户后续的处理在本S-CSCF进行。 Step 1114: The S-CSCF and the UPSF update the S-CSCF indication information on the UPSF through a Cx-Put message, and inform the UPSF that the follow-up processing of the user will be performed in this S-CSCF. the

步骤1115,S-CSCF与UPSF通过Cx-Pull消息获取用户的签约数据信息。 Step 1115, the S-CSCF and the UPSF obtain the subscription data information of the user through the Cx-Pull message. the

步骤1116,S-CSCF向I-CSCF发送2xx Auth_OK消息,表示鉴权成功。 In step 1116, the S-CSCF sends a 2xx Auth_OK message to the I-CSCF, indicating that the authentication is successful. the

步骤1117,I-CSCF将上述2xx Auth_OK消息发送给P-CSCF。 Step 1117, I-CSCF sends the above 2xx Auth_OK message to P-CSCF. the

步骤1118,P-CSCF接收到上述2xx Auth_OK消息后,将上述2xxAuth_OK消息发送给UE。 Step 1118: After receiving the above 2xx Auth_OK message, the P-CSCF sends the above 2xxAuth_OK message to the UE. the

在如图5所示的第二实施例中,采用在NASS-Bundled鉴权参数中增加HTTP DIGEST的鉴权参数的鉴权方式。亦即,鉴权方式为NASS-Bundled,而鉴权参数为NASS-Bundled鉴权数据即位置信息以及HTTP DIGEST鉴权参数。 In the second embodiment as shown in FIG. 5 , an authentication mode in which an authentication parameter of HTTP DIGEST is added to NASS-Bundled authentication parameters is adopted. That is, the authentication method is NASS-Bundled, and the authentication parameters are NASS-Bundled authentication data, namely location information, and HTTP DIGEST authentication parameters. the

参考图5,本发明的第二实施例包括以下步骤: With reference to Fig. 5, the second embodiment of the present invention comprises the following steps:

步骤1201,NASS接入层附着认证,在CLF上记录了UE的位置信息。 Step 1201, NASS access layer attach authentication, record UE location information on CLF. the

步骤1202,UE向P-CSCF发送注册报文REGISTER,该报文携带有接入运营商标识及接入用户标识。 Step 1202, the UE sends a registration message REGISTER to the P-CSCF, and the message carries an access operator ID and an access user ID. the

步骤1203,P-CSCF通过检查发现REGISTER消息中没有安全协商参数(例如Security-Client),因此不需要建立和UE之间的安全联盟。 In step 1203, the P-CSCF finds that there is no security negotiation parameter (such as Security-Client) in the REGISTER message through inspection, so there is no need to establish a security association with the UE. the

步骤1204,P-CSCF根据注册报文中的接入运营商标识以及预先设置的接入运营商标识与CLF之间的对应关系确定CLF。然后,P-CSCF根据注册报文的源IP地址,在上面确定的CLF中查询用户的位置信息。CLF中预先保存了与注册报文源IP地址对应的位置信息的数据记录。 In step 1204, the P-CSCF determines the CLF according to the access operator ID in the registration message and the preset correspondence between the access operator ID and the CLF. Then, the P-CSCF queries the location information of the user in the CLF determined above according to the source IP address of the registration message. The data record of the location information corresponding to the source IP address of the registration message is stored in the CLF in advance. the

步骤1205,P-CSCF将携带上一步骤中查询得到的位置信息的注册报文REGISTER发送给I-CSCF。 Step 1205, the P-CSCF sends the registration message REGISTER carrying the location information obtained in the previous step to the I-CSCF. the

步骤1206,I-CSCF跟UPSF之间通过Cx-Selection-Info消息选择相应的S-CSCF,即I-CSCF向UPSF发出请求,查找UPSF中的用户属性来确定由哪个S-CSCF处理该注册报文。 Step 1206, the I-CSCF and the UPSF select the corresponding S-CSCF through the Cx-Selection-Info message, that is, the I-CSCF sends a request to the UPSF, and searches the user attributes in the UPSF to determine which S-CSCF handles the registration report arts. the

步骤1207,I-CSCF将包括上述位置信息的注册报文REGISTER转发给步骤1205确定的S-CSCF。 In step 1207, the I-CSCF forwards the registration message REGISTER including the above location information to the S-CSCF determined in step 1205. the

步骤1208,S-CSCF与UPSF之间通过Cx-Put消息,更新UPSF上的S-CSCF指示信息,告知UPSF该用户后续的处理在本S-CSCF进行。 In step 1208, the S-CSCF and the UPSF update the S-CSCF indication information on the UPSF through a Cx-Put message, and inform the UPSF that the subsequent processing of the user will be performed in this S-CSCF. the

步骤1209,S-CSCF发现REGISTER消息中不包含Integrity-Protected参数,所以需要向UPSF发送MAR消息,以查询该用户的鉴权方式以及相应的鉴权参数。 In step 1209, the S-CSCF finds that the REGISTER message does not contain the Integrity-Protected parameter, so it needs to send a MAR message to the UPSF to query the user's authentication mode and corresponding authentication parameters. the

步骤1210,UPSF检查用户的鉴权签约数据,发现该用户的鉴权方式是“NASS-Bundled”鉴权方式。 In step 1210, the UPSF checks the user's authentication subscription data, and finds that the user's authentication mode is "NASS-Bundled". the

步骤1211,UPSF向S-CSCF发送MAA消息,将该用户的鉴权方式信息发送给S-CSCF,即鉴权方式为NASS-Bundled鉴权方式,鉴权参数为NASS-Bundled鉴权参数即位置信息以及HTTP DIGEST鉴权参数。 Step 1211, UPSF sends a MAA message to S-CSCF, and sends the user's authentication method information to S-CSCF, that is, the authentication method is NASS-Bundled authentication method, and the authentication parameter is NASS-Bundled authentication parameter, which is the location information and HTTP DIGEST authentication parameters. the

步骤1212,S-CSCF保存鉴权方式以及相应的鉴权参数,并比较P-CSCF上报的位置信息与UPSF下发的位置信息两者是否一致,如果一致,则说明 鉴权成功,执行步骤1213及其后续流程,即向UE发送鉴权成功的消息;如果不一致,则说明鉴权失败,执行图2中步骤209之后的步骤,即再采用HTTP DIGEST鉴权方式进行鉴权。 Step 1212, the S-CSCF saves the authentication method and the corresponding authentication parameters, and compares whether the location information reported by the P-CSCF is consistent with the location information sent by the UPSF. If they are consistent, the authentication is successful, and step 1213 is executed. And its subsequent process, that is, send a message of successful authentication to the UE; if inconsistent, it means that the authentication fails, and the steps after step 209 in Figure 2 are executed, that is, the HTTP DIGEST authentication method is used for authentication. the

步骤1213,S-CSCF与UPSF之间通过Cx-Put消息,更新UPSF上的S-CSCF指示信息,告知UPSF该用户后续的处理在本S-CSCF进行。 In step 1213, the S-CSCF and the UPSF update the S-CSCF indication information on the UPSF through a Cx-Put message, and inform the UPSF that the follow-up processing of the user will be performed in this S-CSCF. the

步骤1214,S-CSCF与UPSF通过Cx-Pull消息获取用户的签约数据信息。 Step 1214, the S-CSCF and the UPSF obtain the subscription data information of the user through the Cx-Pull message. the

步骤1215,S-CSCF向I-CSCF发送2xx Auth_OK消息,表示鉴权成功。 In step 1215, the S-CSCF sends a 2xx Auth_OK message to the I-CSCF, indicating that the authentication is successful. the

步骤1216,I-CSCF将上述2xx Auth_OK消息发送给P-CSCF。 Step 1216, I-CSCF sends the above 2xx Auth_OK message to P-CSCF. the

步骤1217,P-CSCF接收到上述2xx Auth_OK消息后,将上述2xxAuth_OK消息发送给UE。 Step 1217: After receiving the above 2xx Auth_OK message, the P-CSCF sends the above 2xxAuth_OK message to the UE. the

在如图6所示的第三实施例中,采用两种鉴权方式同时存在的方式,鉴权参数不混合,但是增加一个优先级参数。亦即,鉴权方式为NASS-Bundled,而鉴权参数为NASS-Bundled鉴权参数位置信息,以及NASS-Bundled的优先级;以及鉴权方式为HTTP DIGEST,鉴权参数为HTTP DIGEST鉴权参数,以及HTTP DIGEST的优先级。当然也可以将HTTP DIGEST鉴权方式替换成其他鉴权方式,或者预先设置多种鉴权方式,这里不再赘述。 In the third embodiment shown in FIG. 6 , two authentication methods exist simultaneously, and the authentication parameters are not mixed, but a priority parameter is added. That is, the authentication method is NASS-Bundled, and the authentication parameter is the location information of the NASS-Bundled authentication parameter, and the priority of the NASS-Bundled; and the authentication method is HTTP DIGEST, and the authentication parameter is the HTTP DIGEST authentication parameter , and the priority of HTTP DIGEST. Of course, you can also replace the HTTP DIGEST authentication method with other authentication methods, or set multiple authentication methods in advance, so I won’t go into details here. the

参考图6,本发明的第三实施例包括以下步骤: With reference to Fig. 6, the third embodiment of the present invention comprises the following steps:

步骤1301,NASS接入层附着认证,在CLF上记录了UE的位置信息。 Step 1301, NASS access layer attach authentication, record UE location information on CLF. the

步骤1302,UE向P-CSCF发送注册报文REGISTER,该报文携带有接入运营商标识及接入用户标识。 Step 1302, the UE sends a registration message REGISTER to the P-CSCF, and the message carries an access operator ID and an access user ID. the

步骤1303,P-CSCF通过检查发现REGISTER消息中没有安全协商参数(例如Security-Client),因此不需要建立和UE之间的安全联盟。 In step 1303, the P-CSCF finds that there is no security negotiation parameter (such as Security-Client) in the REGISTER message through inspection, so there is no need to establish a security association with the UE. the

步骤1304,P-CSCF根据注册报文中的接入运营商标识以及预先设置的接入运营商标识与CLF之间的对应关系确定CLF。然后,P-CSCF根据注册报文的源IP地址,在上面确定的CLF中查询用户的位置信息。CLF中预先 保存了与注册报文源IP地址对应的位置信息的数据记录。 In step 1304, the P-CSCF determines the CLF according to the access operator ID in the registration message and the preset correspondence between the access operator ID and the CLF. Then, the P-CSCF queries the location information of the user in the CLF determined above according to the source IP address of the registration message. The data record of the location information corresponding to the source IP address of the registration message is pre-saved in the CLF. the

步骤1305,P-CSCF将携带上一步骤中得到的位置信息的注册报文REGISTER发送给I-CSCF。 Step 1305, the P-CSCF sends the registration message REGISTER carrying the location information obtained in the previous step to the I-CSCF. the

步骤1306,I-CSCF跟UPSF之间通过Cx-Selection-Info消息选择相应的S-CSCF,即I-CSCF向UPSF发出请求,查找UPSF中的用户属性来确定由哪个S-CSCF处理该注册报文。 Step 1306, the I-CSCF and the UPSF select the corresponding S-CSCF through the Cx-Selection-Info message, that is, the I-CSCF sends a request to the UPSF, and searches the user attributes in the UPSF to determine which S-CSCF handles the registration report arts. the

步骤1307,I-CSCF将包括上述位置信息的注册报文REGISTER转发给步骤1305确定的S-CSCF。 In step 1307, the I-CSCF forwards the registration message REGISTER including the above location information to the S-CSCF determined in step 1305. the

步骤1308,S-CSCF与UPSF之间通过Cx-Put消息,更新UPSF上的S-CSCF指示信息,告知UPSF该用户后续的处理在本S-CSCF进行。 In step 1308, the S-CSCF and the UPSF update the S-CSCF indication information on the UPSF through a Cx-Put message, and inform the UPSF that the subsequent processing of the user will be performed in this S-CSCF. the

步骤1309,S-CSCF发现REGISTER消息中不包含Integrity-Protected参数,所以需要向UPSF发送MAR消息,以查询该用户的鉴权方式以及相应的鉴权参数。 In step 1309, the S-CSCF finds that the REGISTER message does not contain the Integrity-Protected parameter, so it needs to send a MAR message to the UPSF to inquire about the user's authentication method and corresponding authentication parameters. the

步骤1310,UPSF检查用户的鉴权签约数据,发现该用户的鉴权方式多种,并且每种鉴权方式都带有优先级。例如该用户的鉴权方式有两种:一种是NASS-Bundled鉴权方式,其优先级较高,例如为0.7;另一种是HTTPDIGEST鉴权方式,其优先级为较低,例如为0.3。 Step 1310, UPSF checks the user's authentication subscription data, and finds that the user has multiple authentication methods, and each authentication method has a priority. For example, there are two authentication methods for this user: one is the NASS-Bundled authentication method, which has a higher priority, such as 0.7; the other is the HTTPDIGEST authentication method, which has a lower priority, such as 0.3 . the

步骤1311,UPSF向S-CSCF发送MAA消息,将该用户的鉴权方式信息发送给S-CSCF,包括鉴权方式、鉴权参数以及优先级,即:鉴权方式1:NASS-Bundled,鉴权参数:位置信息,优先级:0.7;鉴权方式2:HTTPDIGEST,鉴权参数:HTTP DIGEST鉴权参数,优先级:0.3。 Step 1311, UPSF sends MAA message to S-CSCF, and sends the user's authentication method information to S-CSCF, including authentication method, authentication parameters and priority, namely: authentication method 1: NASS-Bundled, authentication Authorization parameter: location information, priority: 0.7; authentication method 2: HTTPDIGEST, authentication parameter: HTTP DIGEST authentication parameter, priority: 0.3. the

步骤1312,S-CSCF保存鉴权方式以及相应的鉴权参数。发现有两种鉴权方式,并且NASS-Bundled优先级较高,因此首先执行NASS-Bundled鉴权,即比较P-CSCF上报的位置信息与UPSF下发的位置信息是否一致。如果一致,则说明鉴权成功,执行步骤1313及其后续流程,即向UE发送鉴权成功的消息;如果不一致,则说明鉴权失败,执行图2中步骤209之后的步骤,即再采用HTTP DIGEST鉴权方式进行鉴权。 Step 1312, the S-CSCF stores the authentication mode and corresponding authentication parameters. It is found that there are two authentication methods, and NASS-Bundled has a higher priority, so NASS-Bundled authentication is performed first, that is, the location information reported by the P-CSCF is compared with the location information delivered by the UPSF. If they are consistent, then the authentication is successful, and step 1313 and its subsequent processes are executed, that is, a message of successful authentication is sent to the UE; if not, then the authentication fails, and the steps after step 209 in Fig. DIGEST authentication mode for authentication. the

如果HTTP DIGEST鉴权方式的优先级高,则直接执行图2中步骤209之后的步骤,即直接采用HTTP DIGEST鉴权方式进行鉴权。 If the priority of the HTTP DIGEST authentication method is high, then directly execute the steps after step 209 in Figure 2, that is, directly adopt the HTTP DIGEST authentication method for authentication. the

其它的多种鉴权方式的情形与此类似,这里不再举例说明。 Situations of other multiple authentication methods are similar, and no examples are given here. the

步骤1313,S-CSCF与UPSF之间通过Cx-Put消息,更新UPSF上的S-CSCF指示信息,告知UPSF该用户后续的处理在本S-CSCF进行。 Step 1313, the S-CSCF and the UPSF update the S-CSCF indication information on the UPSF through the Cx-Put message, and inform the UPSF that the follow-up processing of the user will be performed in this S-CSCF. the

步骤1314,S-CSCF与UPSF通过Cx-Pull消息获取用户的签约数据信息。 Step 1314, the S-CSCF and the UPSF obtain the subscription data information of the user through the Cx-Pull message. the

步骤1315,S-CSCF向I-CSCF发送2xx Auth_OK消息,表示鉴权成功。 Step 1315, the S-CSCF sends a 2xx Auth_OK message to the I-CSCF, indicating that the authentication is successful. the

步骤1316,I-CSCF将上述2xx Auth_OK消息发送给P-CSCF。 Step 1316, I-CSCF sends the above 2xx Auth_OK message to P-CSCF. the

步骤1317,P-CSCF接收到上述2xx Auth_OK消息后,将上述2xxAuth_OK消息发送给UE。 Step 1317: After receiving the 2xx Auth_OK message, the P-CSCF sends the 2xxAuth_OK message to the UE. the

以上所述仅为本发明的较佳实施例而已,并不用以限制本发明,凡在本发明的精神和原则之内,所作的任何修改、等同替换、改进等,均应包含在本发明的保护范围之内。 The above descriptions are only preferred embodiments of the present invention, and are not intended to limit the present invention. Any modifications, equivalent replacements, improvements, etc. made within the spirit and principles of the present invention shall be included in the scope of the present invention. within the scope of protection. the

Claims (7)

1. support the authentication method of non-IP multi-medium subsystem, IMS terminal roaming in the next generation network, it is characterized in that this method may further comprise the steps:
Service call session control function entity S-CSCF receives the logon message that comprises positional information that proxy call conversation control function entity P-CSCF transmits by enquiry call conversation control function entity I-CSCF, and behind customer data base service entities UPSF inquiry authentication mode and authorization data, according to the mixing authentication information that returns from UPSF, user terminal UE is carried out authentication process obtain authenticating result, and described authenticating result is sent to UE;
Described mixing authentication information is: authentication mode is second authentication mode, and authentication parameter is the authentication parameter positional information of authentication parameter and the IMS operation layer authentication and the acess-in layer authentication binding authentication mode of second authentication mode; Perhaps authentication mode is IMS operation layer authentication and acess-in layer authentication binding authentication mode, and authentication parameter is that the authorization data of IMS operation layer authentication and acess-in layer authentication binding authentication mode is the authentication parameter of the position information and second authentication mode; Or authentication mode is that IMS operation layer authentication and acess-in layer authentication binding authentication mode, authentication parameter are the priority of IMS operation layer authentication and acess-in layer authentication binding authentication mode authentication parameter positional information and IMS operation layer authentication and acess-in layer authentication binding authentication mode, and authentication mode is second authentication mode, and authentication parameter is the priority of the second authentication mode authentication parameter and second authentication mode;
Described second authentication mode is a HTML (Hypertext Markup Language) summary HTTP DIGEST authentication mode.
2. method according to claim 1, it is characterized in that, described mixing authentication information is: authentication mode is second authentication mode, and authentication parameter is the authentication parameter positional information of authentication parameter and the IMS operation layer authentication and the acess-in layer authentication binding authentication mode of second authentication mode;
Describedly UE is carried out authentication process obtain authenticating result and the step that described authenticating result sends to UE is comprised: S-CSCF judges in the authentication parameter of receiving whether comprise effective positional information, if, then adopt IMS operation layer authentication and acess-in layer authentication binding authentication mode that UE is carried out authentication earlier and obtain authenticating result, in authenticating result is this authenticating result to be sent to UE successfully the time, adopts second authentication mode that UE is carried out authentication in authenticating result again during for failure and obtains authenticating result and this authenticating result is sent to UE; Otherwise directly adopt second authentication mode that UE is carried out authentication and obtain authenticating result, and this authenticating result is sent to UE.
3. method according to claim 1, it is characterized in that, described mixing authentication information is: authentication mode is IMS operation layer authentication and acess-in layer authentication binding authentication mode, and authentication parameter is IMS operation layer authentication and the positional information authentication parameter of acess-in layer authentication binding authentication mode and the authentication parameter of second authentication mode;
Describedly UE is carried out authentication process obtain authenticating result and the step that described authenticating result sends to UE is comprised: S-CSCF adopts IMS operation layer authentication and acess-in layer authentication binding authentication mode that UE is carried out authentication earlier and obtains authenticating result, in authenticating result is this authenticating result to be sent to UE successfully the time, adopts second authentication mode that UE is carried out authentication in authenticating result again during for failure and obtains authenticating result and this authenticating result is sent to UE.
4. method according to claim 1 is characterized in that, described mixing authentication information is: the IMS operation layer authentication and acess-in layer authentication binding authentication mode and the positional information and second authentication mode and the authentication parameter thereof that have priority that have priority;
Describedly UE is carried out authentication process obtain authenticating result and the step that described authenticating result sends to UE is comprised: S-CSCF receives this mixing authentication information that UPSF sends; When the priority of IMS operation layer authentication and acess-in layer authentication binding authentication mode is higher, S-CSCF adopts IMS operation layer authentication and acess-in layer authentication binding authentication mode that UE is carried out authentication earlier and obtains authenticating result, in authenticating result is this authenticating result to be sent to UE successfully the time, adopts second authentication mode that UE is carried out authentication in authenticating result again during for failure and obtains authenticating result and this authenticating result is sent to UE; When the second authentication mode priority is higher, directly adopts second authentication mode that UE is carried out authentication and obtain authenticating result, and this authenticating result is sent to UE.
5. according to the described method of one of claim 2~4, it is characterized in that described employing IMS operation layer authentication and acess-in layer authentication binding authentication mode carry out the step that authentication obtains authenticating result to UE and comprise:
The positional information that positional information that S-CSCF comparison P-CSCF reports and UPSF issue when both are consistent, obtains the result of authentication success; When both are inconsistent, obtain the result of failed authentication.
6. according to claim 2,3 or 4 described methods, it is characterized in that described employing HTTPDIGEST authentication mode carries out authentication to UE and obtains authenticating result and the step that this authenticating result sends to UE is comprised:
C1.S-CSCF sends the challenge message that comprises described HTTP DIGEST authentication mode to UE;
After C2.UE receives the challenge message of the described HTTP of comprising DIGEST authentication mode, send the logon message that comprises authentication parameter to S-CSCF;
C3.S-CSCF when both are consistent, obtains the result of authentication success relatively from the authentication parameter of UPSF acquisition and the authentication parameter that obtains from UE, sends the message of expression authentication success to UE; When both are inconsistent, obtain the result of failed authentication, send the message of expression failed authentication to UE.
7. method according to claim 1 is characterized in that, further comprises before described S-CSCF receives the logon message that comprises positional information of P-CSCF by the I-CSCF forwarding:
P-CSCF determines and the corresponding link position functional entity CLF of this access carrier sign according to the sign of the access carrier in the logon message;
P-CSCF obtains and this source IP address corresponding position information to the CLF inquiry according to the source IP address of logon message.
CN2006100055419A 2006-01-11 2006-01-11 Authentication method for supporting terminal roaming of non-IP multimedia service subsystem Expired - Fee Related CN101001145B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2006100055419A CN101001145B (en) 2006-01-11 2006-01-11 Authentication method for supporting terminal roaming of non-IP multimedia service subsystem

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2006100055419A CN101001145B (en) 2006-01-11 2006-01-11 Authentication method for supporting terminal roaming of non-IP multimedia service subsystem

