WO2008034377A1 - Method and system of authentication consultation - Google Patents

Info

Publication number
WO2008034377A1
Authority
WO
WIPO (PCT)
Application number
PCT/CN2007/070572
Other languages
French (fr)
Chinese (zh)
Inventor
Bin Yu
Original Assignee
Huawei Technologies Co., Ltd.

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L 9/32 Cryptographic mechanisms or cryptographic arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/08 Network architectures or network communication protocols for authentication of entities
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/06 Authentication

Definitions

  • This application claims priority to Chinese patent application No. 200610127603.3, filed with the Chinese Patent Office on August 29, 2006 and entitled "An authentication negotiation method and a communication system", the entire contents of which are incorporated herein by reference.
  • The present invention relates to the field of communication security technologies, and in particular to an authentication negotiation method and system.
  • In an Internet Protocol Multimedia Subsystem (IMS) network, terminals come in many forms, their capabilities differ and their authentication types differ, so the IMS core network is required to support multiple authentication types.
  • The authentication types currently supported by the IMS core network are IMS AKA authentication, Early IMS authentication and HTTP Digest authentication.
  • A flow chart of an authentication method in the prior art is shown in FIG. 1:
  • the user terminal sends a registration message to the Interrogating Call Session Control Function (I-CSCF) through a proxy call session control unit (P-CSCF, Proxy Call Session Control Function);
  • I-CSCF Interrogating Call Session Control Function
  • P-CSCF Proxy Call Session Control Function
  • The I-CSCF sends a user status query request message to the Home Subscriber Server (HSS);
  • HSS User Subscriber Server
  • the HSS feeds back the user status query response information to the I-CSCF.
  • The I-CSCF selects the corresponding Serving Call Session Control Function (S-CSCF) according to the response information;
  • S-CSCF Serving Call Session Control Function
  • After selecting the corresponding S-CSCF, the I-CSCF sends the registration message to the S-CSCF;
  • the S-CSCF initiates an authentication vector request to the HSS after receiving the registration message.
  • The HSS selects the corresponding authentication vector;
  • the HSS feeds back the selected authentication vector to the S-CSCF.
  • The S-CSCF sends an Unauthorized message to the user terminal through the I-CSCF and the P-CSCF, requesting the user to perform authentication;
  • The user terminal sends a registration message carrying the RES parameter to the I-CSCF through the P-CSCF;
  • The I-CSCF requests the user status from the HSS and receives the HSS's response;
  • The I-CSCF sends the registration message carrying the RES parameter to the S-CSCF;
  • the S-CSCF authenticates the user according to the RES parameter in the registration message and the locally stored RES parameter.
  • After the authentication passes, the S-CSCF sends a user registration/logout request message to the HSS.
  • the HSS feeds back a user registration/logout response message to the S-CSCF;
  • the S-CSCF feeds back the success confirmation message to the user terminal through the I-CSCF and the P-CSCF.
  • 3GPP TS 24.229 v6.9.0 specifies that the first registration message of an ISIM card user using AKA authentication (such as the registration message sent in step 101 of FIG. 1) always carries an Authorization header field, which carries the user's private identity and the algorithm name.
  • 3GPP TS 33.978 v630 specifies that the registration message of a user using Early IMS authentication never carries an Authorization header field, and an IMS network supporting both IMS AKA authentication and Early IMS authentication determines which authentication the user expects to use by checking whether the registration message carries an Authorization header field.
  • In the HTTP Digest authentication procedure described in RFC 2617 and RFC 3261, the user's first registration message normally does not carry an Authorization header field.
  • The user's second registration message always carries Authorization, which carries the user's username and the algorithm name.
  • TISPAN Release 1 does not specify whether the registration message of the fixed network user carries Authorization. Therefore, the user equipment that follows TISPAN Release 1 may not carry the Authorization header field when performing NASS-Bundled authentication.
  • The invention provides an authentication negotiation method and a communication system using the method, for improving the accuracy of authentication type determination.
  • The present invention provides an authentication negotiation method, including:
  • when the serving call session control unit S-CSCF cannot determine the authentication type and requests the authentication type from the HSS, the home subscriber server HSS receives the extended authentication vector request MAR message sent by the S-CSCF;
  • the HSS determines, according to the received MAR message, that the S-CSCF needs to obtain the authentication type;
  • the HSS reads the authentication types subscribed by the user, selects an authentication type from them according to the authentication type that the S-CSCF needs to obtain, and provides it to the S-CSCF.
  • a home subscriber server provided by the present invention includes:
  • a receiving unit, which receives an extended authentication vector request MAR message sent by the serving call session control unit S-CSCF;
  • a determining unit, which determines, according to the received MAR message, that the S-CSCF needs to obtain the authentication type;
  • an obtaining unit, which reads the authentication types subscribed by the user and the corresponding authentication data;
  • a selecting unit, which selects an authentication type from the authentication types subscribed by the user according to the authentication type that the S-CSCF needs to obtain;
  • a sending unit, which sends the selected authentication type and its corresponding authentication data to the S-CSCF.
  • the present invention provides a system with an authentication negotiation function, including: a home subscriber server HSS and a service call session control unit S-CSCF;
  • the serving call session control unit S-CSCF sends an extended authentication vector request MAR message;
  • the home subscriber server HSS is configured to read the authentication types subscribed by the user and select an authentication type among them;
  • the home subscriber server HSS receives the extended authentication vector request MAR message sent by the S-CSCF and selects an authentication type from the authentication types subscribed by the user according to the authentication type information carried in the extended MAR message;
  • the home subscriber server HSS sends the selected authentication type and its corresponding authentication data to the serving call session control unit S-CSCF;
  • the serving call session control unit authenticates the user according to the received authentication data.
  • In the technical solution provided by the invention, when the serving call session control unit S-CSCF cannot determine the authentication type, the S-CSCF negotiates with the home subscriber server, which stores the user's subscription data and authentication data.
  • The home subscriber server selects an authentication type from the authentication types subscribed by the user according to the authentication type that the S-CSCF needs to obtain and sends the selected authentication type to the S-CSCF; because the home subscriber server determines the authentication type, the accuracy of the authentication type determination is improved.
  • FIG. 3 is a detailed flowchart of an authentication negotiation method in an embodiment of the present invention.
  • FIG. 4 is a schematic diagram of a system in an embodiment of the present invention.
  • the embodiment of the invention provides an authentication negotiation method and a communication system using the method, which are used for improving the accuracy of the authentication type determination.
  • Referring to FIG. 2, the overall process of the authentication negotiation method provided by the embodiment of the present invention is as follows: 201, read the authentication type; 202, query the authentication type with the highest priority; 203, send the authentication data; 204, perform authentication.
  • In step 201, the HSS reads the authentication types subscribed by the user from its local data.
  • In step 202, the HSS queries the authentication type with the highest priority among the authentication types read. If the MAR message carries multiple authentication types, the HSS needs to query the authentication type with the highest priority from the intersection of that set and the set of authentication types subscribed by the user.
  • the authentication data includes an authentication type.
  • the S-CSCF performs authentication according to the received authentication data.
  • the detailed process of the authentication negotiation method provided by the embodiment of the present invention is as follows:
  • The user terminal sends a registration message to the P-CSCF, the P-CSCF forwards the received registration message to the I-CSCF, the I-CSCF sends a user registration status query request message to the HSS, and the HSS returns the user registration status query response to the I-CSCF.
  • the I-CSCF selects the S-CSCF based on the obtained User Registration Status Query Response message and sends a registration message to the S-CSCF.
  • Step 302: determine whether the S-CSCF can determine the authentication type; if yes, go to step 307, if not, go to step 303.
  • Because the first registration message in IMS AKA authentication must carry the Authorization header field, the registration message of a user in Early IMS authentication must not carry the Authorization header field, and the registration message of a user in HTTP Digest authentication or NASS-Bundled authentication may or may not carry the Authorization header field, the S-CSCF may be unable to determine the type of authentication the user needs to perform.
  • When the S-CSCF cannot determine the authentication type, it needs to obtain the authentication type from the HSS.
  • The S-CSCF implements this request by sending an extended authentication vector request message (MAR, Multimedia Auth Request) to the HSS.
  • MAR Multimedia Auth Request
  • In one extension manner, the attribute of the AVP SIP-Authentication-Scheme in the MAR message is changed to optional. If the parameter is carried, it indicates that the S-CSCF can determine the authentication type and the HSS is not required to select the authentication type; if the parameter is not carried, it indicates that the S-CSCF cannot determine the authentication type and the HSS needs to select the authentication type and deliver the authentication data corresponding to it.
  • In another extension manner, the value of the AVP SIP-Authentication-Scheme is extended with one possible value "Unknown", and the attribute of the AVP SIP-Authentication-Scheme remains mandatory. This requires both the HSS and the S-CSCF to understand the meaning of "Unknown": if the value is "Unknown", the S-CSCF cannot determine the authentication type.
  • After the MAR message is extended according to either of the above two extension manners, the S-CSCF sends the MAR message to the HSS, and the HSS determines, according to the received MAR message, that the S-CSCF needs to obtain the authentication type.
  • The S-CSCF can narrow the range of the user's authentication according to the user's registration message; for example, the S-CSCF can determine that the user can only use Early IMS authentication or HTTP Digest authentication and cannot use IMS AKA.
  • The S-CSCF may therefore carry a set of possible authentication types in the MAR message, indicating that the HSS may select within the intersection of this set and the set of authentication types supported by the user, which further improves the accuracy of the authentication selection.
  • The specific MAR message extension can be implemented in the following three ways:
  • In the first way, the AVP SIP-Authentication-Scheme is allowed to appear multiple times. If multiple values are carried, it indicates that the S-CSCF has determined that the user may use several authentication types; the HSS needs to select an authentication type within that range according to the authentication types supported by the user, and deliver the authentication data corresponding to the selected authentication type.
  • In the second way, when the user may adopt several authentication types, the S-CSCF indicates the authentication types the user may adopt to the HSS by carrying a plurality of the element that conveys the authentication type.
  • In the third way, a new AVP is added to the MAR message with its 'M' bit set to 0, and multiple instances of the new AVP are carried to convey multiple authentication types. In this way the existing MAR message need not be modified, and an HSS that does not understand the new AVP can ignore it.
  • This extension adds an AVP with the same structure as the AVP SIP-Auth-Data-Item, for example named Extended-SIP-Auth-Data-Item, which can appear multiple times. When the S-CSCF determines that the user may adopt several authentication types, it indicates them to the HSS by carrying a plurality of this element.
  • Since the authentication types and authentication data supported by the user are all stored in the HSS at subscription time, the HSS knows which authentication modes the user supports. When the S-CSCF cannot obtain the user's authentication type from the registration message, the HSS obtains all the authentication types supported by the user from its local storage.
  • The HSS queries the authentication type with the highest priority among all the authentication types supported by the user. If the user supports only one authentication type, that authentication type has the highest priority.
  • If the MAR message carries a set of possible authentication types, the HSS needs to select from the intersection of that set and the set of all authentication types supported by the user.
  • The priority can be specified by the user at subscription time, or by the HSS, in which case it is valid for all users. If the priority is specified by the HSS, one possible priority is ranked according to the strength of the authentication algorithm, from high to low: IMS AKA authentication, Early IMS authentication, HTTP Digest authentication.
  • The HSS sends the queried authentication type with the highest priority to the S-CSCF.
  • the S-CSCF performs authentication according to the received authentication type.
  • The communication system used in the embodiment of the present invention includes a home subscriber server 404 and a serving call session control unit 405. The home subscriber server 404 is configured to read the subscribed authentication types, query the highest-priority authentication type among the authentication types read, and send the highest-priority authentication type to the serving call session control unit 405; the serving call session control unit 405 authenticates the user according to the received authentication type.
  • The system further includes a proxy call session control unit 402, an interrogating call session control unit 403 and a user terminal 401. The user terminal 401 sends a registration message to the proxy call session control unit 402; the proxy call session control unit 402 receives the registration message sent by the user terminal 401 and forwards it to the interrogating call session control unit 403; the interrogating call session control unit 403 sends a user registration status query request message to the home subscriber server 404 according to the received registration message.
  • the embodiment of the invention further provides a home subscriber server, including:
  • a receiving unit, which receives an extended authentication vector request MAR message sent by the serving call session control unit S-CSCF;
  • a determining unit, which determines, according to the received MAR message, that the S-CSCF needs to obtain the authentication type;
  • an obtaining unit, which reads the authentication types subscribed by the user and the corresponding authentication data;
  • a selecting unit, which selects an authentication type from the authentication types subscribed by the user according to the authentication type that the S-CSCF needs to obtain;
  • a sending unit, which sends the selected authentication type and its corresponding authentication data to the S-CSCF.
  • The home subscriber server stores the user's subscription data and authentication data, and the S-CSCF negotiates with the home subscriber server; the home subscriber server selects an authentication type from the authentication types subscribed by the user according to the authentication type that the S-CSCF needs to obtain and sends it to the S-CSCF, so determining the authentication type in the home subscriber server can improve the accuracy of the authentication type determination.
  • the home subscriber server sends the highest priority authentication type to the serving call session control unit according to the preset priority level, so the accuracy of the authentication can be improved.
  • The priority can be set by the home subscriber server, or set by the user according to actual needs, so the flexibility of obtaining the authentication type is improved.
  • the serving call session control unit can request the home subscriber server to obtain the authentication type in a variety of ways, thereby improving the flexibility of adaptation of the present invention.
  • The method may be implemented by a program instructing related hardware, and the program may be stored in a computer-readable storage medium such as a ROM/RAM, a magnetic disk or an optical disk. Alternatively, the units may be fabricated as individual integrated circuit modules, or several of the units or steps may be fabricated as a single integrated circuit module. Thus, the invention is not limited to any specific combination of hardware and software.
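As an added illustration (not the patent's or Huawei's code) of the negotiation described in the embodiment above and in steps 201-204 of the description: the S-CSCF narrows the candidate authentication types from the REGISTER message, builds the extended MAR (repeated SIP-Authentication-Scheme values, or the single value "Unknown"), and the HSS picks the highest-priority type in the intersection with the user's subscribed types, returning nothing when that intersection is empty. The type names, the REGISTER/MAR dict layout, the "AKA" algorithm-name check and the position of NASS-Bundled in the default priority are assumptions.

```python
# Authentication-type negotiation between an S-CSCF and an HSS as described
# in WO2008034377A1.  Added illustrative example: this is not Huawei's code
# and not a Diameter stack; messages are plain dicts.  Assumptions: the AKA
# algorithm name in the Authorization header starts with "AKA", and
# NASS-Bundled is placed last in the HSS-wide default priority (the page
# only orders IMS AKA, Early IMS and HTTP Digest).
from typing import Optional

IMS_AKA = "IMS AKA"
EARLY_IMS = "Early IMS"
HTTP_DIGEST = "HTTP Digest"
NASS_BUNDLED = "NASS-Bundled"
UNKNOWN = "Unknown"  # extended SIP-Authentication-Scheme value from the page

# HSS-wide default priority, strongest algorithm first (page: AKA > Early IMS > Digest).
HSS_DEFAULT_PRIORITY = [IMS_AKA, EARLY_IMS, HTTP_DIGEST, NASS_BUNDLED]


def scscf_candidates(register: dict) -> list:
    """S-CSCF side: narrow the possible authentication types from a REGISTER.

    Rules from the page: an ISIM/AKA first REGISTER always carries an
    Authorization header with the algorithm name; an Early IMS REGISTER never
    carries one; HTTP Digest and NASS-Bundled REGISTERs may or may not.
    """
    auth = register.get("Authorization")
    if auth is None:
        return [EARLY_IMS, HTTP_DIGEST, NASS_BUNDLED]  # cannot be IMS AKA
    if auth.get("algorithm", "").upper().startswith("AKA"):
        return [IMS_AKA]  # fully determined
    return [HTTP_DIGEST, NASS_BUNDLED]  # Authorization present: not Early IMS


def build_mar(private_id: str, candidates: list) -> dict:
    """S-CSCF side: build the extended MAR.

    SIP-Authentication-Scheme may repeat (page: first extension way); when the
    S-CSCF has no information at all it sends the single value "Unknown"
    (page: second extension manner).
    """
    schemes = list(candidates) if candidates else [UNKNOWN]
    return {"User-Name": private_id, "SIP-Authentication-Scheme": schemes}


def hss_select(mar: dict, subscription: dict,
               hss_priority=HSS_DEFAULT_PRIORITY) -> Optional[dict]:
    """HSS side: choose the authentication type and return it with its data.

    subscription = {"types": [...], "priority": [...] or None, "data": {type: ...}}
    Returns None when no subscribed type is acceptable; the S-CSCF then has no
    authentication data and must reject the registration.
    """
    subscribed = list(subscription["types"])
    requested = mar["SIP-Authentication-Scheme"]
    if requested == [UNKNOWN]:
        pool = subscribed  # HSS chooses among everything the user subscribed to
    elif len(requested) == 1:
        # S-CSCF already determined the type: no selection, only a subscription check.
        if requested[0] in subscribed:
            return _auth_data(requested[0], subscription)
        return None
    else:
        pool = [t for t in subscribed if t in requested]  # intersection (page step 202)
    if not pool:
        return None
    order = subscription.get("priority") or hss_priority  # subscriber-specified or HSS-wide
    best = min(pool, key=lambda t: order.index(t) if t in order else len(order))
    return _auth_data(best, subscription)


def _auth_data(auth_type: str, subscription: dict) -> dict:
    """Constructed authentication data; a real HSS returns vectors or credentials."""
    return {"type": auth_type, "data": subscription["data"][auth_type]}


def negotiate(register: dict, private_id: str, subscription: dict) -> Optional[str]:
    """End-to-end: S-CSCF classifies the REGISTER, sends the MAR, HSS selects."""
    result = hss_select(build_mar(private_id, scscf_candidates(register)), subscription)
    return None if result is None else result["type"]


if __name__ == "__main__":
    # Constructed subscription: the user signed up for Early IMS and HTTP Digest only.
    sub = {"types": [HTTP_DIGEST, EARLY_IMS], "priority": None,
           "data": {HTTP_DIGEST: "<digest credentials>", EARLY_IMS: "<IP-based data>"}}
    print(negotiate({}, "user@example.com", sub))  # no Authorization: Early IMS
    print(negotiate({"Authorization": {"username": "u", "algorithm": "MD5"}},
                    "user@example.com", sub))  # Authorization without AKA: HTTP Digest
```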

Abstract

Method of authentication consultation, said method including: when the Serving Call Session Control Function (S-CSCF) cannot determine the authentication kind, it requests the authentication kind from the HSS; the Home Subscriber Server (HSS) receives the extended Multimedia Authentication Request (MAR) from the S-CSCF; the HSS judges the authentication kind required by the S-CSCF according to the MAR; the HSS reads the authentication kinds subscribed by the user and provides the authentication kind it selects from them according to the authentication kind required by the S-CSCF. The invention also provides the system of authentication consultation and the home subscriber server. The invention can improve the veracity and agility of authentication kind judgement.

Description

Authentication negotiation method and system

This application claims priority to Chinese patent application No. 200610127603.3, filed with the Chinese Patent Office on August 29, 2006 and entitled "An authentication negotiation method and a communication system", the entire contents of which are incorporated herein by reference.

Technical field

The present invention relates to the field of communication security technologies, and in particular to an authentication negotiation method and system.

Background technique

In an Internet Protocol Multimedia Subsystem (IMS) network, terminals come in many forms, their capabilities differ and their authentication types differ, so the IMS core network is required to support multiple authentication types. Currently, the authentication types supported by the IMS core network are IMS AKA authentication, Early IMS authentication and HTTP Digest authentication.

A flow chart of an authentication method in the prior art is shown in FIG. 1:
101-102. The user terminal sends a registration message to the Interrogating Call Session Control Function (I-CSCF) through the Proxy Call Session Control Function (P-CSCF);

103. The I-CSCF sends a user status query request message to the Home Subscriber Server (HSS);

104. The HSS returns a user status query response to the I-CSCF;

105. The I-CSCF selects the corresponding Serving Call Session Control Function (S-CSCF) according to the response;

106. After selecting the corresponding S-CSCF, the I-CSCF sends the registration message to the S-CSCF;

107. After receiving the registration message, the S-CSCF sends an authentication vector request to the HSS;

108. The HSS selects the corresponding authentication vector;

109. The HSS returns the selected authentication vector to the S-CSCF;

110-112. The S-CSCF sends an Unauthorized message to the user terminal through the I-CSCF and the P-CSCF, requesting the user to perform authentication;

113-114. The user terminal sends a registration message carrying the RES parameter to the I-CSCF through the P-CSCF;

115-116. The I-CSCF requests the user status from the HSS and receives the HSS's response;

117. The I-CSCF sends the registration message carrying the RES parameter to the S-CSCF;

118. The S-CSCF authenticates the user by comparing the RES parameter in the registration message with the locally stored RES parameter;

119. After the authentication passes, the S-CSCF sends a user registration/deregistration request message to the HSS;

120. The HSS returns a user registration/deregistration response message to the S-CSCF;

121-123. After the user registration/deregistration succeeds, the S-CSCF returns a success confirmation message to the user terminal through the I-CSCF and the P-CSCF.
3GPP TS 24.229 v6.9.0 specifies that the first registration message of an ISIM card user using AKA authentication (such as the registration message sent in step 101 of FIG. 1) always carries an Authorization header field, which carries the user's private identity and the algorithm name.

3GPP TS 33.978 v630 specifies that the registration message of a user using Early IMS authentication never carries an Authorization header field, and an IMS network that supports both IMS AKA authentication and Early IMS authentication determines which authentication the user expects to use by checking whether the registration message carries an Authorization header field.

In the HTTP Digest authentication procedure described in RFC 2617 and RFC 3261, the user's first registration message normally does not carry an Authorization header field. The user's second registration message always carries Authorization, which carries the user's username and the algorithm name.

TISPAN Release 1 does not specify whether the registration message of a fixed-network user carries Authorization, so user equipment that follows TISPAN Release 1 may not carry the Authorization header field when performing NASS-Bundled authentication.

However, the prior art cannot distinguish between the registration messages of Early IMS authentication, HTTP Digest authentication and NASS-Bundled authentication. If the SIP registration message sent by the user does not carry an Authorization header field, the IMS core network cannot know exactly which authentication mode the user expects to use, and therefore cannot request the corresponding authentication data from the HSS.

Summary of the invention
The invention provides an authentication negotiation method and a communication system using the method, for improving the accuracy of authentication type determination.

The invention provides an authentication negotiation method, including:

when the Serving Call Session Control Function (S-CSCF) cannot determine the authentication type and requests the authentication type from the HSS,

the Home Subscriber Server (HSS) receives an extended authentication vector request (MAR) message sent by the S-CSCF;

the HSS determines, according to the received MAR message, that the S-CSCF needs to obtain the authentication type;

the HSS reads the authentication types subscribed by the user, selects an authentication type from the authentication types subscribed by the user according to the authentication type that the S-CSCF needs to obtain, and provides it to the S-CSCF.

The invention provides a home subscriber server, including:

a receiving unit, which receives an extended authentication vector request (MAR) message sent by the Serving Call Session Control Function (S-CSCF);

a determining unit, which determines, according to the received MAR message, that the S-CSCF needs to obtain the authentication type;

an obtaining unit, which reads the authentication types subscribed by the user and the corresponding authentication data;

a selecting unit, which selects an authentication type from the authentication types subscribed by the user according to the authentication type that the S-CSCF needs to obtain;

a sending unit, which sends the selected authentication type and its corresponding authentication data to the S-CSCF.

The invention provides a system with an authentication negotiation function, including a home subscriber server (HSS) and a serving call session control unit (S-CSCF);

the S-CSCF sends an extended authentication vector request (MAR) message;

the HSS is configured to read the authentication types subscribed by the user and select an authentication type among them;

the HSS receives the extended MAR message sent by the S-CSCF and selects an authentication type from the authentication types subscribed by the user according to the authentication type information carried in the extended MAR message;

the HSS sends the selected authentication type and its corresponding authentication data to the S-CSCF;

the S-CSCF authenticates the user according to the received authentication data.

In the technical solution provided by the invention, when the S-CSCF cannot determine the authentication type, the S-CSCF negotiates with the home subscriber server, which stores the user's subscription data and authentication data; the home subscriber server selects an authentication type from the authentication types subscribed by the user according to the authentication type that the S-CSCF needs to obtain, and sends the authentication type to the S-CSCF. Because the home subscriber server determines the authentication type, the accuracy of the authentication type determination is improved.

Brief description of the drawings
FIG. 1 is a signaling flow chart of the prior art;
FIG. 2 is an overall flow chart of the authentication negotiation method in an embodiment of the present invention;
FIG. 3 is a detailed flow chart of the authentication negotiation method in an embodiment of the present invention;
FIG. 4 is a schematic diagram of the system in an embodiment of the present invention.

Detailed Description of the Embodiments
The embodiments of the present invention provide an authentication negotiation method and a communication system using the method, for improving the accuracy of authentication type determination.

Referring to FIG. 2, the overall flow of the authentication negotiation method provided by an embodiment of the present invention is as follows:

201. Read the authentication type;
The HSS reads, from its local data, the authentication types the user subscribed to.

202. Query the authentication type with the highest priority;
The HSS queries, among the authentication types read, the one with the highest priority. If the MAR message carries several authentication types, the HSS queries the highest-priority type within the intersection of that set and the set of authentication types subscribed by the user.

203. Send the authentication data;
The HSS sends the authentication data corresponding to the highest-priority authentication type found to the S-CSCF.
The authentication data contains the authentication type.

204. Perform authentication.
The S-CSCF performs authentication according to the received authentication data.

Referring to FIG. 3, the detailed flow of the authentication negotiation method provided by an embodiment of the present invention is as follows:
301. Obtain a registration message;
The user terminal sends a registration message to the P-CSCF; the P-CSCF forwards the received registration message to the I-CSCF; the I-CSCF sends a user registration status query request message to the HSS; the HSS returns a user registration status query response message to the I-CSCF; the I-CSCF then selects an S-CSCF according to the response message obtained and sends the registration message to that S-CSCF.

302. Determine whether the S-CSCF can determine the authentication type; if it can, go to step 307; if it cannot, go to step 303;
In IMS AKA authentication the first registration message always carries an Authorization header field; in Early IMS authentication the user's registration message never carries an Authorization header field; in HTTP Digest authentication and NASS Bundled authentication the user's registration message may or may not carry an Authorization header field. The S-CSCF therefore cannot always determine which type of authentication the user needs to perform.

303. Request the authentication type;
When the S-CSCF cannot determine the authentication type, it needs to request it from the HSS. In this embodiment the request is made by having the S-CSCF send an extended authentication vector request message (MAR, Multimedia-Auth-Request) to the HSS.
The extension can be implemented in either of the following two ways:

1. Change the attribute of the AVP SIP-Authentication-Scheme in the MAR message to optional. If the parameter is carried, the S-CSCF can determine the authentication type and the HSS does not need to select one; if it is not carried, the S-CSCF cannot determine the authentication type and the HSS needs to select the authentication data corresponding to an authentication type and deliver it.

The MAR message is changed to the format shown in the following table:

Table 1
Element name | AVP mapping | Optional/Mandatory | Description
Authentication scheme | Session Initiation Protocol authentication scheme (SIP-Authentication-Scheme) | Optional | When the S-CSCF needs the HSS to select the authentication type, this parameter shall not be carried; otherwise it shall be carried, and the authentication type is MS [the remainder of the table is an image that is not reproduced]
2. Extend the value set of the AVP SIP-Authentication-Scheme; one possible value is "Unknown", while the AVP itself remains mandatory. This requires both the HSS and the S-CSCF to understand the meaning of "Unknown": a value of "Unknown" indicates that the S-CSCF cannot determine the authentication type.

The MAR message is changed to the format shown in the following table:

Table 2 [table is an image that is not reproduced]
After the MAR message has been extended in either of the two ways above, the S-CSCF sends the MAR message to the HSS, and the HSS determines from the received MAR message that the S-CSCF needs to obtain the authentication type.

In particular, if the S-CSCF can narrow the range of the user's authentication from the user's registration message, for example determine that the user can only use Early IMS authentication or HTTP Digest authentication and not IMS AKA authentication, the S-CSCF can carry the set of possible authentication types in the MAR message, indicating that the HSS may select from the intersection of this set and the set of authentication types supported by the user, which further improves the accuracy of authentication selection.

This MAR message extension can be implemented in any of the following three ways:

1. Allow the AVP SIP-Authentication-Scheme to appear several times in the MAR message. If several instances of the parameter are carried, the S-CSCF has determined that the user may use several authentication types, and the HSS needs to select within that range according to the authentication types supported by the user and deliver the authentication data corresponding to the selected type.

The MAR message is changed to the format shown in Table 3 below:

Table 3
Element name | AVP mapping | Optional/Mandatory | Description
Authentication scheme | Session Initiation Protocol authentication scheme (SIP-Authentication-Scheme) | Mandatory | ... This element may appear several times. When the S-CSCF can determine that the user may use several authentication types, it indicates the set of authentication types the user may use to the HSS by carrying several instances of this element ...
2. Allow the AVP SIP-Auth-Data-Item to appear several times in the MAR message, with the AVP SIP-Authentication-Scheme inside each SIP-Auth-Data-Item being mandatory. When the S-CSCF determines that the user may use several authentication types, it carries several SIP-Auth-Data-Item AVPs and thereby several SIP-Authentication-Scheme AVPs to the HSS, achieving the same purpose as the first extension above.

The MAR message is changed to the format shown in Table 4 below:

Table 4 [table is an image that is not reproduced]
3. Extend the MAR message with a new AVP. For compatibility with an HSS that fully complies with the 3GPP TS 29.228 specification, a new AVP can be added to the MAR message with its 'M' bit set to 0, and several authentication types are conveyed by carrying several instances of this new AVP. The original MAR message need not be modified, and an HSS that does not support the new AVP can ignore it. The extension consists of adding an AVP with exactly the same structure as SIP-Auth-Data-Item, named for example Extended-SIP-Auth-Data-Item, which may appear several times.

The MAR message is extended to the format shown in Table 5 below:

Table 5
Element name | AVP mapping | Optional/Mandatory | Description
Extended authentication data | Extended Session Initiation Protocol authentication data item (Extended-SIP-Auth-Data-Item) | Mandatory | ... This element may appear several times. When the S-CSCF can determine that the user may use several authentication types, it indicates the set of authentication types the user may use to the HSS by carrying several instances of this element ...
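The compatibility argument of the third extension rests on the Diameter rule for unknown AVPs: an AVP with the 'M' bit set that the receiver does not understand is rejected, one with 'M' cleared is skipped. The following is an added example, not code from the patent: a minimal Diameter AVP codec and an HSS-side receive pass that shows a legacy HSS ignoring the new AVP when 'M' is 0 and rejecting the MAR when 'M' is 1. AVP codes 612 (SIP-Auth-Data-Item) and 608 (SIP-Authentication-Scheme) and vendor id 10415 are the 3GPP values from TS 29.229; the code for Extended-SIP-Auth-Data-Item is a placeholder, since the page assigns none, and the scheme strings are sample values.

```python
# Added example (not from the patent): Diameter AVP codec and HSS receive pass
# for extension way 3.  The placeholder AVP code and the scheme strings are
# assumptions made for illustration.
import struct
from typing import Iterator, List, Optional, Set, Tuple

VENDOR_3GPP = 10415                       # 3GPP vendor id (TS 29.229)
AVP_SIP_AUTH_DATA_ITEM = 612              # grouped AVP (TS 29.229)
AVP_SIP_AUTHENTICATION_SCHEME = 608       # UTF8String AVP (TS 29.229)
AVP_EXTENDED_SIP_AUTH_DATA_ITEM = 9999    # PLACEHOLDER: the page assigns no code

FLAG_V = 0x80                             # vendor-specific bit
FLAG_M = 0x40                             # mandatory bit: receiver must understand
DIAMETER_AVP_UNSUPPORTED = 5001           # Result-Code for an unknown M=1 AVP

AvpKey = Tuple[int, int]                  # (vendor id, AVP code)
LEGACY_HSS_KNOWS: Set[AvpKey] = {(VENDOR_3GPP, AVP_SIP_AUTH_DATA_ITEM)}
EXTENDED_HSS_KNOWS: Set[AvpKey] = LEGACY_HSS_KNOWS | {
    (VENDOR_3GPP, AVP_EXTENDED_SIP_AUTH_DATA_ITEM)}


def encode_avp(code: int, data: bytes, mandatory: bool,
               vendor: int = VENDOR_3GPP) -> bytes:
    """Vendor-specific AVP: 4-byte code, 1-byte flags, 3-byte length
    (header + data, padding excluded), 4-byte vendor id, data padded to 4."""
    flags = FLAG_V | (FLAG_M if mandatory else 0)
    length = 12 + len(data)
    header = (struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
              + struct.pack("!I", vendor))
    return header + data + b"\x00" * ((-len(data)) % 4)


def decode_avps(buf: bytes) -> Iterator[Tuple[int, Optional[int], bool, bytes]]:
    """Yield (code, vendor, mandatory, data) for each AVP in buf; reject
    malformed lengths so a bad length field cannot loop or over-read."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack_from("!IB", buf, off)
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        hdr = 12 if flags & FLAG_V else 8
        if length < hdr or off + length > len(buf):
            raise ValueError("malformed AVP length")
        vendor = struct.unpack_from("!I", buf, off + 8)[0] if hdr == 12 else None
        yield code, vendor, bool(flags & FLAG_M), buf[off + hdr:off + length]
        off += length + ((-length) % 4)


def scheme_item(scheme: str, code: int, mandatory: bool) -> bytes:
    """Grouped item (SIP-Auth-Data-Item or its extended twin) holding one
    mandatory SIP-Authentication-Scheme, as extension ways 2 and 3 describe."""
    inner = encode_avp(AVP_SIP_AUTHENTICATION_SCHEME, scheme.encode("utf-8"),
                       mandatory=True)
    return encode_avp(code, inner, mandatory=mandatory)


def build_mar_avps(standard_scheme: str, extra_schemes: List[str],
                   extended_mandatory: bool = False) -> bytes:
    """MAR payload of extension way 3: one ordinary SIP-Auth-Data-Item plus one
    Extended-SIP-Auth-Data-Item per further candidate type (M=0 by default)."""
    out = scheme_item(standard_scheme, AVP_SIP_AUTH_DATA_ITEM, mandatory=True)
    for s in extra_schemes:
        out += scheme_item(s, AVP_EXTENDED_SIP_AUTH_DATA_ITEM,
                           mandatory=extended_mandatory)
    return out


def hss_collect_schemes(buf: bytes, known: Set[AvpKey]
                        ) -> Tuple[Optional[int], List[str]]:
    """HSS receive side: (error Result-Code or None, candidate scheme list).
    An unknown AVP is skipped when M=0 and rejected when M=1."""
    schemes: List[str] = []
    for code, vendor, mandatory, data in decode_avps(buf):
        if (vendor, code) in known:
            for c, v, _m, d in decode_avps(data):
                if (v, c) == (VENDOR_3GPP, AVP_SIP_AUTHENTICATION_SCHEME):
                    schemes.append(d.decode("utf-8"))
        elif mandatory:
            return DIAMETER_AVP_UNSUPPORTED, []
    return None, schemes


if __name__ == "__main__":
    mar = build_mar_avps("Digest-AKAv1-MD5", ["Early-IMS-Security", "SIP Digest"])
    print("legacy HSS  :", hss_collect_schemes(mar, LEGACY_HSS_KNOWS))
    print("extended HSS:", hss_collect_schemes(mar, EXTENDED_HSS_KNOWS))
```

With the 'M' bit cleared the legacy HSS sees only the standard item and proceeds; the same message with 'M' set would be rejected with Result-Code 5001, which is the behaviour the third extension avoids.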
304. Read the authentication type;
Since the authentication types and authentication data supported by the user are stored in the HSS at subscription time, the HSS knows which authentication methods the user supports. When the S-CSCF cannot obtain the user's authentication type from the registration message, the HSS retrieves all locally stored authentication types supported by the user.

305. Query the authentication type with the highest priority;
The HSS queries the highest-priority type among all authentication types supported by the user; if the user supports only one authentication type, that type has the highest priority by default.
If the S-CSCF has specified, through the extended MAR message described above, the set of authentication types the user may use, the HSS selects from the intersection of that set and the set of all authentication types supported by the user.
The priority can be specified by the user at subscription time, or it can be specified by the HSS, in which case it applies to all users. If the HSS specifies the priority, one possible ordering is by the strength of the authentication algorithm, from high to low: IMS AKA authentication, Early IMS authentication, HTTP Digest authentication.

306. Send the authentication type;
The HSS sends the highest-priority authentication type found to the S-CSCF.

307. Perform authentication.
The S-CSCF performs authentication according to the received authentication type.
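The selection rule of steps 303 to 306, as an added example that is not part of the patent text: the three ways the extended MAR can signal what the S-CSCF knows (AVP absent, the value "Unknown", or a candidate set), the intersection with the subscription, and the priority tie-break. Type labels, the HSS-wide priority order beyond the three types the page ranks, and the sample subscriptions are assumptions.

```python
# Added example (not from the patent): HSS-side authentication type selection.
# Type labels, the rank of NASS Bundled and the sample data are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

# Authentication types as the page names them (labels constructed here).
IMS_AKA = "IMS AKA"
EARLY_IMS = "Early IMS"
HTTP_DIGEST = "HTTP Digest"
NASS_BUNDLED = "NASS Bundled"

# Extension way 2: reserved SIP-Authentication-Scheme value meaning
# "the S-CSCF could not determine the type".
UNKNOWN = "Unknown"

# HSS-wide priority, strongest algorithm first as the page suggests.
# NASS Bundled is ranked last by assumption; the page does not rank it.
HSS_DEFAULT_PRIORITY: List[str] = [IMS_AKA, EARLY_IMS, HTTP_DIGEST, NASS_BUNDLED]


@dataclass
class Subscription:
    """What the HSS holds for one user (read in step 304)."""
    schemes: Sequence[str]                    # subscribed authentication types
    auth_data: Dict[str, str]                 # type -> authentication data (sample)
    priority: Optional[Sequence[str]] = None  # per-user order, else HSS default


@dataclass
class MAR:
    """The SIP-Authentication-Scheme values the extended MAR carries.
    None: AVP absent (way 1).  ["Unknown"]: way 2.  Several values: the
    candidate set of the second group of extensions.  One known value:
    the S-CSCF determined the type itself."""
    schemes: Optional[Sequence[str]] = None


class SelectionError(Exception):
    """No authentication type can be returned for this MAR."""


def scscf_needs_selection(mar: MAR) -> bool:
    """Step 303 / claim 5: does the HSS have to choose the type?"""
    if not mar.schemes:
        return True                     # AVP absent
    if UNKNOWN in mar.schemes:
        return True                     # explicit "Unknown"
    return len(mar.schemes) > 1         # narrowed to a set, not a single type


def select_auth_type(mar: MAR, sub: Subscription) -> str:
    """Steps 304-305: intersect the subscription with any candidate set the
    S-CSCF supplied, then take the highest-priority remaining type."""
    candidates = set(sub.schemes)
    restriction = {s for s in (mar.schemes or []) if s != UNKNOWN}
    if restriction:
        candidates &= restriction
    if not candidates:
        raise SelectionError("no subscribed type within the S-CSCF candidate set")
    order = list(sub.priority) if sub.priority else HSS_DEFAULT_PRIORITY
    ranked = [s for s in order if s in candidates]
    if not ranked:
        raise SelectionError("candidate types carry no priority ranking")
    return ranked[0]


def handle_mar(mar: MAR, sub: Subscription) -> Tuple[str, str]:
    """Step 306: the (authentication type, authentication data) pair the HSS
    returns.  When the S-CSCF already fixed the type, the HSS only checks
    that it is subscribed; otherwise it selects."""
    if scscf_needs_selection(mar):
        scheme = select_auth_type(mar, sub)
    else:
        scheme = mar.schemes[0]
        if scheme not in sub.schemes:
            raise SelectionError(f"{scheme} is not subscribed by this user")
    return scheme, sub.auth_data[scheme]


if __name__ == "__main__":
    # Constructed subscription: three types, HSS default priority.
    user = Subscription(schemes=[HTTP_DIGEST, EARLY_IMS, IMS_AKA],
                        auth_data={IMS_AKA: "AV-1", EARLY_IMS: "IP-1",
                                   HTTP_DIGEST: "HA1-1"})
    for m in (MAR(None), MAR([UNKNOWN]), MAR([EARLY_IMS, HTTP_DIGEST])):
        print(m.schemes, "->", handle_mar(m, user))
```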
Referring to FIG. 4, the communication system used in an embodiment of the present invention comprises a home subscriber server 404 and a serving call session control unit 405. The home subscriber server 404 is configured to read the subscribed authentication types, query the highest-priority authentication type among the types read, and send that highest-priority authentication type to the serving call session control unit 405; the serving call session control unit 405 authenticates the user according to the received authentication type.

The system further comprises a proxy call session control unit 402, an interrogating call session control unit 403 and a user terminal 401. The user terminal 401 sends a registration message to the proxy call session control unit 402; the proxy call session control unit 402 receives the registration message sent by the user terminal 401 and forwards it to the interrogating call session control unit 403; the interrogating call session control unit 403 sends a user registration status query request message to the home subscriber server 404 according to the received registration message.

An embodiment of the present invention further provides a home subscriber server, comprising:
a receiving unit, which receives the extended authentication vector request MAR message sent by the serving call session control unit S-CSCF;
a determining unit, which determines from the received MAR message that the S-CSCF needs to obtain the authentication type;
an obtaining unit, which reads the authentication types subscribed by the user and their corresponding authentication data;
a selecting unit, which selects an authentication type from the user's subscribed authentication types according to the authentication type the S-CSCF needs to obtain;
a sending unit, which sends the selected authentication type and its corresponding authentication data to the S-CSCF.

As the technical solution of the above embodiments shows, when the serving call session control unit S-CSCF cannot determine the authentication type, the S-CSCF negotiates with the home subscriber server, which stores the user's subscription data and authentication data: the home subscriber server selects an authentication type from the user's subscribed authentication types according to the authentication type the S-CSCF needs to obtain and sends it to the S-CSCF. Because the home subscriber server determines the authentication type, the accuracy of authentication type determination is improved. Moreover, when the user supports several authentication types, the home subscriber server sends the highest-priority type to the serving call session control unit according to a preset priority level, so the accuracy of authentication is improved. The priority can be set by the home subscriber server or by the user according to actual needs, which makes obtaining the authentication type more flexible.

In addition, the serving call session control unit can request the authentication type from the home subscriber server in several ways, which makes the present invention more adaptable.

Those skilled in the art will understand that all or some of the units or steps in the above embodiments may be implemented by a program instructing related hardware, the program being stored in a computer-readable storage medium such as a ROM/RAM, a magnetic disk or an optical disc; alternatively, they may each be made into individual integrated circuit modules, or several of the units or steps may be made into a single integrated circuit module. Thus the present invention is not limited to any particular combination of hardware and software.

The authentication negotiation method and the communication system provided by the present invention have been described in detail above [text missing]; the description of the above embodiments is only intended to help understand the method of the present invention and its core idea. Moreover, those of ordinary skill in the art may, following the idea of the present invention, make changes in the specific implementation and in the scope of application. In summary, the content of this specification should not be understood as limiting the present invention.

Claims

1. An authentication negotiation method, characterized by comprising:
when the serving call session control unit S-CSCF cannot determine the authentication type and requests the authentication type from the HSS,
the home subscriber server HSS receiving an extended authentication vector request MAR message sent by the S-CSCF;
the HSS determining, according to the received MAR message, that the S-CSCF needs to obtain the authentication type;
the HSS reading the authentication types subscribed by the user, selecting an authentication type from the user's subscribed authentication types according to the authentication type the S-CSCF needs to obtain, and providing it to the S-CSCF.

2. The authentication negotiation method according to claim 1, characterized in that selecting the authentication type according to the authentication type the S-CSCF needs to obtain comprises:
the HSS selecting an authentication type from the intersection of the several authentication types carried in the MAR message and the set of authentication types subscribed by the user, and providing that type to the S-CSCF.

3. The authentication negotiation method according to claim 1 or 2, characterized by further comprising:
sending the authentication data corresponding to the selected authentication type to the serving call session control unit S-CSCF;
the serving call session control unit authenticating the user according to the received authentication data.

4. The authentication negotiation method according to claim 1 or 2, characterized in that the selected authentication type is the authentication type with the highest priority.

5. The authentication negotiation method according to claim 1, characterized by further comprising: after receiving the extended MAR message, the HSS determining, according to the attribute parameters carried in the MAR message, whether the S-CSCF can determine the authentication type;
if the S-CSCF cannot determine the authentication type, the HSS obtaining all locally stored authentication types supported by the user, selecting from them an authentication type and its corresponding authentication data, and sending them to the S-CSCF.

6. The authentication negotiation method according to claim 5, characterized in that the selected authentication type is the authentication type with the highest priority.

7. The authentication negotiation method according to claim 1, characterized in that the step of extending the authentication vector request MAR message comprises:
setting the authentication scheme element AVP SIP-Authentication-Scheme in the MAR message to mandatory and allowing it to appear several times; and/or
setting the authentication data AVP SIP-Auth-Data-Item in the MAR message to mandatory and allowing it to appear several times; and/or
extending the MAR message with a new authentication parameter AVP; and/or
extending the value range of the authentication parameter AVP SIP-Authentication-Scheme.
8. A system with an authentication negotiation function, comprising a home subscriber server HSS and a serving call session control unit S-CSCF, characterized in that:
the serving call session control unit S-CSCF sends an extended authentication vector request MAR message;
the home subscriber server HSS is configured to read the authentication types subscribed by the user and to select an authentication type from among them;
the home subscriber server HSS receives the extended authentication vector request MAR message sent by the S-CSCF and selects an authentication type from the user's subscribed authentication types according to the authentication type information carried in the extended MAR message;
the home subscriber server HSS sends the selected authentication type and its corresponding authentication data to the serving call session control unit S-CSCF;
the serving call session control unit authenticates the user according to the received authentication data.

9. The system according to claim 8, characterized by further comprising a proxy call session control unit, an interrogating call session control unit and a user terminal;
the user terminal sends a registration message to the proxy call session control unit;
the proxy call session control unit receives the registration message sent by the user terminal and forwards it to the interrogating call session control unit;
the interrogating call session control unit sends a user registration status query request message to the home subscriber server according to the received registration message.

10. A home subscriber server, characterized by comprising:
a receiving unit, which receives the extended authentication vector request MAR message sent by the serving call session control unit S-CSCF;
a determining unit, which determines from the received MAR message that the S-CSCF needs to obtain the authentication type;
an obtaining unit, which reads the authentication types subscribed by the user and their corresponding authentication data;
a selecting unit, which selects an authentication type from the user's subscribed authentication types according to the authentication type the S-CSCF needs to obtain;
a sending unit, which sends the selected authentication type and its corresponding authentication data to the S-CSCF.
PCT/CN2007/070572 2006-08-29 2007-08-28 Method and system of authentication consultation WO2008034377A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200610127603A CN100591012C (en) 2006-08-29 2006-08-29 Authentication consultation method and communication system
CN200610127603.3 2006-08-29

Publications (1)

Publication Number Publication Date
WO2008034377A1 true WO2008034377A1 (en) 2008-03-27

Family

ID=37722223

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2007/070572 WO2008034377A1 (en) 2006-08-29 2007-08-28 Method and system of authentication consultation

Country Status (2)

Country Link
CN (1) CN100591012C (en)
WO (1) WO2008034377A1 (en)


Also Published As

Publication number Publication date
CN100591012C (en) 2010-02-17
CN1913438A (en) 2007-02-14


Legal Events

Code | Title | Description
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 07801004; Country of ref document: EP; Kind code of ref document: A1
NENP | Non-entry into the national phase | Ref country code: DE
NENP | Non-entry into the national phase | Ref country code: RU
122 | Ep: pct application non-entry in european phase | Ref document number: 07801004; Country of ref document: EP; Kind code of ref document: A1