
CN102065069A - Method and system for authenticating identity and device - Google Patents

Info

Publication number: CN102065069A
Authority: CN (China)
Prior art keywords: key information, user equipment, ims domain, identity, application server
Legal status: Granted; currently active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to its accuracy)
Application number: CN 200910237819
Other languages: Chinese (zh)
Other versions: CN102065069B (en)
Inventor: 彭华熹
Current assignee: China Mobile Communications Group Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: China Mobile Communications Group Co Ltd

Events: application filed by China Mobile Communications Group Co Ltd; priority to CN 200910237819; publication of CN102065069A; application granted; publication of CN102065069B.

Landscapes

  • Telephonic Communication Services (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

An embodiment of the invention discloses an identity authentication method. The method comprises: receiving the identity of a user equipment (UE) submitted by an application server in the non-IMS (IP Multimedia Subsystem) domain, and querying by that identity whether corresponding key information exists and is within its validity period; if it does, querying whether the UE is registered in the IMS domain and, if so, returning the key information and its validity period to the application server in the non-IMS domain, so that the application server in the non-IMS domain uses the key information and its validity period to perform identity authentication with the UE. The embodiment achieves unified authentication and state synchronization between IMS applications and non-IMS applications. The embodiment of the invention also discloses a device and a system applying the method.

Description

An identity authentication method, device and system

Technical field

The present invention relates to the field of communication technology, and in particular to an identity authentication method, device and system.

Background

With the development of communication networks and the push of diverse communication services, 3GPP (3rd Generation Partnership Project) introduced the IMS (IP Multimedia Subsystem) architecture, which provides a standardized open structure for implementing a wide variety of IP (Internet Protocol) multimedia applications and a richer service experience.

3GPP also introduced the ISIM (IMS Subscriber Identity Module) for IMS access. The entities involved include the CSCF (Call Session Control Function) and the HSS (Home Subscriber Server). The CSCF comprises three logical entities, the Serving CSCF (S-CSCF), the Proxy CSCF (P-CSCF) and the Interrogating CSCF (I-CSCF); these may reside on different physical devices or be different functional modules within one physical device. The S-CSCF is the service switching center of the IMS: it performs session control, maintains session state, manages user information and generates charging information. The P-CSCF is the access point through which terminal users reach the IMS; it handles user registration, QoS (Quality of Service) control and security management. The I-CSCF is responsible for coordination and management between IMS domains, S-CSCF allocation, hiding the network topology and configuration from the outside, and generating charging data. The HSS stores user subscription data to support the handling of calls and sessions by network entities; the ISIM data is stored in the HSS.

With the introduction of the IMS, more and more service platforms are carried on it, using its features to provide rich services such as calls and video conferencing. In an IMS service the UE (User Equipment) must interact with the service platform AS (Application Server) through SIP (Session Initiation Protocol) messages, but while interacting with the AS the UE also needs to interact with servers in the non-IMS domain. For example, after logging in to the IMS, an IMS enterprise communication assistant client still needs to access the group management server (XDMS) to obtain the user's group information. The XDMS can only interact directly with the terminal (client) using XCAP (XML Configuration Access Protocol) carried over HTTP (Hypertext Transfer Protocol) 1.1; this communication cannot pass through the IMS Core (IP Multimedia Subsystem core network), so the XDMS server must first confirm the user's identity before any XML (Extensible Markup Language) document operation can be initiated. Likewise, after logging in to the IMS, an IMS client needs to access the self-service portal website, and that access also uses HTTP to interact directly with the client without passing through the IMS Core; the server must first confirm the user's identity before it can present a personalized display.

In the course of realizing the present invention, the inventor found that the prior art has at least the following defects:

The authentication mechanisms of the IMS domain and the non-IMS domain differ. In the IMS domain, authentication mainly uses IMS Digest and IMS AKA (Authentication and Key Agreement), and all authentication messages are carried in SIP messages; non-IMS applications mainly use protocols such as HTTP Digest, GBA (Generic Bootstrapping Architecture) and TLS (Transport Layer Security). This difference in protocols means the applications cannot interwork. In the IMS domain, user subscription and authentication data are mainly stored in the IMS HSS; the HSS is a core network element and its authentication data cannot be accessed by third-party non-IMS domain applications, so such applications cannot authenticate the user. As a result, IMS domain applications and non-IMS domain applications cannot share authentication state, and unified authentication is not achieved.

Summary of the invention

Embodiments of the present invention provide an identity authentication method, device and system for achieving unified authentication and state synchronization between IMS applications and non-IMS applications.

An embodiment of the present invention provides an identity authentication method comprising the following steps:

receiving the identity of a user equipment submitted by a non-IMS (IP Multimedia Subsystem) domain application server, and querying, according to the identity, whether key information corresponding to the identity exists and is within its validity period;

if key information corresponding to the identity exists and is within its validity period, querying whether the user equipment is in the registered state in the IMS domain, and if the query result is yes, returning the key information and its validity period to the non-IMS domain application server, so that the non-IMS domain application server uses the key information and its validity period to perform identity authentication with the user equipment.

Preferably, before receiving the identity of the user equipment submitted by the non-IMS domain application server, the method further comprises:

receiving a Session Initiation Protocol (SIP) message from the user equipment and obtaining the registration parameter carried in the SIP message, the registration parameter having been generated by the user equipment from the public key;

decrypting the obtained registration parameter with the private key held locally and, if decryption succeeds, storing the key information corresponding to the identity of the user equipment and returning a registration success message to the user equipment, so that the user equipment stores the key information and uses it to access the non-IMS domain application server.

Preferably, before receiving the SIP message from the user equipment, the method further comprises:

the user equipment performing the IMS authentication procedure and registering in the IMS domain;

when the user equipment accesses a non-IMS domain application, checking whether key information exists locally and, if not, randomly generating key information, generating the registration parameter from the key information and the public key, and sending the registration parameter in a SIP message.

Preferably, before the user equipment generates the registration parameter from the key information and the public key, the method further comprises:

generating a public/private key pair, storing the private key of the pair, and publishing the public key of the pair to the user equipment.

Preferably, the user equipment accessing the non-IMS domain application server according to the key information specifically comprises:

the user equipment sending an access request to the non-IMS domain application server and receiving the challenge message returned by the non-IMS domain application server;

the user equipment returning a challenge response message to the non-IMS domain application server based on its own identity and the key information.

Preferably, the non-IMS domain application server using the key information and its validity period to perform identity authentication with the user equipment specifically comprises:

the non-IMS domain application server using the key information to verify whether the challenge response message from the user equipment is correct and, if so, returning an authentication success message to the user equipment;

the user equipment receiving the authentication success message from the non-IMS domain application server and verifying whether the authentication information it contains is correct; if so, mutual authentication with the non-IMS domain application server is complete and the user equipment interacts with it over a secure channel.

An embodiment of the present invention also provides an authentication gateway comprising:

a receiving module for receiving the identity of a user equipment submitted by a non-IMS domain application server;

a query module for querying, according to the identity received by the receiving module, whether key information corresponding to the identity exists and is within its validity period, and, when it does, querying whether the user equipment is in the registered state in the IMS domain;

a sending module for returning the key information and its validity period to the non-IMS domain application server when the query module finds that the user equipment is registered in the IMS domain, so that the non-IMS domain application server uses the key information and its validity period to perform identity authentication with the user equipment.

Preferably, the receiving module is further configured to receive a SIP message from the user equipment and obtain the registration parameter carried in it, the registration parameter having been generated by the user equipment from the public key;

and the authentication gateway further comprises:

a decryption module for decrypting the registration parameter obtained by the receiving module with the private key held locally;

the sending module being further configured, when the decryption module decrypts successfully, to store the key information corresponding to the identity of the user equipment and return a registration success message to the user equipment, so that the user equipment stores the key information and uses it to access the non-IMS domain application server.

Preferably, the authentication gateway further comprises:

a generation module for generating a public/private key pair, storing the private key of the pair for use by the decryption module, and publishing the public key of the pair to the user equipment.

An embodiment of the present invention also provides an identity authentication system comprising:

a user equipment for sending an access request to a non-IMS domain application server, receiving the challenge message returned by it, and returning a challenge response message to it based on its own identity and the key information;

a non-IMS domain application server for submitting the identity of the user equipment to an authentication gateway, receiving the key information and its validity period from the authentication gateway, and using the key information and its validity period to perform identity authentication with the user equipment;

an authentication gateway for receiving the identity of the user equipment submitted by the non-IMS domain application server, querying according to the identity whether key information corresponding to the identity exists and is within its validity period and, if so, querying whether the user equipment is in the registered state in the IMS domain and, if the query result is yes, returning the key information and its validity period to the non-IMS domain application server.

Preferably, the authentication gateway is further configured to receive a Session Initiation Protocol (SIP) message from the user equipment and obtain the registration parameter carried in it, the registration parameter having been generated by the user equipment from the public key; to decrypt the obtained registration parameter with the private key held locally; and, if decryption succeeds, to store the key information corresponding to the identity of the user equipment and return a registration success message to the user equipment, so that the user equipment stores the key information and uses it to access the non-IMS domain application server.

Preferably, the user equipment is further configured to perform the IMS authentication procedure and register in the IMS domain and, when accessing a non-IMS domain application, to check whether key information exists locally and, if not, to randomly generate key information, generate the registration parameter from the key information and the public key, and send the registration parameter in a SIP message.

Compared with the prior art, embodiments of the present invention have the following advantages: they reuse the existing security mechanism of the IMS to provide security services to the service layer, strengthening security between the UE and the AS without becoming a security bottleneck of the system; and within the validity period of the key information the registration procedure need not be repeated, which improves service execution efficiency.

Brief description of the drawings

To illustrate the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art could obtain other drawings from them without creative effort.

Fig. 1 is a flow chart of an identity authentication method in an embodiment of the present invention;

Fig. 2 is a flow chart of identity authentication in an application scenario of an embodiment of the present invention;

Fig. 3 is a flow chart of AUG registration in an application scenario of an embodiment of the present invention;

Fig. 4 is a schematic structural diagram of an authentication gateway in an embodiment of the present invention;

Fig. 5 is a schematic structural diagram of an identity authentication system in an embodiment of the present invention.

Detailed description of the embodiments

The core idea of the technical solution provided by embodiments of the present invention is to add an AUG (authentication gateway) network element to the system. The AUG has a SIP interface to the CSCF of the IMS domain and an HTTP interface to the AS of the non-IMS domain. The AUG receives the identity of a user equipment submitted by the non-IMS domain application server and queries, according to the identity, whether key information corresponding to the identity exists and is within its validity period; if so, it queries whether the user equipment is in the registered state in the IMS domain and, if the query result is yes, returns the key information and its validity period to the non-IMS domain application server, so that the non-IMS domain application server uses the key information and its validity period to perform identity authentication with the user equipment.

The technical solutions of the embodiments of the present invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.

Fig. 1 is a flow chart of an identity authentication method in an embodiment of the present invention, comprising the following steps:

Step 101: receive the identity of a user equipment submitted by a non-IMS domain application server and query, according to the identity, whether key information corresponding to the identity exists and is within its validity period. If key information corresponding to the identity exists and is within its validity period, go to step 103; otherwise go to step 102.

Specifically, the authentication gateway generates a public/private key pair in advance, stores the private key of the pair and publishes the public key of the pair to the user equipment.

The user equipment performs the IMS authentication procedure and registers in the IMS domain. When the user equipment accesses a non-IMS domain application, it checks whether key information exists locally; if not, it randomly generates key information, generates the registration parameter from the key information and the public key, and sends the registration parameter in a SIP message.

The authentication gateway receives the SIP message from the user equipment and obtains the registration parameter carried in it, the registration parameter having been generated by the user equipment from the public key. It decrypts the obtained registration parameter with the private key it holds; if decryption succeeds, it stores the key information corresponding to the identity of the user equipment and returns a registration success message to the user equipment, so that the user equipment stores the key information and uses it to access the non-IMS domain application server.

The user equipment accessing the non-IMS domain application server according to the key information specifically comprises: the user equipment sends an access request to the non-IMS domain application server and receives the challenge message it returns; the user equipment then returns a challenge response message to the non-IMS domain application server based on its own identity and the key information.

Step 102: return an error message to the non-IMS domain application server.

Step 103: query whether the user equipment is in the registered state in the IMS domain.

If the query result is yes, go to step 104; otherwise go to step 102.

Step 104: return the key information and its validity period to the non-IMS domain application server, so that the non-IMS domain application server uses the key information and its validity period to perform identity authentication with the user equipment.

Specifically, the non-IMS domain application server using the key information and its validity period to perform identity authentication with the user equipment comprises: the non-IMS domain application server uses the key information to verify whether the challenge response message from the user equipment is correct and, if so, returns an authentication success message to the user equipment; the user equipment receives the authentication success message from the non-IMS domain application server and verifies whether the authentication information it contains is correct; if so, mutual authentication with the non-IMS domain application server is complete and the user equipment interacts with it over a secure channel.
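The registration preliminaries and steps 101 to 104 above, written out as an added Go example (this is not code from the patent or from China Mobile): the AUG generates an RSA key pair in advance, the UE seals a freshly generated random key under the AUG public key as its registration parameter, the AUG decrypts that parameter with its private key and stores the key together with a validity period, and the query from the non-IMS application server walks the three checks the method prescribes (key present, key unexpired, UE registered in the IMS domain) and returns either the key with its expiry or an error. RSA-OAEP, the 32-byte key, the one-hour validity period, the identities and the HSS represented as an in-memory map are all assumptions of the example; the SIP and HTTP transports are left out.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// oaepLabel ties the ciphertext to its purpose; a constructed value for this example.
var oaepLabel = []byte("aug-registration")

// KeyRecord is what the AUG stores per identity (IMPU) after a successful registration.
type KeyRecord struct {
	Key     []byte
	Expires time.Time
}

// AUG models the authentication gateway. hss is a constructed stand-in for the
// HSS query of step 103 (true means the UE is registered in the IMS domain).
type AUG struct {
	priv    *rsa.PrivateKey
	records map[string]KeyRecord
	hss     map[string]bool
	now     func() time.Time
}

// NewAUG generates the gateway's key pair in advance, as the description requires.
func NewAUG(hss map[string]bool, now func() time.Time) (*AUG, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &AUG{priv: priv, records: map[string]KeyRecord{}, hss: hss, now: now}, nil
}

// PublicKey is the half of the pair the AUG publishes to user equipment.
func (a *AUG) PublicKey() *rsa.PublicKey { return &a.priv.PublicKey }

// MakeRegistrationParam is the UE side: a freshly generated random key sealed
// under the AUG public key so that only the AUG can recover it. RSA-OAEP and the
// 32-byte key are assumptions; the patent only says the parameter is derived
// from the key information and the public key.
func MakeRegistrationParam(pub *rsa.PublicKey) (key, param []byte, err error) {
	key = make([]byte, 32)
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	param, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, oaepLabel)
	return key, param, err
}

// Register handles the registration parameter carried in the UE's SIP message:
// decrypt with the private key and store the key with an expiry only on success.
func (a *AUG) Register(impu string, param []byte, ttl time.Duration) error {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, a.priv, param, oaepLabel)
	if err != nil {
		return fmt.Errorf("registration for %s rejected: %w", impu, err)
	}
	a.records[impu] = KeyRecord{Key: key, Expires: a.now().Add(ttl)}
	return nil
}

var (
	ErrNoKey         = errors.New("no key information within its validity period for this identity")
	ErrNotRegistered = errors.New("user equipment is not registered in the IMS domain")
)

// Query is what the non-IMS application server calls with the UE identity (steps 101 to 104).
func (a *AUG) Query(impu string) (KeyRecord, error) {
	rec, ok := a.records[impu]
	if !ok || !a.now().Before(rec.Expires) {
		return KeyRecord{}, ErrNoKey // step 102: no key, or key expired
	}
	if !a.hss[impu] {
		return KeyRecord{}, ErrNotRegistered // step 103 failed, so step 102
	}
	return rec, nil // step 104: key and validity period go back to the AS
}

func main() {
	aug, err := NewAUG(map[string]bool{"sip:alice@example.com": true}, time.Now) // constructed HSS state
	if err != nil {
		panic(err)
	}
	key, param, err := MakeRegistrationParam(aug.PublicKey())
	if err != nil {
		panic(err)
	}
	if err := aug.Register("sip:alice@example.com", param, time.Hour); err != nil {
		panic(err)
	}
	rec, err := aug.Query("sip:alice@example.com")
	fmt.Printf("alice: err=%v sameKey=%v expires=%s\n", err, string(rec.Key) == string(key), rec.Expires.Format(time.RFC3339))
	_, err = aug.Query("sip:nobody@example.com")
	fmt.Println("nobody:", err)
}
```

The two error values are deliberately distinct so that the AS can tell "no usable key, the UE must re-register" from "the UE has dropped out of the IMS domain", while the AS never sees the key unless both the validity and the IMS registration checks pass, which is the state-synchronization property the description claims.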

Embodiments of the present invention reuse the existing security mechanism of the IMS to provide security services to the service layer, strengthening security between the UE and the AS without becoming a security bottleneck of the system; within the validity period of the key information the registration procedure need not be repeated, which improves service execution efficiency.

The identity authentication method in the embodiments of the present invention is described in detail below with reference to a specific application scenario.

Fig. 2 is a flow chart of identity authentication in an application scenario of an embodiment of the present invention, which comprises the following steps:

Step 201: the UE starts a non-IMS client to access the non-IMS domain application server AS2 and sends an HTTP Request message to AS2.

The non-IMS domain application server AS2 may be an HTTP server; the HTTP Request message does not pass through the IMS core.

Step 202: AS2 initiates HTTP Digest mutual authentication and returns challenge information to the UE.

Specifically, on receiving the HTTP Request message, AS2 requires HTTP Digest mutual authentication with the UE and returns a 401 Unauthorized HTTP Digest challenge message; the WWW-Authenticate header of the challenge message contains AS2's challenge to the UE.

Step 203: the UE returns a challenge response message to AS2.

Specifically, the UE computes the response using its IMPU (IP Multimedia Public Identity) as the username and the key as the password, and returns a challenge response message containing the response in an HTTP request; the Authorization header of that message contains the UE's challenge response.

Step 204: AS2 submits the IMPU to the AUG and queries the state in the IMS domain of the UE corresponding to the IMPU, together with the related key information.

Step 205: the AUG looks up by IMPU whether the UE has registered locally and whether the key is within its validity period. If so, go to step 206; otherwise return an error message to AS2.

Step 206: the AUG queries the HSS whether the registration status of the UE is registered. If so, go to step 207; if not, return an error message to AS2.

Step 207: the AUG returns the key and the key validity period to AS2.

Step 208: AS2 uses the key to verify whether the response in the challenge response message from the UE is correct; if so, go to step 210; otherwise return an error message to the UE.

Step 209: AS2 returns an authentication success message to the UE.

Specifically, if AS2 verifies that the response is correct, the UE's access has been approved; AS2 computes its own challenge response and returns a 200 OK message to the UE, the Authentication-Info header of which contains AS2's challenge response.

Step 210: the UE verifies whether the authentication success message is correct; if so, go to step 211; otherwise return an error message to AS2.

Specifically, the UE verifies whether the Authentication-Info header is correct.

Step 211: the UE and AS2 have completed mutual authentication and interact over the secure channel of HTTP Digest.

本发明实施例利用IMS的已有安全机制,为业务层提供安全服务,增强了UE与AS之间的安全性,且不会成为系统的安全瓶颈;在密钥信息的有效期内,不需要重复执行注册过程,提高了业务执行效率。The embodiment of the present invention utilizes the existing security mechanism of IMS to provide security services for the service layer, which enhances the security between UE and AS, and will not become a security bottleneck of the system; within the validity period of the key information, there is no need to repeat Executing the registration process improves the efficiency of business execution.

Before the above application scenario, the UE must first register with the AUG in order to access the non-IMS domain application server. Figure 3 is a flow chart of AUG registration in the application scenario of the embodiment of the present invention; it comprises the following steps:

Step 301: the UE starts the IMS client, executes the IMS authentication procedure and performs IMS registration.

Specifically, the user opens the IMS client and logs in to the IMS network; the IMS client executes the IMS authentication procedure among the UE, the CSCF and the HSS, and completes IMS registration.

Step 302: the UE interacts with the IMS application server AS1.

Step 303: the IMS client of the UE triggers access to a non-IMS application.

Step 304: the UE checks whether a key exists locally and is within its validity period. If so, step 310 is executed; otherwise step 305 is executed.

Step 305: the UE randomly generates a key and encrypts it with the AUG's PubKey (public key) to produce Ekey = E(PubKey, key).

Here E is the RSA encryption algorithm. The AUG generates in advance a 1024-bit RSA (Rivest-Shamir-Adleman, public key algorithm) key pair consisting of PriKey (private key) and PubKey; the AUG keeps PriKey secret and publishes PubKey to the IMS client, where it is pre-provisioned in the UE.

Step 306: the UE sends Ekey to the AUG as a parameter of the AUG registration message in a SIP message, requesting AUG registration.

Step 307: the AUG decrypts Ekey with PriKey. If decryption succeeds, step 309 is executed; otherwise an error message is returned to the UE.

Step 308: the AUG saves the key corresponding to the UE's IMPU and returns a SIP 200 OK message to the UE.

Step 309: the UE saves the key as a temporary secret parameter for communication with the AUG.

Step 310: the UE starts the non-IMS client to access AS2 and sends an HTTP Request message to AS2.
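The two flows above (AUG registration in steps 305-309 and the HTTP Digest exchange in steps 201-211), as an added example in Go; this is not code from the patent or its applicant. Assumptions: the AUG's 1024-bit RSA pair is used with OAEP padding, the 16-byte random key is hex-encoded to serve as the Digest password, a map stands in for the HSS registration state, and the Digest computation follows RFC 2617 without qop; all names are hypothetical.

```go
package main
import (
	"crypto/md5"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"time"
)

type keyRecord struct{ key []byte; expiry time.Time }
// AUG models the authentication gateway: RSA pair, per-IMPU key table, HSS stand-in.
type AUG struct {
	priv   *rsa.PrivateKey
	keys   map[string]keyRecord
	IMSReg map[string]bool // stands in for the HSS registration state queried in step 206
}

func NewAUG() (*AUG, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 1024) // 1024-bit pair, as in the patent
	if err != nil {
		return nil, err
	}
	return &AUG{priv: priv, keys: map[string]keyRecord{}, IMSReg: map[string]bool{}}, nil
}

func (a *AUG) PubKey() *rsa.PublicKey { return &a.priv.PublicKey }

// Register is steps 307-308: decrypt Ekey with PriKey and store the key for the IMPU.
func (a *AUG) Register(impu string, ekey []byte, now time.Time, ttl time.Duration) error {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, a.priv, ekey, nil)
	if err != nil {
		return errors.New("AUG: Ekey decryption failed, registration rejected")
	}
	a.keys[impu] = keyRecord{key: key, expiry: now.Add(ttl)}
	return nil
}

// Lookup is steps 205-207: an unexpired key and an IMS-registered UE are required, else AS2 gets an error.
func (a *AUG) Lookup(impu string, now time.Time) ([]byte, time.Time, error) {
	rec, ok := a.keys[impu]
	if !ok || !now.Before(rec.expiry) {
		return nil, time.Time{}, errors.New("AUG: no valid key for IMPU")
	}
	if !a.IMSReg[impu] {
		return nil, time.Time{}, errors.New("AUG: UE not registered in IMS domain")
	}
	return rec.key, rec.expiry, nil
}

// UEGenerateKey is step 305: a random key wrapped under the AUG public key (OAEP assumed).
func UEGenerateKey(pub *rsa.PublicKey) (key, ekey []byte, err error) {
	key = make([]byte, 16)
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	ekey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	return key, ekey, err
}

func md5hex(s string) string { sum := md5.Sum([]byte(s)); return hex.EncodeToString(sum[:]) }
// DigestResponse is the RFC 2617 response without qop: username = IMPU, password = hex key
// (assumption). An empty method gives the server's rspauth for Authentication-Info (step 209).
func DigestResponse(impu, realm string, key []byte, nonce, method, uri string) string {
	ha1 := md5hex(impu + ":" + realm + ":" + hex.EncodeToString(key))
	return md5hex(ha1 + ":" + nonce + ":" + md5hex(method+":"+uri))
}

// AS2Authenticate is steps 204-209: get the key from the AUG, verify the UE, return rspauth.
func AS2Authenticate(a *AUG, impu, realm, nonce, uri, response string, now time.Time) (string, error) {
	key, _, err := a.Lookup(impu, now)
	if err != nil {
		return "", err
	}
	if DigestResponse(impu, realm, key, nonce, "GET", uri) != response {
		return "", errors.New("AS2: Digest response does not verify")
	}
	return DigestResponse(impu, realm, key, nonce, "", uri), nil
}

// MutualAuth runs steps 305-309 then 201-211; true means steps 208 and 210 both verified.
func MutualAuth(a *AUG, impu string, now time.Time) (bool, error) {
	key, ekey, err := UEGenerateKey(a.PubKey())
	if err != nil {
		return false, err
	}
	if err := a.Register(impu, ekey, now, time.Hour); err != nil {
		return false, err
	}
	const realm, nonce, uri = "as2.example", "nonce-constructed-for-demo", "/app"
	resp := DigestResponse(impu, realm, key, nonce, "GET", uri) // step 203
	rspauth, err := AS2Authenticate(a, impu, realm, nonce, uri, resp, now)
	if err != nil {
		return false, err
	}
	return rspauth == DigestResponse(impu, realm, key, nonce, "", uri), nil
}
```

MutualAuth fails closed on every branch the flow charts mark with "return error message": a UE the HSS does not report as registered, an expired or unknown key, a tampered Ekey, or a Digest response that does not verify.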


The above embodiments provide identity authentication methods and application scenarios; correspondingly, embodiments of the present invention also provide apparatus and systems that apply the above identity authentication methods.

Figure 4 is a schematic structural diagram of an authentication gateway in an embodiment of the present invention, comprising:

A receiving module 410, configured to receive the identity of a user equipment submitted by a non-IMS domain application server.

The receiving module 410 is further configured to receive a SIP message from the user equipment and to obtain the registration parameter carried in the SIP message, the registration parameter having been generated by the user equipment using a public key.

A query module 420, configured to query, according to the identity received by the receiving module 410, whether key information corresponding to the identity exists and is within its validity period, and, when such key information exists and is within its validity period, to query whether the user equipment is in the registered state in the IMS domain.

A sending module 430, configured to return the key information and its validity period to the non-IMS domain application server when the query module 420 finds that the user equipment is registered in the IMS domain, so that the non-IMS domain application server uses the key information and its validity period to authenticate the user equipment.

The sending module 430 is further configured, when decryption by the decryption module 440 succeeds, to save the key information corresponding to the identity of the user equipment and to return a registration success message to the user equipment, so that the user equipment saves the key information and accesses the non-IMS domain application server according to it.

A decryption module 440, configured to decrypt the registration parameter obtained by the receiving module 410 using the private key it holds.

A generation module 450, configured to generate a public/private key pair, to save the private key of the pair for use by the decryption module 440, and to publish the public key of the pair to the user equipment.


Figure 5 is a schematic structural diagram of an identity authentication system in an embodiment of the present invention, comprising:

A user equipment 510, configured to send an access request to a non-IMS domain application server 520 and receive the challenge message returned by it, and to return a challenge response message to the non-IMS domain application server 520 based on its own identity and the key information.

The user equipment 510 is further configured to execute the IMS authentication procedure and register in the IMS domain; when accessing a non-IMS domain application, to check whether key information exists locally and, if not, to randomly generate key information, generate a registration parameter from the key information and the public key, and send the registration parameter in a SIP message.

A non-IMS domain application server 520, configured to submit the identity of the user equipment to an authentication gateway 530, receive the key information and its validity period from the authentication gateway 530, and use the key information and its validity period to authenticate the user equipment 510.

An authentication gateway 530, configured to receive the identity of the user equipment 510 submitted by the non-IMS domain application server 520 and to query, according to that identity, whether key information corresponding to it exists and is within its validity period; if so, to query whether the user equipment 510 is in the registered state in the IMS domain and, if the result is yes, to return the key information and its validity period to the non-IMS domain application server 520.

The authentication gateway 530 is further configured to receive a SIP message from the user equipment 510 and obtain the registration parameter carried in it, the registration parameter having been generated by the user equipment 510 using the public key; to decrypt the obtained registration parameter with the private key it holds and, if decryption succeeds, to save the key information corresponding to the identity of the user equipment 510 and return a registration success message to the user equipment 510, so that the user equipment 510 saves the key information and accesses the non-IMS domain application server according to it.


From the description of the above embodiments, those skilled in the art will understand that the present invention can be implemented by software together with the necessary general-purpose hardware platform, and of course also by hardware, though in many cases the former is the better implementation. On this understanding, the technical solution of the embodiments, or the part of it that contributes over the prior art, can be embodied as a software product stored on a storage medium and comprising instructions that cause a terminal device (which may be a mobile phone, personal computer, server, network device, etc.) to execute the methods described in the embodiments of the present invention.

The above are only preferred embodiments of the present invention. It should be noted that those of ordinary skill in the art can make improvements and refinements without departing from the principles of the embodiments, and such improvements and refinements should also be regarded as within the protection scope of the present invention.

Those skilled in the art will understand that the modules of the apparatus in an embodiment may be distributed within the apparatus as described, or may be located, with corresponding changes, in one or more apparatuses different from that of the embodiment. The modules of the above embodiments may be integrated or deployed separately; they may be combined into one module or further split into several sub-modules.

The numbering of the above embodiments is for description only and does not indicate the merits of the embodiments.

The above discloses only a few specific embodiments of the present invention; the invention is not limited to these, and any variation conceivable by those skilled in the art falls within its protection scope.

Claims (12)

1. An identity authentication method, characterized by comprising the following steps:
receiving the identity of a user equipment submitted by a non-IP Multimedia Subsystem (IMS) domain application server, and querying according to the identity whether key information corresponding to the identity exists and is within its validity period;
if key information corresponding to the identity exists and is within its validity period, querying whether the user equipment is in the registered state in the IMS domain and, if the result is yes, returning the key information and its validity period to the non-IMS domain application server, so that the non-IMS domain application server uses the key information and its validity period to authenticate the user equipment.

2. The method according to claim 1, characterized in that, before receiving the identity of the user equipment submitted by the non-IMS domain application server, the method further comprises:
receiving a Session Initiation Protocol (SIP) message from the user equipment and obtaining the registration parameter carried in the SIP message, the registration parameter having been generated by the user equipment using a public key;
decrypting the obtained registration parameter with the held private key and, if decryption succeeds, saving the key information corresponding to the identity of the user equipment and returning a registration success message to the user equipment, so that the user equipment saves the key information and accesses the non-IMS domain application server according to it.

3. The method according to claim 2, characterized in that, before receiving the SIP message from the user equipment, the method further comprises:
the user equipment executing the IMS authentication procedure and registering in the IMS domain;
when the user equipment accesses a non-IMS domain application, checking whether key information exists locally and, if not, randomly generating key information, generating a registration parameter from the key information and the public key, and sending the registration parameter in a SIP message.

4. The method according to claim 3, characterized in that, before the user equipment generates the registration parameter from the key information and the public key, the method further comprises:
generating a public/private key pair, saving the private key of the pair, and publishing the public key of the pair to the user equipment.

5. The method according to claim 2, characterized in that the user equipment accessing the non-IMS domain application server according to the key information specifically comprises:
the user equipment sending an access request to the non-IMS domain application server and receiving the challenge message returned by it;
the user equipment returning a challenge response message to the non-IMS domain application server based on its own identity and the key information.

6. The method according to claim 5, characterized in that the non-IMS domain application server using the key information and its validity period to authenticate the user equipment specifically comprises:
the non-IMS domain application server using the key information to verify whether the challenge response message from the user equipment is correct and, if so, returning an authentication success message to the user equipment;
the user equipment receiving the authentication success message from the non-IMS domain application server and verifying whether the authentication information it contains is correct and, if so, completing mutual authentication with the non-IMS domain application server and interacting with it over a secure channel.

7. An authentication gateway, characterized by comprising:
a receiving module, configured to receive the identity of a user equipment submitted by a non-IMS domain application server;
a query module, configured to query, according to the identity received by the receiving module, whether key information corresponding to the identity exists and is within its validity period, and, when such key information exists and is within its validity period, to query whether the user equipment is in the registered state in the IMS domain;
a sending module, configured to return the key information and its validity period to the non-IMS domain application server when the query module finds that the user equipment is registered in the IMS domain, so that the non-IMS domain application server uses the key information and its validity period to authenticate the user equipment.

8. The authentication gateway according to claim 7, characterized in that:
the receiving module is further configured to receive a SIP message from the user equipment and obtain the registration parameter carried in the SIP message, the registration parameter having been generated by the user equipment using a public key;
the authentication gateway further comprises a decryption module, configured to decrypt the registration parameter obtained by the receiving module using the private key it holds;
the sending module is further configured, when decryption by the decryption module succeeds, to save the key information corresponding to the identity of the user equipment and return a registration success message to the user equipment, so that the user equipment saves the key information and accesses the non-IMS domain application server according to it.

9. The authentication gateway according to claim 8, characterized by further comprising:
a generation module, configured to generate a public/private key pair, save the private key of the pair for use by the decryption module, and publish the public key of the pair to the user equipment.

10. An identity authentication system, characterized by comprising:
a user equipment, configured to send an access request to a non-IMS domain application server and receive the challenge message returned by it, and to return a challenge response message to the non-IMS domain application server based on its own identity and the key information;
a non-IMS domain application server, configured to submit the identity of the user equipment to an authentication gateway, receive the key information and its validity period from the authentication gateway, and use the key information and its validity period to authenticate the user equipment;
an authentication gateway, configured to receive the identity of the user equipment submitted by the non-IMS domain application server and query, according to the identity, whether key information corresponding to it exists and is within its validity period; if so, to query whether the user equipment is in the registered state in the IMS domain and, if the result is yes, to return the key information and its validity period to the non-IMS domain application server.

11. The system according to claim 10, characterized in that:
the authentication gateway is further configured to receive a Session Initiation Protocol (SIP) message from the user equipment and obtain the registration parameter carried in it, the registration parameter having been generated by the user equipment using the public key; to decrypt the obtained registration parameter with the private key it holds and, if decryption succeeds, to save the key information corresponding to the identity of the user equipment and return a registration success message to the user equipment, so that the user equipment saves the key information and accesses the non-IMS domain application server according to it.

12. The system according to claim 10, characterized in that:
the user equipment is further configured to execute the IMS authentication procedure and register in the IMS domain; when accessing a non-IMS domain application, to check whether key information exists locally and, if not, to randomly generate key information, generate a registration parameter from the key information and the public key, and send the registration parameter in a SIP message.
CN 200910237819 2009-11-11 2009-11-11 Method and system for authenticating identity and device Active CN102065069B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200910237819 CN102065069B (en) 2009-11-11 2009-11-11 Method and system for authenticating identity and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 200910237819 CN102065069B (en) 2009-11-11 2009-11-11 Method and system for authenticating identity and device

Publications (2)

Publication Number Publication Date
CN102065069A true CN102065069A (en) 2011-05-18
CN102065069B CN102065069B (en) 2013-07-31

Family

ID=44000172

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200910237819 Active CN102065069B (en) 2009-11-11 2009-11-11 Method and system for authenticating identity and device

Country Status (1)

Country Link
CN (1) CN102065069B (en)


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant