CN101483860A - Negotiation control method based on SIP security policy grade in IMS network - Google Patents
- Publication number
- CN101483860A
- Authority
- CN
- China
- Prior art keywords
- security
- policy
- protection
- cscf
- domain
- Prior art date
- Legal status
- Granted
Landscapes
- Mobile Radio Communication Systems (AREA)
Abstract
This negotiation control method, based on security policy levels of the Session Initiation Protocol (SIP) in the IP Multimedia Subsystem (IMS), provides a mechanism for negotiating security policy levels between the IMS network and the user equipment. It belongs to the technical field of network security protection and access control and comprises two parts: 1) Following the IMS technical specifications, security protection policies ranging from weak to strong are formed by combining different security mechanisms, giving a complete and unified set of IMS security policies from which the IMS network and the user equipment (UE) choose during security negotiation. 2) New SIP message fields and a negotiation procedure are defined, giving end users and IMS operators a negotiation flow and SIP message field formats with which to negotiate and settle the security policy for a service. As a result, an operator can offer security policies of different security levels for different service types and user types, which both satisfies personalised quality-of-service guarantees and reduces the resource overhead of network security, yielding the best trade-off between network security protection and quality-of-service assurance.
Description
Technical field
The invention relates to a method, based on SIP signalling, for dividing user security policies into levels and for negotiating and controlling them in the IP Multimedia Subsystem (IMS); it belongs to the technical field of network security and access control.
Background
SIP signalling
The Session Initiation Protocol (SIP) is a standard published by the Internet Engineering Task Force (IETF) in 1999 for signalling control on IP networks. The Third Generation Partnership Project (3GPP) chose SIP as its session control protocol, and it is the core of the IMS architecture. SIP can set up audio, video and multi-party call sessions and can also carry instant messages and files, allowing operators to offer integrated services over a unified service platform and so converge their networks. When a user establishes an IP connection to the IMS core network and obtains IMS services, two communication processes involve SIP signalling: IMS registration and multimedia session establishment.
IMS security requirements
According to 3GPP technical specification 33.102, IMS security requirements fall into three classes. (1) Authentication and Key Agreement (AKA), covering mutual authentication between the user equipment (UE) and the Home Subscriber Server (HSS) and the establishment of an encryption and transmission key pair; this part is defined in release 5 of the IMS technical specifications published by 3GPP. (2) IMS access security, covering the features and mechanisms of network access security, such as how the UE and the IMS core network authenticate each other and how security mechanisms, algorithms and keys are negotiated. Access security provides a security association between the UE and the Proxy Call Session Control Function (P-CSCF) server and is also responsible for confidentiality protection of SIP signalling; it is standardised in 3GPP technical specification 33.203. (3) Network domain security, which provides confidentiality, data integrity, authentication and anti-replay protection for the IP message flows of the whole core network, using cryptographic security mechanisms and protocols such as IPsec; it is standardised in 3GPP technical specification 33.210.
IMS security mechanisms
According to the 3GPP standards defining IMS security mechanisms, the mechanisms fall into five categories: authentication, confidentiality, integrity, availability and privacy. (1) Authentication: the IMS security standard requires the AKA mechanism for mutual authentication between the user equipment and the home network, which also provides data-origin authentication for information passed between network elements. (2) Confidentiality: the IMS security standard does not mandate confidentiality protection of SIP messages between the UE and the P-CSCF; it recommends encryption at the link layer of the access network. Confidentiality protection of SIP signalling between SIP servers within a domain is optional, whereas confidentiality protection between network elements of different domains is mandatory. (3) Integrity: data integrity in network traffic is protected by including a message authentication code (MAC) in every packet. The IMS security standard requires IPsec ESP in transport mode between the UE and the P-CSCF and IPsec ESP in tunnel mode between IMS core network elements; the message digest algorithm MD5 or the secure hash algorithm SHA-1 can be used to protect the integrity of the SIP signalling between them. (4) Availability: the IMS security standard does not explicitly eliminate denial-of-service (DoS) attacks, but it defines security domains protected by security gateways, where operators can deploy their own DoS protection. Unless an operator takes such measures, every network element in the IMS architecture and every server in the operations support system can be subject to DoS attacks. (5) Privacy: operators usually treat network details such as the number and performance of network elements and the capacity of the network as sensitive business information. The P-CSCF hides such information from end users through its proxy function, and the Interrogating Call Session Control Function (I-CSCF) server hides network topology from other operators, for example by encrypting SIP messages sent to a P-CSCF in an external network. In the IMS security framework these hiding mechanisms are optional. Table 1 summarises the security mechanisms at each layer of the IMS network in relation to each security attribute.
Policy control based on SIP in IMS
The most pressing requirement of an operator offering services over an IMS network is to control all behaviour in that network, so that every entity in it operates according to the operator's rules. The IMS network must therefore run according to the policies the operator deploys; in other words, it must perform policy control. Simple policy control covers matters such as the permitted media types or codecs, whereas policies specific to a given service are more diverse and specialised. When a user requests a service from an IMS service provider, the policy may differ depending on factors such as the following: (1) the service type: an operator may apply different policies to the same user for a multi-party conference service and for a wireless mobile conversation service, for example different permissions or different control flows; (2) the user type: whether the user is a restricted user, an ordinary user or a premium user, with operators setting different policies for different classification schemes and user levels; (3) the operator: different operators (or the same operator under different conditions, such as different time periods) may also apply different policy control to the same service, for example different control methods for video services or multi-party conferences.
Security level classification and security policy control in IMS
In the current SIP specifications, the SIP security mechanism agreement protocol Sip-Sec-Agree is what ensures that the UE and the P-CSCF can negotiate and adopt a common security mechanism. This leaves two problems. (1) Negotiating only the security mechanism between the UE and the P-CSCF is not enough. According to the IMS specifications and the security mechanisms summarised above, some mechanisms of access security and network domain security are optional, and this openness tends to cause backward-compatibility problems, such as incompatibility between different UE versions, between the security mechanisms of different network domains, and between the security configurations of different operators. When IMS provides multimedia services it therefore needs not only a protocol for negotiating the security mechanism between the UE and the P-CSCF but also a mechanism for negotiating the internal network-domain security mechanisms, so that a complete and unified security policy composed of all the individual mechanisms guarantees IMS security compatibility. (2) The IMS network provides users with many multimedia services, and users' quality-of-service (QoS) and security requirements vary: different service types and user applications have different security needs. The QoS negotiation mechanism does not adequately take network security requirements and negotiation into account, nor does it offer security-related service levels that meet users' security needs. IMS should therefore, while guaranteeing QoS resource reservation, consider the effect of different security policies on network performance and on the end-to-end QoS delivered to users, and offer security policies of different levels for different service types and user types. This both satisfies personalised QoS guarantees and reduces the resource overhead of network security, giving the best trade-off between network security and QoS assurance.
The current SIP specifications contain no formal standard governing SIP-based policy control and its interaction flow. In particular, there is no specification defining security policies of different security levels, and no negotiation and control mechanism for choosing a security policy according to the user's service type while weighing both QoS and security requirements. These two elements are essential to solving the IMS network security problems described above and are prerequisites for securing and operating future IMS networks. Besides meeting the conditions identified above (a clear framework, simplicity and practicality, good extensibility, and security policies that are transparent to the user), any new scheme must also be secure and trustworthy as a whole.
Summary of the invention
This scheme designs and implements a SIP-based extended control scheme for the IMS network. Its purpose is a method for negotiating and controlling a unified security policy before the IMS core network provides multimedia services to an end user, so as to settle the best configuration of network security and QoS guarantees.
The invention addresses two technical problems. (1) It designs a scheme for dividing IMS security protection into levels: following the IMS technical specifications, security protection policies from weak to strong are formed by combining different security mechanisms, yielding a complete and unified set of IMS security policies from which the IMS network and the user choose during security negotiation. The set can be extended further in line with the technical specifications and so has good compatibility. (2) It designs a new SIP-based method for negotiating and controlling security policies, allowing operators to offer security policies of different security levels for different service types and user types, which satisfies personalised QoS guarantees while reducing the resource overhead of network security, and so achieves the best trade-off between network security and QoS assurance. The specific scheme provides the interaction and negotiation flow between the end user and the IMS core network together with the SIP message fields, and the negotiation control mechanism designed here can serve as a technical basis for future IMS network security assurance and management.
The invention is characterised in that it is based on the IP Multimedia Subsystem (IMS) technical specifications TS 33.102, TS 33.203 and TS 33.210 defined by the Third Generation Partnership Project (3GPP), and is carried out between the user equipment (UE) acting as client and the IMS Call Session Control Function (CSCF) server acting as server, in the following steps:
Step (1): when the client UE registers with its IMS home network, the client UE and the server-side CSCF server carry out the following steps in turn:
Step (1.1): using the existing SIP security mechanism agreement protocol Sip-Sec-Agree, the client UE, through the Proxy Call Session Control Function server (P-CSCF) of its home network domain, provides the Serving Call Session Control Function server (S-CSCF) of that domain with the first-hop access security mechanisms the client supports;
Step (1.2): the client UE declares that it supports the Security-policy-service header extension for the security policy negotiation service, and the S-CSCF marks this in the user equipment's record in its local database;
Step (1.3): from the optional and mandatory intra-domain and inter-domain security mechanisms defined in the IMS technical specifications and the client-supported security mechanisms of step (1.2), the S-CSCF composes seven security policies of increasing protection strength, listed below from weakest to strongest. The protection strength of a policy is the sum of its utility values over the five security attributes of authentication, confidentiality, integrity, availability and privacy. These policies are the overall security policy options of the IMS home network domain for services initiated by the client UE, and the seven levels P1 to P7 are as follows:
Security policy P1: mutual authentication with Authentication and Key Agreement (AKA) + registration; utility value 2 for authentication and 1 for availability, overall protection strength 3;
Security policy P2: AKA mutual authentication + registration + first-hop security protection with the message digest algorithm MD5; utility values 3 for authentication, 1 for integrity and 3 for availability, overall protection strength 7;
Security policy P3: AKA mutual authentication + registration + first-hop security protection with MD5 + inter-domain security protection with both MD5 and the strengthened Data Encryption Standard, Triple DES (3DES); utility values 3, 2, 2 and 4 for authentication, confidentiality, integrity and availability respectively, overall protection strength 11;
Security policy P4: AKA mutual authentication + registration + first-hop security protection with MD5 + inter-domain security protection with both MD5 and 3DES + intra-domain security protection with MD5; utility values 3, 2, 3 and 4 for authentication, confidentiality, integrity and availability respectively, overall protection strength 12;
Security policy P5: AKA mutual authentication + registration + first-hop security protection with the secure hash algorithm SHA-1 + inter-domain security protection with both SHA-1 and 3DES + intra-domain security protection with SHA-1; utility values 3, 2, 6 and 4 for authentication, confidentiality, integrity and availability respectively, overall protection strength 15;
Security policy P6: AKA mutual authentication + registration + first-hop security protection with both MD5 and 3DES + inter-domain security protection with both MD5 and 3DES + intra-domain security protection with both MD5 and 3DES + network topology hiding; utility values 4, 4, 3, 6 and 1 for authentication, confidentiality, integrity, availability and privacy respectively, overall protection strength 18;
Security policy P7: AKA mutual authentication + registration + first-hop security protection with both SHA-1 and 3DES + inter-domain security protection with both SHA-1 and 3DES + intra-domain security protection with both SHA-1 and 3DES + network topology hiding; utility values 4, 4, 6, 6 and 1 for authentication, confidentiality, integrity, availability and privacy respectively, overall protection strength 21. In these seven security policies, "+" denotes the combination of different mechanisms;
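The seven levels above, together with the S-CSCF's selection and error branches of steps (2.2.1) to (2.2.3) of the service request procedure, as an added Python model that is not part of the patent. The mechanism labels, the operator's set of deployed network-side mechanisms and the per-service minimum strength rule are constructed assumptions; the attribute utility values are the patent's own.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# The five security attributes, in the order used by each policy's utility tuple.
ATTRIBUTES = ("authentication", "confidentiality", "integrity", "availability", "privacy")


@dataclass(frozen=True)
class Policy:
    policyid: str
    mechanisms: frozenset          # the "+"-combined mechanisms of the level
    utility: Tuple[int, int, int, int, int]

    def strength(self) -> int:
        """Overall protection strength: the sum of the five attribute utility values."""
        return sum(self.utility)


def _policy(pid: str, mechs: Iterable[str], utility: Tuple[int, int, int, int, int]) -> Policy:
    return Policy(pid, frozenset(mechs), utility)


BASE = ["aka-mutual-auth", "registration"]   # present in every level

# Mechanism labels are constructed; the utility values are those the patent
# states for P1..P7 ("access" = first hop, i.e. UE to P-CSCF).
POLICIES: List[Policy] = [
    _policy("P1", BASE, (2, 0, 0, 1, 0)),
    _policy("P2", BASE + ["access:md5"], (3, 0, 1, 3, 0)),
    _policy("P3", BASE + ["access:md5", "inter-domain:md5+3des"], (3, 2, 2, 4, 0)),
    _policy("P4", BASE + ["access:md5", "inter-domain:md5+3des", "intra-domain:md5"],
            (3, 2, 3, 4, 0)),
    _policy("P5", BASE + ["access:sha1", "inter-domain:sha1+3des", "intra-domain:sha1"],
            (3, 2, 6, 4, 0)),
    _policy("P6", BASE + ["access:md5+3des", "inter-domain:md5+3des",
                          "intra-domain:md5+3des", "topology-hiding"], (4, 4, 3, 6, 1)),
    _policy("P7", BASE + ["access:sha1+3des", "inter-domain:sha1+3des",
                          "intra-domain:sha1+3des", "topology-hiding"], (4, 4, 6, 6, 1)),
]
KNOWN_MECHANISMS = frozenset().union(*(p.mechanisms for p in POLICIES))

# Constructed operator configuration: the network-side mechanisms this home
# domain has deployed (the UE only contributes its access mechanisms).
OPERATOR_MECHANISMS = frozenset({
    "aka-mutual-auth", "registration", "topology-hiding",
    "inter-domain:md5+3des", "inter-domain:sha1+3des",
    "intra-domain:md5", "intra-domain:sha1",
    "intra-domain:md5+3des", "intra-domain:sha1+3des",
})

# Constructed operator rule: minimum overall strength per (user type, service type).
MIN_STRENGTH = {
    ("general", "voice"): 7,
    ("general", "conference"): 11,
    ("premium", "conference"): 15,
}


def levels_weak_to_strong() -> List[str]:
    """Policy ids ordered by protection strength, as step (1.3) requires."""
    return [p.policyid for p in sorted(POLICIES, key=Policy.strength)]


def select_policy(ue_mechanisms: Iterable[str], user_type: str,
                  service_type: str) -> Tuple[str, Optional[Policy]]:
    """S-CSCF selection of steps (2.2.1) to (2.2.3).

    Returns the SIP status to answer with and the recommended policy
    (None when the answer is 411 or 422).
    """
    ue = frozenset(ue_mechanisms)
    # Step (2.2.2): a mechanism the S-CSCF does not recognise -> 411.
    if not ue <= KNOWN_MECHANISMS:
        return "411 Security Mechanism Undecipherable", None
    # A level is usable only if every mechanism it combines is available:
    # the UE's access mechanisms (learned via Sip-Sec-Agree) plus the
    # operator's own intra-domain, inter-domain and hiding mechanisms.
    available = ue | OPERATOR_MECHANISMS
    needed = MIN_STRENGTH.get((user_type, service_type), 3)   # default: P1 level
    candidates = [p for p in POLICIES
                  if p.mechanisms <= available and p.strength() >= needed]
    # Step (2.2.3): no selectable policy -> 422.
    if not candidates:
        return "422 Security Policy Agreement Failed", None
    # Step (2.2.1): recommend the weakest level that still meets the required
    # strength, which keeps the security overhead on QoS as low as the rule
    # allows (the patent leaves the exact recommendation rule to the operator).
    return "183 Session Progress", min(candidates, key=Policy.strength)
```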
Step (2): the client UE and the server-side CSCF server carry out the following steps in turn to complete the service request procedure:
Step (2.1): the client UE includes in its service request message the header Supported: Security-policy-service, indicating support for the security policy negotiation service, and the security policy tag sec-policy in the Proxy-Require header, indicating that this service needs to negotiate a unified security policy with the S-CSCF server;
Step (2.2): after receiving the service request message of step (2.1) via the P-CSCF of the home network domain, the S-CSCF server performs the following steps of the security policy selection method based on the user's service type:
Step (2.2.1): from the registration record and the security mechanisms supported in steps (1.1) and (1.3), the S-CSCF recommends the security policy level suited to this client UE on the basis of the user type, the service type and the operator type;
Step (2.2.2): the S-CSCF checks whether any optional security mechanism is mismatched or unrecognised; if so, it sends the client UE the message 411 Security Mechanism Undecipherable, otherwise it proceeds to step (2.2.3);
Step (2.2.3): the S-CSCF checks whether a selectable security policy exists; if none does, it sends the client UE the message 422 Security Policy Agreement Failed, otherwise it proceeds to step (2.2.4);
Step (2.2.4): the S-CSCF writes all the security mechanisms of the recommended security policy into the Security-policy header of the session response message 183 Session Progress. This header carries the security policy level tag policyid, the access security mechanism tag access-sec, the intra-domain security mechanism tag intra-domain-sec and the inter-domain security mechanism tag inter-domain-sec; the specific algorithm used by each mechanism is written into the corresponding field of the header, and the message is sent to the client UE;
Step (2.3): after receiving via the P-CSCF the session response message sent by the S-CSCF in step (2.2), the client UE carries out the following steps in turn:
Step (2.3.1): the client UE checks the session response message; if it is 411 Security Mechanism Undecipherable, the security mechanism was not recognised and the UE returns to step (2.1) to repeat the security policy negotiation;
Step (2.3.2): if the session response message is 422 Security Policy Agreement Failed, the negotiation has failed and the UE stops the negotiation procedure;
Step (2.3.3): on receiving the header carrying the security policy recommended by the S-CSCF in the session response message of step (2.2.4), the client UE, once it confirms acceptance, copies the entire content of that header into the security policy confirmation header Security-policy-verify of the request message INVITE and sends it to the S-CSCF;
Step (2.4): after receiving the Security-policy-verify header sent by the client UE, the S-CSCF compares it with the security policy recommended in step (2.2.4) to confirm whether the UE accepted it. If they differ, step (2.2) is repeated. If they match completely, the S-CSCF removes the fields related to the security policy negotiation service extension from the service request, forwards it to the corresponding application server and, for the service type requested by that UE, provides the access protection, intra-domain protection and inter-domain protection mechanisms of the overall security policy just negotiated.
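The header exchange of steps (2.2.4), (2.3.3) and (2.4), as an added Python example that is not code from the patent: the S-CSCF carries the recommended policy in 183 Session Progress, the UE copies it unchanged into Security-policy-verify, and the S-CSCF accepts the INVITE only when the copy matches, then strips the extension fields before forwarding. The header names, tags and status lines are the patent's; the parameter syntax (semicolon-separated name=value pairs), the algorithm spellings and the SIP URI are constructed assumptions.

```python
from typing import Dict, List, Optional, Tuple

Header = Tuple[str, str]

# Tags the patent defines for the Security-policy header (step 2.2.4).
POLICY_TAGS = ("policyid", "access-sec", "intra-domain-sec", "inter-domain-sec")
# Option tags of the negotiation extension (step 2.1) that the S-CSCF strips
# before forwarding the request to the application server (step 2.4).
EXTENSION_OPTION_TAGS = {"supported": "security-policy-service",
                         "proxy-require": "sec-policy"}


def parse_message(message: str) -> Tuple[str, List[Header]]:
    """Split a SIP message into its start line and (name, value) header pairs."""
    lines = message.split("\r\n\r\n", 1)[0].split("\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return lines[0], headers


def build_message(start_line: str, headers: List[Header]) -> str:
    return "\r\n".join([start_line] + [f"{n}: {v}" for n, v in headers] + ["", ""])


def get_header(headers: List[Header], name: str) -> Optional[str]:
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


def format_policy(policy: Dict[str, str]) -> str:
    """Assumed value syntax: 'policyid=P3; access-sec=md5; intra-domain-sec=none; ...'."""
    missing = [t for t in POLICY_TAGS if t not in policy]
    if missing:
        raise ValueError(f"policy lacks tags {missing}")
    return "; ".join(f"{t}={policy[t]}" for t in POLICY_TAGS)


def parse_policy(value: str) -> Dict[str, str]:
    """Inverse of format_policy; rejects malformed or incomplete header values."""
    policy: Dict[str, str] = {}
    for item in value.split(";"):
        tag, sep, val = item.strip().partition("=")
        if not sep or not tag.strip():
            raise ValueError(f"malformed policy parameter {item!r}")
        policy[tag.strip().lower()] = val.strip()
    if set(policy) != set(POLICY_TAGS):
        raise ValueError("policy header must carry exactly the four tags")
    return policy


def scscf_recommend(policy: Dict[str, str]) -> str:
    """Step (2.2.4): carry the recommended policy in 183 Session Progress."""
    return build_message("SIP/2.0 183 Session Progress",
                         [("Security-policy", format_policy(policy))])


def ue_handle_response(response: str, ue_access_mechanisms) -> Tuple[str, Optional[str]]:
    """Steps (2.3.1) to (2.3.3): returns an action and, on acceptance, the INVITE."""
    start, headers = parse_message(response)
    if start.startswith("SIP/2.0 411 "):
        return "renegotiate", None        # step (2.3.1): go back to step (2.1)
    if start.startswith("SIP/2.0 422 "):
        return "stop", None               # step (2.3.2)
    value = get_header(headers, "Security-policy")
    if value is None:
        return "stop", None
    policy = parse_policy(value)
    # The UE accepts only an access mechanism it implements (assumed check).
    if policy["access-sec"] not in ue_access_mechanisms:
        return "stop", None
    # Step (2.3.3): copy the header content unchanged into Security-policy-verify.
    invite = build_message("INVITE sip:conference@ims.example SIP/2.0", [
        ("Supported", "Security-policy-service, 100rel"),
        ("Proxy-Require", "sec-policy"),
        ("Security-policy-verify", value),
    ])
    return "accept", invite


def scscf_verify(invite: str, recommended: Dict[str, str]) -> Tuple[bool, Optional[str]]:
    """Step (2.4): accept the confirmation only if it matches the recommendation.

    On a match the extension fields are stripped and the INVITE to forward to
    the application server is returned; on a mismatch (or a missing or
    malformed header) the S-CSCF repeats step (2.2), so nothing is forwarded.
    """
    start, headers = parse_message(invite)
    value = get_header(headers, "Security-policy-verify")
    try:
        confirmed = parse_policy(value) if value is not None else None
    except ValueError:
        confirmed = None
    if confirmed != recommended:
        return False, None
    forwarded: List[Header] = []
    for name, val in headers:
        lname = name.lower()
        if lname == "security-policy-verify":
            continue
        if lname in EXTENSION_OPTION_TAGS:
            kept = [t.strip() for t in val.split(",")
                    if t.strip().lower() != EXTENSION_OPTION_TAGS[lname]]
            if not kept:
                continue                  # header carried only the extension tag
            val = ", ".join(kept)
        forwarded.append((name, val))
    return True, build_message(start, forwarded)
```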
The effects of the invention are as follows:
(1) The invention defines a scheme for dividing security protection into levels in the IMS network, providing a complete and unified set of IMS security policies that gives IMS operators and end users policy options for security negotiation and that can be extended in the future in line with the technical specifications.
(2) The SIP-based security policy negotiation and control method designed here lets network operators offer appropriate security policies for different service types and user types, satisfying personalised QoS guarantees while reducing the resource overhead of network security, and thus selecting the best policy for network security protection and QoS assurance.
Description of drawings
Figure 1 is the flow chart of security policy negotiation control at the terminal UE in the invention.
Figure 2 is the flow chart of security policy negotiation control at the S-CSCF in the invention.
Figure 3 is the algorithm by which the S-CSCF divides the security policy levels at IMS initialisation in the invention.
Figure 4 is the flow chart of security policy selection by the S-CSCF in the invention.
Figure 5 is the flow chart of security policy negotiation control during a service request in the invention.
Detailed description of the embodiments
The present invention is a security policy negotiation and control method in an IMS network. The interacting entities involved are mainly the user equipment UE, acting as the client, and the serving call session control function S-CSCF in the IMS network, which carry out security policy negotiation control based on the SIP message format.
The present invention defines a new SIP extension header field, the security policy negotiation service Security-policy-service, used for the security policy negotiation flow between the S-CSCF and the UE. During registration the S-CSCF provides the UE with a default security policy and checks whether the UE supports the extension of the present invention; in the service request signaling, Security-policy-service is used to negotiate a security policy that meets the security requirements of the service the user requested.
The UE's security policy negotiation flowchart is shown in Figure 1. The UE must first declare, while registering with the IMS network, that it supports the Security-policy-service extension, and provide the security mechanisms and algorithms it supports to the S-CSCF through the existing security mechanism agreement protocol Sip-Sec-Agree, so that the S-CSCF can offer a suitable security policy. Then, during the service request, the UE obtains the security policy recommended by the S-CSCF and checks whether it meets the security requirements of its own service and whether the UE supports the relevant security mechanisms. If it decides to accept, it copies the accepted security policy and mechanisms into the security policy confirmation header field Security-policy-verify and returns it to the S-CSCF.
The S-CSCF's security policy negotiation flowchart is shown in Figure 2. After the UE registers with the IMS home network, the S-CSCF marks in its local database the UE users that declare support for the Security-policy-service header field extension. At the same time, from the optional or mandatory intra-domain and inter-domain security mechanisms defined in the IMS technical specifications, and from the access security mechanisms supported by the UE, the S-CSCF composes security policies of different levels whose protection strength ranges from weak to strong, which serve the IMS network's overall security policy selection for that UE user. Then, during the UE's service request, the S-CSCF recommends the corresponding security policy and specific mechanisms for that service, sends them to the UE in the Security-policy header field of the 183 Session Progress message, and, after obtaining the Security-policy-verify confirmation that the UE accepts the policy, deletes the fields related to the Security-policy-service extension from the service request and forwards it to the corresponding application server. At the same time, for the service type the UE requested, it provides the access protection, intra-domain protection and inter-domain protection security mechanisms in accordance with the previously negotiated overall security policy.
There are two possible negotiation failure cases in this scheme, corresponding to two responses: 421 Security Policy Undecipherable and 422 Security Policy Agreement Failed.
421 Security Policy Undecipherable: the definition standard and format of the security policy do not conform to the specification, or the corresponding fields cannot be recognized, so the S-CSCF cannot recognize the accepted security policy that the terminal UE sent; in that case the S-CSCF returns "421 Security Policy Undecipherable".
422 Security Policy Agreement Failed: if the UE does not support the security policy recommended by the S-CSCF, and at the same time the S-CSCF cannot satisfy the security policy sent by the UE, the S-CSCF returns a "422 Security Policy Agreement Failed" message, indicating that it cannot negotiate a consistent overall security policy with the terminal.
In the present invention, the confidentiality and integrity of the control signaling with which the UE and S-CSCF negotiate the security policy are protected mainly by the UE's default security policy from the registration process, namely the security association established by mutual authentication during registration, with the integrity key and cipher key obtained through the 3GPP AKA mechanism; see 3GPP TS 33.210 and 3GPP TS 33.203 for details.
In the implementation flow above, the present invention involves two parts of the technical solution, introduced as follows:
(1) Scheme for dividing security protection levels
Before security policies are negotiated, they must first be divided into levels. The present invention defines an evaluation method for the protection strength of IMS security mechanisms and a scheme for dividing protection levels. International security evaluation standards such as ISO 17799 and ISO 15408 only grade the protection strength of encryption and decryption algorithms according to key length or information sensitivity, and lack a grading standard for non-cryptographic mechanisms. The scheme adopted in the present invention computes a utility value from the degree to which a security mechanism affects each security attribute, and from these comprehensively determines the strength and level of a security policy; the specific algorithm is shown in Figure 3.
First, compute the utility values of the different security mechanisms in the IMS network for the five security attributes of authentication, confidentiality, integrity, availability and privacy, as in Table 2 (the specific values are for reference only). According to the relevant security standards, the secure hash algorithm SHA-1 offers stronger protection than the message digest algorithm MD5, so for integrity protection SHA-1 has a utility of 2 while MD5 has 1; and adopting MD5 together with the strengthened Data Encryption Standard algorithm 3DES is more effective for confidentiality than adopting an encryption algorithm alone. Note that the weight assigned to a security attribute of a security mechanism only indicates its relative utility compared with other security mechanisms; these weights do not denote an absolute amount of security utility associated with that attribute. The utility table above therefore gives indicative values for reference only, but it must reflect the differences in protection strength between the security mechanisms.
Second, according to the IMS network access security and network domain security specifications and the optionality of the security mechanisms, compose, by selecting the optional security mechanisms at each layer, different security policies whose protection strength ranges from weak to strong (the set can be extended). The combination of security mechanisms must comply with the security standards defined by the IMS technical specifications formulated by 3GPP, and cover security protection of the five attributes of authentication, confidentiality, integrity, availability and privacy; the protection strength of a security policy is determined by the cumulative sum of the utilities of its security mechanisms. Finally, based on the division scheme above, the present invention provides a complete and unified set of IMS security policy combinations, offering policy choices for security negotiation between the IMS and the user. Of course, there is no unique standard for the IMS security policy combination; the present invention only provides one evaluation scheme, which is highly extensible.
In the reference division scheme given by the present invention, the specific security policy utility values are computed as shown in Table 3. There are seven security policies {P1, P2, ..., P7}. If policy P6 is adopted for a given user, it means the IMS provides that user with a mutual authentication registration mechanism protected by AKA, first-hop security (between UE and P-CSCF) with MD5+3DES protection, MD5+3DES encryption protection for both IMS inter-domain and intra-domain security, and a network topology hiding mechanism to protect availability. Note that the IMS network may adopt different security policy standards for different service types, user types and operators, but the security policies themselves must be compatible: the same encryption and decryption algorithm must be used, and contradictory combinations of security mechanisms cannot be adopted.
(2) Security policy negotiation and recommendation scheme
The negotiation of security policies and control methods between the terminal UE user and the S-CSCF involves two processes, registration and service application. The present invention defines a new SIP tag, Security-policy-service, used for the security policy negotiation flow between the S-CSCF and the UE. During registration the S-CSCF provides the terminal user with a default security policy and checks whether the UE supports the extension of the present invention; in the service request signaling, Security-policy-service is used to negotiate a security policy that meets the security requirements of the service the user requested.
After the security policy levels have been divided, a method for how the S-CSCF negotiates with the UE and recommends a suitable security policy must be provided. The specific flow is shown in Figure 4. The inputs obtained are: the security mechanisms supported by the UE, the service type requested by the UE, and the UE user type. Based on the security mechanisms supported by the UE, if the UE's security mechanisms cannot be recognized, the S-CSCF outputs 421 Security Mechanism Undecipherable; if they can be recognized, then according to the user type and the requested service type it selects, from the security policies composed above, the lowest policy that meets the requirements; if no policy is available, it still outputs 422 Security Policy Agreement Failed; if there is one, it is the security policy the S-CSCF recommends for the service requested by that UE user.
All SIP messages in the present invention show only the header fields related to this extension scheme; other unrelated header fields are omitted. Also, in IMS, SIP needs to use the compressed form of header fields to save bandwidth; for readability, none of the header fields in the present invention use the compressed form. Message examples for the security policy negotiation control flow are given below:
Registration process
Suppose the terminal equipment user (UE) supports the extension defined in this scheme and initiates a registration request to its home network. The request must indicate that this client supports security policy formulation and the related protocol, and can understand the header fields corresponding to the extension. The registration request message of the client UE is as follows:
After the S-CSCF has authenticated the user UE, it knows from Supported: Security-policy-service that the client supports the extension defined in the present invention, and marks the user in the local database so that the required security policy can be negotiated with the terminal user during subsequent session establishment. After registration is complete, the security policy the IMS applies to the UE is as follows: access security uses the security mechanism between the P-CSCF and the UE determined by the SIP security mechanism agreement (see Figure 1), while network domain security uses the default security policy of the IMS core network.
An IMS service provider may require that users support the Security-policy-service extension in order to use the network's services, and reject the registration request of a user that does not; this can be implemented by checking whether the registration request contains Supported: Security-policy-service. An IMS service provider may also allow users that do not support the Security-policy-service extension to register, mark those users, and restrict their access to services through a certain policy, for example by providing only a few basic services. A service provider may further download the new extension to the user terminal over the air interface, redirecting requests from users that do not support the Security-policy-service extension to an update server with a 301 response, and allowing the user normal access to the IMS network after the extension has been installed.
Service request process
Figure 5 depicts the signaling related to the present invention when a UE initiates a call request to a SIP application server. Here the UE is the SIP client, the P-CSCF and S-CSCF are the SIP session control servers in the IMS network, and the Application Server is the application server in the IMS network.
Each step of this call flow and the relevant fields of the SIP messages are described in detail below:
(1) The UE requests a service from the application server AS. The SIP message contains Supported: Security-policy-service to indicate support for this patent's extension, and the Proxy-Require header contains the option tag "sec-policy", indicating that the requested service needs a unified security policy negotiated with the S-CSCF. The SIP message is as follows (all messages in this patent contain only the necessary fields):
(2) The P-CSCF forwards the INVITE request to the S-CSCF, and the S-CSCF verifies the extensions supported by the user against the record made at registration. Since the user supports the Security-policy-service extension, Alice needs to negotiate a security policy with the S-CSCF before she can request session establishment. Following the method of Figure 5, the S-CSCF queries the HSS server, determines the corresponding security policy according to the type of service requested by the user and the user terminal type, and returns a 183 Session Progress message to which a Security-policy header is added. The header contains the policyid, access-sec, intra-domain-sec and inter-domain-sec tags, which specify respectively the security policy ID, the access security mechanism, the intra-domain security mechanism and the inter-domain security mechanism. In the Security-policy header, policyid is the ID number of the security policy; the policy adopted in Figure 5 is P5 (mutual authentication + registration + first-hop security protection (SA SHA-1) + inter-domain security (SHA-1 3DES) + intra-domain security (SHA-1)). The SIP message is as follows:
(3) After receiving the 183 Session Progress response, Alice checks whether the security policy the S-CSCF proposed in the Security-policy header is supported and meets the user's security requirements. If so, she returns a Security-policy-verify header that copies the security policy recommended by the S-CSCF, confirming acceptance of the policy; if the policy is considered unacceptable, she sends the "Require: sec-policy; Proxy-Require: sec-policy" message again to request that the S-CSCF recommend another suitable security policy.
(4) After receiving the confirmed security policy sent by Alice, the S-CSCF checks whether it is consistent with the policy it recommended. If so, the overall security policy negotiation is complete: the S-CSCF deletes the "Supported: Security-policy-service" field from the service request Alice sent and forwards it to the corresponding application server, and, for Alice's terminal UE and the service type she requested, provides the access protection, intra-domain protection and inter-domain protection security mechanisms in accordance with the previously negotiated overall security policy, ensuring the security of Alice's service control signaling and providing good quality-of-service assurance.
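As an added example that is not part of the patent, the following Python models the S-CSCF side of steps (1) to (4) and the Figure 4 selection rule, ranking the policies by the cumulative utility sum of Figure 3. The utility values, the policy table and the minimum level per user and service type are constructed stand-ins (Tables 2 and 3 are not reproduced on the page), and the header syntax, name=value pairs separated by semicolons, is an assumption.

```python
# Added example, not code from the patent. UTILITY, POLICIES and MIN_LEVEL
# are constructed stand-ins (Tables 2 and 3 are not on the page) and the
# header syntax "Name: k=v; k=v" is an assumption.

# Per-mechanism utility on (authentication, confidentiality, integrity,
# availability, privacy). Only "SHA-1 integrity 2, MD5 integrity 1" comes
# from the text; every other number is constructed.
UTILITY = {
    "AKA":       (3, 0, 0, 0, 0),
    "MD5":       (0, 0, 1, 0, 0),
    "SHA-1":     (0, 0, 2, 0, 0),
    "3DES":      (0, 2, 0, 0, 1),
    "TOPO-HIDE": (0, 0, 0, 1, 1),   # network topology hiding
}

# Tags carried in the Security-policy header; "reg" (AKA mutual
# authentication at registration) is part of every policy but not a tag.
HEADER_TAGS = ("access-sec", "intra-domain-sec", "inter-domain-sec")

def _policy(access, intra, inter):
    return {"reg": ["AKA"], "access-sec": access,
            "intra-domain-sec": intra, "inter-domain-sec": inter}

# P5 and P6 follow the text's description; the rest are filled in so that
# the cumulative utility rises from P1 to P7.
POLICIES = {
    "P1": _policy([], [], []),
    "P2": _policy(["MD5"], [], []),
    "P3": _policy(["SHA-1"], ["MD5"], []),
    "P4": _policy(["SHA-1"], ["SHA-1"], ["SHA-1"]),
    "P5": _policy(["SHA-1"], ["SHA-1"], ["SHA-1", "3DES"]),
    "P6": _policy(["MD5", "3DES"], ["MD5", "3DES"], ["MD5", "3DES", "TOPO-HIDE"]),
    "P7": _policy(["SHA-1", "3DES"], ["SHA-1", "3DES"], ["SHA-1", "3DES", "TOPO-HIDE"]),
}

# Constructed minimum utility required per (user type, service type).
MIN_LEVEL = {("basic", "messaging"): 4, ("premium", "messaging"): 9,
             ("premium", "video"): 12}

UNDECIPHERABLE = "421 Security Policy Undecipherable"
AGREEMENT_FAILED = "422 Security Policy Agreement Failed"

def policy_utility(policy):
    """Protection strength = sum of every mechanism's utility on all attributes."""
    return sum(sum(UTILITY[m]) for layer in policy.values() for m in layer)

def rank_policies():
    """Figure 3: policy ids ordered from weakest to strongest."""
    return sorted(POLICIES, key=lambda pid: policy_utility(POLICIES[pid]))

def policy_header(name, pid):
    """Render a policy as 'Name: policyid=..; access-sec=..; ...'."""
    parts = [f"policyid={pid}"] + [
        f"{tag}={','.join(POLICIES[pid][tag])}" for tag in HEADER_TAGS]
    return f"{name}: " + "; ".join(parts)

def recommend(ue_mechanisms, user_type, service_type):
    """Figure 4: weakest policy that meets the requirement and that the UE
    can run; 421 if a UE mechanism is unknown, 422 if no policy fits."""
    if not set(ue_mechanisms) <= set(UTILITY):
        return UNDECIPHERABLE
    needed = MIN_LEVEL.get((user_type, service_type), 0)
    for pid in rank_policies():
        used = {m for layer in POLICIES[pid].values() for m in layer}
        if policy_utility(POLICIES[pid]) >= needed and used <= set(ue_mechanisms):
            return policy_header("Security-policy", pid)
    return AGREEMENT_FAILED

def parse_header(line):
    """Parse 'Name: k=v; k=v' into (name, {k: v}); None if malformed."""
    name, sep, body = line.partition(":")
    if not sep or not body.strip():
        return None
    fields = {}
    for item in body.split(";"):
        key, eq, value = item.strip().partition("=")
        if not eq or not key:
            return None
        fields[key] = value
    return name.strip(), fields

def verify(recommended, echoed):
    """Step (4): accept only an exact Security-policy-verify echo of the
    recommended policy; 421 if it cannot be parsed, 422 if it differs."""
    parsed = parse_header(echoed)
    if parsed is None or parsed[0] != "Security-policy-verify":
        return UNDECIPHERABLE
    if parsed[1] != parse_header(recommended)[1]:
        return AGREEMENT_FAILED
    return "OK"

if __name__ == "__main__":
    offer = recommend(["AKA", "SHA-1", "3DES", "MD5"], "premium", "video")
    print(offer)                    # policyid=P5 ... as in step (2)
    echo = offer.replace("Security-policy:", "Security-policy-verify:")
    print(verify(offer, echo))      # OK
```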
Tables 1 to 3 follow
Table 1. Security mechanisms of each IMS layer under the existing technology
Table 2. Utility table of the corresponding security attributes for different security mechanisms
Table 3. Utility values of security policies of different levels for the security attributes
Claims (1)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2009100778604A CN101483860B (en) | 2009-01-23 | 2009-01-23 | Negotiation control method based on SIP security policy grade in IMS network |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101483860A true CN101483860A (en) | 2009-07-15 |
CN101483860B CN101483860B (en) | 2010-09-01 |
Family
ID=40880748
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2009100778604A Expired - Fee Related CN101483860B (en) | 2009-01-23 | 2009-01-23 | Negotiation control method based on SIP security policy grade in IMS network |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101483860B (en) |
2009-01-23 CN CN2009100778604A patent/CN101483860B/en not_active Expired - Fee Related
Also Published As
Publication number | Publication date |
---|---|
CN101483860B (en) | 2010-09-01 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee | ||
Granted publication date: 20100901 Termination date: 20210123 |