Publications (2)

Publication Number Publication Date
CN101001145A CN101001145A (en) 2007-07-18
CN101001145B true CN101001145B (en) 2011-04-20

Family

ID=38692971

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2006100055419A Expired - Fee Related CN101001145B (en) 2006-01-11 2006-01-11 Authentication method for supporting terminal roaming of non-IP multimedia service subsystem

Country Status (1)

Country Link
CN (1) CN101001145B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101448258A (en) * 2007-11-26 2009-06-03 华为技术有限公司 Judgment method of authentication mode for UE to access IMS and device thereof
CN102917304B (en) * 2011-08-04 2017-06-16 南京中兴软件有限责任公司 The report method and its terminal of a kind of location information
CN105450621A (en) * 2014-09-30 2016-03-30 中兴通讯股份有限公司 Terminating processing method, device and system
CN111148102B (en) * 2019-12-31 2024-01-30 京信网络系统股份有限公司 Network authentication method, device, computer equipment and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1642083A (en) * 2004-09-23 2005-07-20 华为技术有限公司 Network side anthority-discrimination-mode selecting method
EP1414212B1 (en) * 2002-10-22 2005-10-12 Telefonaktiebolaget LM Ericsson (publ) Method and system for authenticating users in a telecommunication system

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1414212B1 (en) * 2002-10-22 2005-10-12 Telefonaktiebolaget LM Ericsson (publ) Method and system for authenticating users in a telecommunication system
CN1642083A (en) * 2004-09-23 2005-07-20 华为技术有限公司 Network side anthority-discrimination-mode selecting method

Also Published As

Publication number Publication date
CN101001145A (en) 2007-07-18

Similar Documents

Publication Publication Date Title
CN101151869B (en) Internet protocol multimedia subsystem authorization method
CN101043744B (en) Method for user terminal accessing authentication in IMS network
EP1879324B1 (en) A method for authenticating user terminal in ip multimedia sub-system
US9882943B2 (en) Method of access provision
US20070055874A1 (en) Bundled subscriber authentication in next generation communication networks
CN100499662C (en) Service realizing system and method for IP multimedia subsystem
WO2006125359A1 (en) A method for implementing the access domain security of an ip multimedia subsystem
CN105307144B (en) A kind of register method, method of calling, application server and network domain arrangement
CN100384120C (en) Method for Authenticating Terminal User Identity Module in IP Multimedia Subsystem
CN101997828A (en) Method, device and network for network re-registration of Internet protocol multimedia subsystem (IMS)
WO2006072219A1 (en) An ip multimedia subsystem network authentication system and the method thereof
CN101106457B (en) Method for Determining User Terminal Authentication Mode in IP Multimedia Subsystem Network
CN101001145B (en) Authentication method for supporting terminal roaming of non-IP multimedia service subsystem
CN101232707B (en) Method for distinguishing subscriber terminal authority identifying type in IMS network and I-CSCF
CN100395976C (en) An Authentication Method for Internet Protocol Multimedia Subsystem
WO2011035579A1 (en) Authentication method, system and terminal for wireless local area network authentication and privacy infrastructure (wapi) terminal accessing ip multimedia subsystem (ims) network
US20210022000A1 (en) Rcs authentication
CN100442926C (en) A method for binding IP multimedia subsystem authentication and access layer authentication
WO2006133624A1 (en) A method for registering at the internet protocol multimedia subsystem
CN101540679A (en) Method for acquiring WLAN authentication and privacy infrastructure certificate and system thereof
CN101083838B (en) HTTP abstract authentication method in IP multimedia subsystem
CN100591012C (en) An authentication negotiation method and a communication system
CN101132358B (en) A user terminal UE access authentication method in an IMS network
CN101072230A (en) Authentication method for Internet protocol multimedia service sub-system
CN101155186A (en) An Authentication Method for Internet Protocol Multimedia Service Subsystem

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110420