
WO2007098669A1 - A method, system and apparatus for user terminal authentication - Google Patents


Info

Publication number
WO2007098669A1
Authority
WO
WIPO (PCT)
Prior art keywords
user terminal
address
request message
authentication
address information
Prior art date
Application number
PCT/CN2007/000234
Other languages
French (fr)
Chinese (zh)
Inventor
Hui Li
Original Assignee
Huawei Technologies Co., Ltd.
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2007098669A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/12 Applying verification of the received information
    • H04L 63/126 Applying verification of the received information the source of the received data

Definitions

  • the present invention relates to the field of communications, and in particular, to a system and apparatus for authenticating a user terminal. Background of the invention
  • the IP Multimedia Subsystem is a subsystem that 3GPP superimposes on a packet network.
  • the IMS uses the packet domain as its bearer channel for control signaling and media transmission, and introduces Session Initiation Protocol (SIP) as its service control protocol.
  • SIP Session Initiation Protocol
  • IMS utilizes the characteristics of simple SIP, easy to expand, and convenient media combination to provide rich multimedia services by separating service control from bearer control.
  • the main functional entities in the IMS include Call Session Control Function (CSCF), which controls user registration, session control, etc.
  • CSCF Call Session Control Function
  • HSS Home Subscriber Server
  • AS Application Server
  • in IMS applications, in order to complete the registration function of the user terminal and the calling or called services, 3GPP defines the user public identity (IMPU, IM Public Identity) and the private identity (IMPI, IM Private Identity); the user communicates using the IMPU, and the IMPI is used to authenticate the user terminal.
  • according to the current 3GPP definition, the standard IMS terminal is authenticated using the IMS Authentication and Key Agreement (AKA) authentication method.
  • the IMS AKA authentication method establishes, through the registration process, a secure channel in the access network between the IMS terminal and the P-CSCF to protect the integrity and confidentiality of subsequent messages. However, given the processing capability of current IMS terminals, it is difficult to provide such a secure channel. If the terminal does not establish a secure channel, the re-registration and session requests initiated by the IMS terminal receive no security protection.
  • the existing solution is that when the IMS terminal initiates a re-registration request, a logout request, and a dialog request and a non-registered independent transaction request, the network initiates an authentication process to ensure user reliability. As the network authenticates each request of the IMS terminal, the request processing delay increases, which affects the user experience. At the same time, the network message traffic increases and the processing overhead increases. Other authentication methods, such as HTTP Digest, etc., use the per-session authentication method to ensure the reliability of the user request after the initial authentication is passed, so the same problem exists. Summary of the invention
  • the embodiment of the invention provides a user terminal authentication method and system, which simplifies the authentication process, ensures the reliability of the user terminal, and enhances the user experience.
  • a user terminal authentication system comprising: a network access control entity, a registration authentication control entity;
  • the network access control entity is configured to receive the request message of the user terminal, and carry the address information of the user terminal in the request message, and forward the request message carrying the user terminal address information to the registration authentication control entity;
  • the registration authentication control entity stores the address information of the user terminal, and after receiving the request message, compares whether the address information of the user terminal carried in the request message matches the stored address information of the user terminal; if it matches, the user terminal is determined to pass authentication.
  • a user terminal authentication system comprising: a network access control entity, a registration authentication control entity, and a session control entity;
  • the registration authentication control entity stores the address information of the user terminal
  • the network access control entity is configured to receive the request message of the user terminal, and carry the address information of the user terminal in the request message, and send the request message carrying the user terminal address information to the session control entity;
  • the session control entity is configured to receive the request message carrying the user terminal address information sent by the network access control entity, obtain the saved address information of the user terminal from the registration authentication control entity, and compare whether the address information in the request message matches the saved address information; if it matches, it determines that the user terminal is authenticated.
  • a registration authentication control entity is configured to store the address information of a user terminal, receive a request message of the user terminal, and compare whether the address information of the user terminal carried in the request message matches the stored address information of the user terminal; if so, the user terminal is determined to pass authentication.
  • a session control entity is configured to receive a request message carrying user terminal address information, obtain the stored address information of the user terminal, and compare whether the address information in the request message matches the saved address information; if so, the user terminal is determined to pass authentication.
  • the authentication method of the embodiment of the present invention enables the user terminal to initiate a re-registration request, a logout request, and a dialog request without establishing a secure channel while ensuring the reliability of the user terminal and the integrity and confidentiality of subsequent messages.
  • the non-registered independent transaction request is authenticated by comparing the address information of the user terminal in the request message with the stored address information of the user terminal, so that the network does not need to perform initial authentication for each request of the IMS terminal.
  • the authentication process simplifies the corresponding authentication process, so that the traffic of the network message is controlled, the network processing overhead is reduced, the delay of processing the request message is reduced, and the user experience is enhanced.
  • FIG. 1 is a network logical structure diagram of a user terminal authentication system according to an embodiment of the present invention.
  • FIG. 2 is a flowchart of an initial registration authentication request process when the IMS AKA authentication mode is adopted in the embodiment of the present invention.
  • FIG. 3 is a flowchart of a user terminal initiating a re-registration authentication request when the IMS AKA authentication mode is adopted in the embodiment of the present invention.
  • FIG. 4 is a flow chart of the user terminal initiating re-authentication in the process of re-registering the authentication request when the IMS AKA authentication mode is adopted in the embodiment of the present invention.
  • FIG. 5 is a flowchart of a user terminal initiating a non-registration authentication request when the IMS AKA authentication mode is used in the embodiment of the present invention.
  • FIG. 6 is a flow chart of initial authentication when the BA authentication mode is adopted in the embodiment of the present invention. Mode for carrying out the invention
  • the user terminal obtains an access address after being authenticated by the access network, and the access address is reliable.
  • the network can retain the address information of the user terminal when the authentication of the user terminal is passed.
  • for subsequent re-registration, logout, dialog and non-registered independent transaction request messages, the address information of the user terminal carried in the request message is compared with the address information of the user terminal saved when authentication passed; if they are the same, the user terminal is determined to pass authentication; if they differ, the network initiates a re-authentication process towards the user terminal, or returns a failure response.
  • the address information of the user terminal may be an IP address, a port number, or a Full Qualified Domain Name (FQDN).
  • the network logical structure of the user terminal authentication system in the embodiment of the present invention is as shown in FIG. 1, and includes a user terminal 101, a network access control entity 102, a registration authentication control entity 103, and a session control entity 104, where:
  • the user terminal 101 is a communication terminal that can access a packet network, such as an IMS terminal, a PC, or the like.
  • the network access control entity 102 is a network entity that provides access control for the user terminal 101; it is responsible for proxying the registration, authentication and session control of the user terminal, and can establish a secure channel between the user terminal 101 and the network access control entity 102 according to the user's authentication information.
  • the registration authentication control entity 103 provides the user with a registration mechanism and an authorization control function, and can instruct the network access control entity 102 to establish a secure channel for the authenticated user in the access network.
  • the session control entity 104 provides functions such as session control, routing connection, and service triggering for registered and authorized users.
  • the address information of the user terminal 101 takes an IP address as an example.
  • the network access control entity 102 receives the registration authentication request message of the user terminal 101, carries the IP address of the user terminal in the request message, and forwards the registration authentication request message carrying the user terminal IP address to the registration authentication control entity 103;
  • the registration authentication control entity 103 authenticates the user terminal 101 using the authentication mode supported by the user terminal 101. If the authentication is passed, the registration authentication control entity 103 saves the IP address carried in the registration authentication request message it receives.
  • for subsequent request messages, the network access control entity 102 carries the IP address of the user terminal in the request message, and forwards the request message carrying the IP address of the user terminal to the registration authentication control entity 103;
  • after receiving the request message, the registration authentication control entity 103 compares whether the saved IP address and the IP address in the request message are consistent. If they are consistent, the authentication passes; otherwise the authentication fails, the user terminal may be re-authenticated, and after the re-authentication passes, the saved IP address is refreshed.
  • the method of the embodiment of the present invention is described in detail below by taking the IMS AKA authentication in the IMS network as an example.
  • the address information of the user terminal is obtained during the initial registration process, and after the initial authentication passes, the address information of the user terminal is saved, as shown in FIG. 2:
  • Step 201 The user terminal sends a registration request to the P-CSCF, where the registration request indicates that the terminal supports the IP address authentication method.
  • Step 202 The P-CSCF receives the registration request sent by the user terminal, and checks the IP address IP1 included in the "sent-by" parameter of the Via header field in the registration request. If the "sent-by" parameter contains a domain name, or if the IP address it contains differs from the source address of the received IP packet, the P-CSCF adds the parameter "received" to the Via header field, containing the IP address IP2 from which the request was received. The P-CSCF then forwards the registration request to the I-CSCF.
  • Step 203 The I-CSCF receives the registration request forwarded by the P-CSCF, and then forwards the registration request to the S-CSCF.
  • Step 204 The S-CSCF receives the registration request forwarded by the I-CSCF. If the registration request includes the indication that the terminal supports the IP address authentication method, the S-CSCF considers that the terminal supports the IP address authentication method. The S-CSCF sends an authentication challenge (401 Challenge) to the user terminal according to the user authentication information obtained by the HSS query.
  • Step 205 The I-CSCF forwards the registration authentication challenge.
  • Step 206 After receiving the registration authentication challenge, the P-CSCF forwards the registration authentication challenge to the user terminal.
  • Step 207 After receiving the registration authentication challenge, the user terminal authenticates the network and calculates the authentication response without needing to establish a secure channel, and re-initiates the registration process.
  • Step 208 The P-CSCF forwards the registration request.
  • Step 209 The I-CSCF forwards the registration request.
  • Step 210 The S-CSCF receives the registration request and performs matching according to the authentication response of the user terminal. If the matching succeeds, the user status is set to the registered state. The S-CSCF then checks whether the Via header field in the registration message contains the "sent-by" parameter; if so, the corresponding IP1 in the "sent-by" parameter is saved. If the Via header field also contains the "received" parameter, IP2 in the "received" parameter is saved as well. The S-CSCF sends a successful acknowledgement to the user terminal.
  • Step 211 The I-CSCF forwards the successful confirmation.
  • Step 212 The P-CSCF forwards the successful confirmation.
  • the user terminal thus completes the initial registration authentication process, and the address information IP1, or IP1 and IP2, in effect when the user terminal passed authentication is saved in the S-CSCF.
  • when the user terminal initiates a re-registration request, the authentication process includes the following steps, as shown in Figure 3:
  • Step 301 The user terminal sends a re-registration request to the P-CSCF, where the registration message indicates that the terminal supports the IP address-based authentication method.
  • Step 302 The P-CSCF checks the IP address IP1 included in the "sent-by" parameter of the Via header field in the registration message. If the IP address in the "sent-by" parameter differs from the source address of the received IP packet, the P-CSCF adds the parameter "received" to the Via header field, containing the source IP address IP2 of the received IP packet. The re-registration request is then forwarded to the I-CSCF.
  • Step 303 The I-CSCF receives the re-registration request forwarded by the P-CSCF, and then forwards the re-registration request to the S-CSCF.
  • Step 304 The S-CSCF receives the re-registration request and first checks whether the Via header field in the re-registration request includes the "sent-by" parameter and the "received" parameter. If included, the parameter values in the request message are compared with the corresponding parameter values saved when the initial authentication passed. If they match, the user terminal is deemed to have passed authentication, and a successful confirmation is returned.
  • Step 305 the I-CSCF forwards the successful confirmation.
  • Step 306 the P-CSCF forwards the successful confirmation.
  • if the parameter values do not match in step 304, the user terminal fails the authentication, and the user terminal needs to initiate re-authentication.
  • the process is as follows, as shown in Figure 4:
  • Steps 401 to 403 are the same as steps 301 to 303.
  • Step 404 The S-CSCF receives the re-registration request and first checks whether the Via header field in the registration request contains the "sent-by" parameter and the "received" parameter. If so, it compares the parameter values in the request message with the corresponding values saved at the initial registration. If they do not match, the user terminal needs to be re-authenticated, and the S-CSCF initiates re-authentication (401 challenge) towards the user terminal according to the user authentication information obtained by the HSS query.
  • Steps 405 to 409 are the same as steps 205 to 209.
  • Step 410 The S-CSCF receives the registration request and performs matching according to the authentication response of the user terminal. If the matching succeeds, the user state is set to the registered state. The S-CSCF then checks whether the Via header field in the registration message contains the "sent-by" parameter and the "received" parameter; if so, IP1 in the "sent-by" parameter and IP2 in the "received" parameter are saved, replacing the IP address IP1, or IP1 and IP2, saved when the previous authentication passed. The S-CSCF sends a successful acknowledgement to the user terminal.
  • Step 411 the I-CSCF forwards the successful confirmation.
  • Step 412 The P-CSCF forwards the successful confirmation.
  • Step 501 The user terminal sends a non-registered authentication request, that is, a dialog request or a non-registered independent transaction request, and the non-registered authentication request indicates that the terminal supports the IP address based authentication method.
  • Step 502 The P-CSCF forwards the non-registered authentication request to the requested S-CSCF.
  • Step 503 The S-CSCF receives the request message and first checks whether the Via header field in the request message includes the "sent-by" parameter and the "received" parameter. If included, it compares the parameter values in the non-registered authentication request message with the corresponding parameter values saved when the user terminal authentication succeeded. If they match, the S-CSCF continues with the service logic processing; otherwise, the S-CSCF returns a 403 (Forbidden) response.
  • when the user terminal initiates an initial registration request using the HTTP Digest authentication method, the initial registration authentication process is basically the same as for IMS AKA and is not repeated here.
  • Step 601 The user terminal initiates an initial registration request according to the NBA authentication method, and the registration request indicates that the terminal supports the IP address authentication method.
  • Steps 602 to 603 are the same as steps 202 to 203.
  • Step 604 The S-CSCF receives the registration request forwarded by the I-CSCF. If the registration request includes the indication that the terminal supports the IP address authentication method, the S-CSCF considers that the terminal supports the IP address authentication method. The S-CSCF compares the user authentication information (user location information) obtained by the HSS query with the location information in the user registration request, and if the comparison passes, saves the IP address in the user registration message, and then returns a registration success response.
  • Step 605 The I-CSCF forwards the registration success response.
  • Step 606 After receiving the registration success response, the P-CSCF forwards the registration success response to the user terminal.
  • when the IMS network adopts the Digest or the BA authentication mode, the process of the user terminal initiating a re-registration request is the same as for IMS AKA and is not described here.
  • the networks to which the present invention applies include, but are not limited to, an IP Multimedia Subsystem (IMS) network, a packet network such as a Next Generation Network (NGN), and the Internet.
  • the signaling used includes, but is not limited to, the Session Initiation Protocol (SIP), the Hypertext Transfer Protocol (HTTP), etc.;
  • the authentication mode of the network to the terminal includes but is not limited to the authentication methods such as IMS AKA and HTTP Digest;
  • the secure channels established between the user terminal and the access control entities include, but are not limited to, IPsec secure channels, Transport Layer Security (TLS) channels, or no secure channel at all.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

A method for user terminal authentication which comprises: when a request message is received from the user terminal, judging whether the address information of the user terminal is included in the request message; if included, comparing the address information of the user terminal carried in the request message with the stored address information of the user terminal; if the address information matches, the user terminal authentication passes. The invention also provides a user terminal authentication system, a registration authentication control function and a call session control function, which improve the security of the user terminal, simplify the authentication process and reduce processing overhead.

Description

Method, system and apparatus for authenticating a user terminal. Technical field
The present invention relates to the field of communications, and in particular to a method, system and apparatus for authenticating a user terminal. Background of the invention
The IP Multimedia Subsystem (IMS) is a subsystem that 3GPP superimposes on a packet network. The IMS uses the packet domain as the bearer channel for its control signaling and media transmission, and introduces the Session Initiation Protocol (SIP) as its service control protocol. IMS exploits SIP's simplicity, easy extensibility and convenient media combination to provide rich multimedia services by separating service control from bearer control. The main functional entities in the IMS include the Call Session Control Function (CSCF), which controls user registration, session control and other functions; the Home Subscriber Server (HSS), which centrally manages user subscription data; and the Application Server (AS), which provides various service logic control functions.
In IMS applications, in order to complete the registration function of the user terminal and the calling or called services, 3GPP defines a user public identity (IMPU, IM Public Identity) and a private identity (IMPI, IM Private Identity); the user communicates using the IMPU, and the IMPI is used to authenticate the user terminal. According to the current 3GPP definition, a standard IMS terminal is authenticated using the IMS Authentication and Key Agreement (AKA) authentication method.
The IMS AKA authentication method establishes, through the registration process, a secure channel in the access network between the IMS terminal and the P-CSCF to protect the integrity and confidentiality of subsequent messages. However, given the processing capability of current IMS terminals, it is difficult to provide such a secure channel. If the terminal does not establish a secure channel, the re-registration and session requests initiated by the IMS terminal receive no security protection. The existing solution is that whenever the IMS terminal initiates a re-registration request, a logout request, a dialog request or a non-registered independent transaction request, the network initiates an authentication procedure to ensure the user is genuine. Because the network authenticates every request of the IMS terminal, the request processing delay increases, which degrades the user experience; at the same time, network message traffic and processing overhead increase. Other authentication methods, such as HTTP Digest, use per-session authentication after the initial authentication passes to ensure the reliability of user requests, so the same problem exists. Summary of the invention
The embodiment of the invention provides a user terminal authentication method and system, which simplifies the authentication process while ensuring the reliability of the user terminal and enhancing the user experience.
The user terminal authentication method of the embodiment of the present invention includes the following steps:
receiving a request message sent by the user terminal, and comparing whether the address information of the user terminal carried in the request message matches the stored address information of the user terminal; if they match, the user terminal passes authentication.
A user terminal authentication system, comprising a network access control entity and a registration authentication control entity, wherein:
the network access control entity is configured to receive the request message of the user terminal, carry the address information of the user terminal in the request message, and forward the request message carrying the user terminal address information to the registration authentication control entity;
the registration authentication control entity stores the address information of the user terminal, and after receiving the request message, compares whether the address information of the user terminal carried in the request message matches the stored address information of the user terminal; if it matches, the user terminal is determined to pass authentication.
A user terminal authentication system, comprising a network access control entity, a registration authentication control entity and a session control entity, wherein:
the registration authentication control entity stores the address information of the user terminal;
the network access control entity is configured to receive the request message of the user terminal, carry the address information of the user terminal in the request message, and send the request message carrying the user terminal address information to the session control entity;
the session control entity is configured to receive the request message carrying the user terminal address information sent by the network access control entity, obtain the saved address information of the user terminal from the registration authentication control entity, and compare whether the address information in the request message matches the saved address information; if it matches, the user terminal is determined to pass authentication.
A registration authentication control entity, configured to store the address information of a user terminal, receive a request message of the user terminal, and compare whether the address information of the user terminal carried in the request message matches the stored address information of the user terminal; if it matches, the user terminal is determined to pass authentication.
A session control entity, configured to receive a request message carrying user terminal address information, obtain the stored address information of the user terminal, and compare whether the address information in the request message matches the saved address information; if it matches, the user terminal is determined to pass authentication.
The authentication method of the embodiment of the present invention ensures the reliability of the user terminal and the integrity and confidentiality of subsequent messages while allowing the user terminal to initiate re-registration requests, logout requests, dialog requests and non-registered independent transaction requests without establishing a secure channel. Authentication is performed by comparing the address information of the user terminal in the request message with the stored address information of the user terminal, so that the network does not need to authenticate every request of the IMS terminal in the manner of the initial authentication. This simplifies the corresponding authentication procedure, keeps network message traffic under control, reduces network processing overhead, reduces the delay in processing request messages and enhances the user experience. Brief description of the drawings
FIG. 1 is a diagram of the logical network structure of a user terminal authentication system according to an embodiment of the present invention.
FIG. 2 is a flowchart of the initial registration authentication request procedure when IMS AKA authentication is used in an embodiment of the present invention.
FIG. 3 is a flowchart of a user terminal initiating a re-registration authentication request when IMS AKA authentication is used in an embodiment of the present invention.
FIG. 4 is a flowchart of re-authentication being initiated towards the user terminal during the re-registration authentication request procedure when IMS AKA authentication is used in an embodiment of the present invention.
FIG. 5 is a flowchart of a user terminal initiating a non-registration authentication request when IMS AKA authentication is used in an embodiment of the present invention.
FIG. 6 is a flowchart of initial authentication when NBA authentication is used in an embodiment of the present invention.
MODE FOR CARRYING OUT THE INVENTION
To make the technical solutions of the embodiments of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and specific embodiments.
Generally, a user terminal obtains an access address after being authenticated by the access network, and this access address is trustworthy. On the premise that the terminal's access address is trustworthy, the network can retain the address information of the user terminal when the user terminal passes authentication. For subsequent re-registration requests, de-registration requests, dialog requests and non-registration standalone transaction request messages, the address information of the user terminal carried in the request message can be compared with the address information of the user terminal stored when authentication passed: if they are the same, the user terminal is determined to have passed authentication; if they differ, the network initiates a re-authentication procedure towards the user terminal, or returns a failure response. The address information of the user terminal may be an IP address, a port number, a Fully Qualified Domain Name (FQDN) or the like.
The logical network structure of the user terminal authentication system of an embodiment of the present invention is shown in FIG. 1 and includes a user terminal 101, a network access control entity 102, a registration authentication control entity 103 and a session control entity 104, where:
The user terminal 101 is a communication terminal that can access a packet network, such as an IMS terminal or a PC.
The network access control entity 102 is a network entity that provides access control to the user terminal 101; it is responsible for proxy control of the user terminal's registration, authentication, sessions and so on, and can establish a secure channel between the user terminal 101 and the network access control entity 102 according to the user's authentication information.
The registration authentication control entity 103 provides the user with functions such as a registration mechanism and authorization control, and can direct the network access control entity 101 to establish a secure channel in the access network for an authenticated user.
The session control entity 104 provides registered and authorized users with functions such as session control, route connection and service triggering.
In the embodiments of the present invention, the address information of the user terminal 101 is described using an IP address as the example. When the user terminal 101 initiates an initial registration request, it carries its IP address in the request message, and the registration authentication request message carrying the user terminal's IP address is forwarded to the registration authentication control entity 103;
The registration authentication control entity 103 authenticates the user terminal 101 using an authentication method supported by the user terminal 101; if authentication passes, the registration authentication control entity 103 stores the IP address carried in the registration authentication request message it received.
During the registration lifetime of the user terminal 101, when the user terminal 101 initiates a re-registration request, a de-registration request message, a dialog request message or a standalone transaction request message, the IP address of the user terminal is carried in the request message, and the request message carrying the user terminal's IP address is forwarded to the registration authentication control entity 103;
After receiving the request message, the registration authentication control entity 103 compares whether the stored IP address and the IP address in the request message are the same; if so, authentication passes. Otherwise authentication fails, and re-authentication may be initiated towards the user terminal; after re-authentication passes, the stored IP address is refreshed.
The method of the embodiments of the present invention is first described in detail below, taking IMS AKA authentication in an IMS network as the example.
First, the address information of the user terminal is obtained during the initial registration procedure and stored after the initial authentication passes, as shown in FIG. 2:
Step 201: The user terminal sends a registration request to the P-CSCF; the registration request indicates that the terminal supports the IP-address-based authentication method.
Step 202: The P-CSCF receives the registration request sent by the user terminal and checks the IP address IP1 contained in the "sent-by" parameter of the Via header field of the registration request. If the "sent-by" parameter contains a domain name, or the IP address it contains differs from the source address from which the IP packet was received, the P-CSCF adds a "received" parameter to the Via header field, containing the IP address IP2 observed when receiving the request. The P-CSCF then forwards the registration request to the I-CSCF.
Step 203: The I-CSCF receives the registration request forwarded by the P-CSCF and forwards it to the S-CSCF.
Step 204: The S-CSCF receives the registration request forwarded by the I-CSCF. If the registration request contains the indication that the terminal supports the IP-address-based authentication method, the S-CSCF considers the terminal to support that method. Based on the user authentication information obtained by querying the HSS, the S-CSCF sends an authentication challenge (401 Challenge) to the user terminal.
Step 205: The I-CSCF forwards the registration authentication challenge.
Step 206: After receiving the registration authentication challenge, the P-CSCF forwards it to the user terminal.
Step 207: After receiving the registration authentication challenge, the user terminal does not need to establish a secure channel. It authenticates the network, computes the authentication response and re-initiates the registration procedure.
Step 208: The P-CSCF forwards the registration request.
Step 209: The I-CSCF forwards the registration request.
Step 210: The S-CSCF receives the registration request and performs matching against the user terminal's authentication response; if the match succeeds, the user's state is set to registered. It then checks whether the Via header field of the registration message contains a "sent-by" parameter; if so, it stores IP1 from the "sent-by" parameter accordingly, and if the Via header field also contains a "received" parameter, it stores IP2 from the "received" parameter as well. The S-CSCF sends a success confirmation to the user terminal.
Step 211: The I-CSCF forwards the success confirmation.
Step 212: The P-CSCF forwards the success confirmation.
At this point the user terminal has completed the initial registration authentication procedure, and the S-CSCF has stored the address information with which the user terminal passed authentication: IP1, or IP1 and IP2.
When the user terminal initiates a re-registration request during its registration lifetime, the authentication procedure includes the following steps, as shown in FIG. 3:
Step 301: The user terminal sends a re-registration request to the P-CSCF; the registration message indicates that the terminal supports the IP-address-based authentication method.
Step 302: The P-CSCF checks the IP address IP1 contained in the "sent-by" parameter of the Via header field of the registration message. If the IP address IP1 in the "sent-by" parameter differs from the source address from which the IP packet was received, the P-CSCF adds a "received" parameter to the Via header field, containing the source IP address IP2 of the received IP packet. It then forwards the re-registration request to the I-CSCF.
Step 303: The I-CSCF receives the re-registration request forwarded by the P-CSCF and forwards it to the S-CSCF.
Step 304: The S-CSCF receives the re-registration request. The S-CSCF first checks whether the Via header field of the re-registration request contains the "sent-by" and "received" parameters; if so, it compares the parameter values in the request message with the corresponding parameter values stored when the initial authentication passed. If they match, the user terminal is considered to have passed authentication and a success confirmation is returned.
Step 305: The I-CSCF forwards the success confirmation.
Step 306: The P-CSCF forwards the success confirmation.
If the parameter values do not match in step 304, the user terminal fails authentication and re-authentication must be initiated towards the user terminal. The procedure is as follows, as shown in FIG. 4:
Steps 401 to 403 are the same as steps 301 to 303.
Step 404: The S-CSCF receives the re-registration request. The S-CSCF first checks whether the Via header field of the registration request contains the "sent-by" and "received" parameters; if so, it compares the parameter values in the request message with the corresponding parameter values stored at initial registration. If they do not match, the user terminal must be re-authenticated: based on the user authentication information obtained by querying the HSS, the S-CSCF initiates re-authentication (401 challenge) towards the user terminal.
Steps 405 to 409 are the same as steps 205 to 209.
Step 410: The S-CSCF receives the registration request and performs matching against the user terminal's authentication response; if the match succeeds, the user's state is set to registered. It then checks whether the Via header field of the registration message contains the "sent-by" and "received" parameters; if so, it stores IP1 from the "sent-by" parameter and IP2 from the "received" parameter accordingly, refreshing the IP address IP1, or IP1 and IP2, stored when authentication last passed. The S-CSCF sends a success confirmation to the user terminal.
Step 411: The I-CSCF forwards the success confirmation.
Step 412: The P-CSCF forwards the success confirmation.
Besides initiating re-authentication after the user terminal fails authentication, whether the user terminal needs to be re-authenticated can also be determined according to the operating status of the network, the user's registration information, the operator's configuration information and so on.
When the user terminal initiates a non-registration authentication request, the calling-side processing procedure is as shown in FIG. 5:
Step 501: The user terminal sends a non-registration authentication request, namely a dialog request or a non-registration standalone transaction request; the non-registration authentication request indicates that the terminal supports the IP-address-based authentication method.
Step 502: The P-CSCF forwards the non-registration authentication request to the requested S-CSCF.
Step 503: The S-CSCF receives the request message and first checks whether the Via header field of the request message contains the "sent-by" and "received" parameters. If so, and the parameter values in the non-registration authentication request message match the corresponding parameter values stored when the user terminal passed authentication, the S-CSCF continues with service logic processing; otherwise, the S-CSCF returns a 403 (Forbidden) response.
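The P-CSCF and S-CSCF behaviour in steps 202/302, 210/410, 304/404 and 503 above, written out as an added Python example; this is illustrative code, not the patent's or any vendor's implementation. It assumes a SIP Via header of the usual form ("SIP/2.0/UDP host:port;branch=...;received=..."), a constructed user identity and constructed Via lines, and two design choices the page leaves open: the P-CSCF discards any "received" parameter already present in the terminal's Via before adding its own (the value must come from the proxy's observation of the packet source, never from the client), and a request for a user with no stored binding is treated as a mismatch.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class AddressBinding:
    """IP1 from the Via "sent-by" host and, if present, IP2 from "received"."""
    sent_by: str
    received: Optional[str] = None


def _is_ip(host: str) -> bool:
    """True for an IPv4/IPv6 literal (brackets allowed), False for a domain name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def parse_via(via: str) -> AddressBinding:
    """Parse the top-most Via entry, e.g.
    'SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776;received=192.0.2.10'."""
    value = via.strip()
    if value.lower().startswith("via:"):
        value = value[4:].strip()
    top = value.split(",", 1)[0]                # only the terminal's own Via entry
    parts = [p.strip() for p in top.split(";")]
    _proto, _, sent_by = parts[0].partition(" ")
    sent_by = sent_by.strip()
    if sent_by.startswith("["):                 # IPv6 literal: keep the bracketed form
        host = sent_by[: sent_by.index("]") + 1]
    else:
        host = sent_by.split(":", 1)[0]         # drop the port
    params = {}
    for p in parts[1:]:
        key, _, val = p.partition("=")
        params[key.lower()] = val
    return AddressBinding(sent_by=host, received=params.get("received"))


def pcscf_annotate_via(via: str, source_ip: str) -> str:
    """Steps 202/302: add received=<packet source> when sent-by is a domain name
    or an IP address other than the packet source. Any client-supplied
    'received' is dropped first (design choice: only the proxy's observation counts)."""
    kept = [p for p in via.rstrip().split(";")
            if not p.strip().lower().startswith("received=")]
    cleaned = ";".join(kept)
    binding = parse_via(cleaned)
    if _is_ip(binding.sent_by) and binding.sent_by == source_ip:
        return cleaned
    return cleaned + ";received=" + source_ip


class SCSCF:
    """Holds, per user, the address binding stored when authentication passed."""

    def __init__(self) -> None:
        self._bindings: Dict[str, AddressBinding] = {}

    def on_auth_success(self, user: str, via: str) -> None:
        """Steps 210/410: store (or refresh) IP1 and, if present, IP2."""
        self._bindings[user] = parse_via(via)

    def _matches(self, user: str, via: str) -> bool:
        # Comparing the whole binding covers both cases of claim 3: with no
        # 'received' only IP1 is compared, otherwise IP1 and IP2 together.
        stored = self._bindings.get(user)       # unknown user -> mismatch (assumption)
        return stored is not None and parse_via(via) == stored

    def handle_reregister(self, user: str, via: str) -> str:
        """Steps 304/404: match -> success; mismatch -> 401 re-authentication."""
        return "200 OK" if self._matches(user, via) else "401 Challenge"

    def handle_non_registration(self, user: str, via: str) -> str:
        """Step 503: match -> continue service logic; mismatch -> 403 Forbidden."""
        return "continue" if self._matches(user, via) else "403 Forbidden"


def demo() -> Dict[str, str]:
    """Constructed scenario: a terminal registers from 10.0.0.5, then sends later
    requests first from the same and then from a different source address."""
    user = "sip:alice@example.com"                       # constructed identity
    ue_via = "SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776"  # constructed Via
    scscf = SCSCF()
    scscf.on_auth_success(user, pcscf_annotate_via(ue_via, "10.0.0.5"))
    same = pcscf_annotate_via(ue_via, "10.0.0.5")        # no 'received' added
    moved = pcscf_annotate_via(ue_via, "192.0.2.10")     # sent-by != packet source
    return {
        "reregister_same": scscf.handle_reregister(user, same),
        "reregister_moved": scscf.handle_reregister(user, moved),
        "invite_same": scscf.handle_non_registration(user, same),
        "invite_moved": scscf.handle_non_registration(user, moved),
        "unknown_user": scscf.handle_non_registration("sip:bob@example.com", same),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Because the S-CSCF compares the binding as a whole, a terminal whose initial registration was stored with a "received" value cannot later match by merely sending from the "sent-by" address, and vice versa; either change of observed source leads to re-authentication on REGISTER and to 403 on other requests, which is the behaviour steps 404 and 503 describe.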
If HTTP Digest authentication is used in the IMS network, the user terminal initiates the initial registration request using the HTTP Digest authentication method; the authentication procedure for its initial registration is basically the same as for IMS AKA and is not repeated here.
If NBA authentication is used in the IMS network, the authentication procedure for initial registration is as follows, as shown in FIG. 6:
Step 601: The user terminal initiates an initial registration request according to the NBA authentication method; the registration request indicates that the terminal supports the IP-address-based authentication method.
Steps 602 to 603 are the same as steps 202 to 203.
Step 604: The S-CSCF receives the registration request forwarded by the I-CSCF. If the registration request contains the indication that the terminal supports the IP-address-based authentication method, the S-CSCF considers the terminal to support that method. The S-CSCF compares the user authentication information (user location information) obtained by querying the HSS with the location information in the user's registration request; if the comparison passes, it stores the IP address from the user's registration message and then returns a registration success response.
Step 605: The I-CSCF forwards the registration success response.
Step 606: After receiving the registration success response, the P-CSCF forwards it to the user terminal.
When Digest or NBA authentication is used in the IMS network, the procedure for a user terminal initiating a re-registration request is the same as with IMS AKA and is not repeated here.
The networks in which the present invention is implemented include, but are not limited to, packet networks such as IP Multimedia Subsystem (IMS) networks, Next Generation Network (NGN) and the Internet; the signalling implemented includes, but is not limited to, the Session Initiation Protocol (SIP), the Hypertext Transfer Protocol (HTTP) and so on; the methods by which the network authenticates the terminal include, but are not limited to, IMS AKA, HTTP Digest and other authentication methods; the secure channel established between the terminal and the network access control entity includes, but is not limited to, an IPSec secure channel, a Transport Layer Security (TLS) channel and so on, or there may be no secure channel at all.
In summary, the above is merely a preferred embodiment of the present invention and is not intended to limit its scope of protection. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims

1、 一种用户终端的鉴权方法, 其特征在于, 该方法包括以下步驟: 接收用户终端发送的请求消息, 比较请求消息中携带的用户终端的 地址信息和保存的用户终端的地址信息是否匹配, 如果匹配, 用户终端 鉴权通过。  A method for authenticating a user terminal, the method comprising the steps of: receiving a request message sent by a user terminal, and comparing whether address information of the user terminal carried in the request message and the stored address information of the user terminal match If it matches, the user terminal is authenticated.
2、 根据权利要求 1 所述的方法, 其特征在于, 所述请求消息中携 ,带的用户终端的地址信息和保存的用户终端的地址信息均为用户终端 的 IP地址, 如果所述请求消息中携带的 IP地址和所述请求消息接收的 源 IP地址不同, 则将所述请求消息接收的源 IP地址也保存于请求消息 中。  The method according to claim 1, wherein the address information of the user terminal carried in the request message and the stored address information of the user terminal are both IP addresses of the user terminal, if the request message The IP address carried in the request is different from the source IP address received by the request message, and the source IP address received by the request message is also saved in the request message.
3、 #居权利要求 2所述的方法, 其特征在于, 所述比较请求消息 中携带的用户终端的地址信息和保存的用户终端的地址信息是否匹配 的步骤包括. - 当所述请求消息中携带的用户终端的 IP地址与所述请求消息接收 的源 IP地址相同时, 比较请求消息中携带的用户终端的 IP地址与保存 的 IP地址是否相同;  The method of claim 2, wherein the step of matching the address information of the user terminal carried in the comparison request message with the stored address information of the user terminal comprises: - in the request message When the IP address of the user terminal is the same as the source IP address received by the request message, the IP address of the user terminal carried in the request message is the same as the saved IP address.
当所述请求消息中携带的用户终端的 IP地址与所述请求消息接收 的源 IP地址不同时, 比较请求消息中携带的用户终端的 IP地址和所述 请求消息接收的源 IP地址与保存的用户终端的 IP地址和所述请求消息 接收的源 IP地址是否相同。  When the IP address of the user terminal carried in the request message is different from the source IP address received by the request message, the IP address of the user terminal carried in the request message and the source IP address received by the request message are saved and saved. Whether the IP address of the user terminal and the source IP address received by the request message are the same.
4、 才 据权利要求 1所述的方法, 其特征在于, 该方法进一步包括, 如果地址信息不匹配, 则向用户终端发起重鉴权, 或者返回鉴权失败响 应。  4. The method according to claim 1, wherein the method further comprises: if the address information does not match, initiating re-authentication to the user terminal, or returning an authentication failure response.
5、 才艮据权利要求 4所述的方法, 其特征在于, 进一步包括, 在重 鉴权通过后, 刷新用户终端的地址信息。 5. The method of claim 4, further comprising: After the authentication is passed, the address information of the user terminal is refreshed.
6、根据权利要求 1所述的方法, 其特征在于, 所述保存的地址信息 是在用户终端初始鉴权通过时保存的。  The method according to claim 1, wherein the saved address information is saved when the initial authentication of the user terminal is passed.
7、 ^^据权利要求 1 所述的方法, 其特征在于, 在比较请求消息中 携带的用户终端的地址信息和保存的用户终端的地址信息是否匹配之 前, 该方法进一步包括:  The method according to claim 1, wherein the method further comprises: before comparing the address information of the user terminal carried in the request message with the stored address information of the user terminal, the method further comprising:
判断用户终端是否支持基于用户终端地址信息的鉴权方法, 如果用 户终端支持基于用户终端地址信息的鉴权方法, 则比较请求消息中携带 的用户终端的地址信息和保存的用户终端的地址信息是否匹配。  Determining whether the user terminal supports the authentication method based on the user terminal address information. If the user terminal supports the authentication method based on the user terminal address information, compares the address information of the user terminal carried in the request message with the saved address information of the user terminal. match.
8、 根据权利要求 1 所述的方法, 其特征在于, 所述鉴权方法可应 用于: IMS 鉴权和密钥协定 (IMS AKA , IP Multimedia Subsystem Authentication and key agreement )、 HTTP Digest或 NBA鉴权方式。  8. The method according to claim 1, wherein the authentication method is applicable to: IMS authentication and key agreement (IMS AKA, IP Multimedia Subsystem Authentication and key agreement), HTTP Digest or NBA authentication the way.
9、 一种用户终端鉴权系统, 其特征在于, 包括: 网络接入控制实 体、 注册鉴权控制实体;  A user terminal authentication system, comprising: a network access control entity and a registration authentication control entity;
网络接入控制实体用于接收用户终端的请求消息, 在请求消息中携 带用户终端的地址信息, 将携带用户终端地址信息的请求消息发送给注 册鉴权控制实体;  The network access control entity is configured to receive the request message of the user terminal, and carry the address information of the user terminal in the request message, and send the request message carrying the user terminal address information to the registration authentication control entity;
注册鉴权控制实体保存有用户终端的地址信息, 从网络接入控制实 体接收所述奇求消息, 比较请求消息中携带的用户终端的地址信息与保 存的用户终端的地址信息是否匹配, 如果匹配, 则判断用户终端鉴权通 过。  The registration authentication control entity stores the address information of the user terminal, and receives the odd message from the network access control entity, and compares whether the address information of the user terminal carried in the request message matches the stored address information of the user terminal, if it matches Then, the user terminal is judged to pass the authentication.
10、 根据权利要求 9所述的系统, 其特征在于, 所述的地址信息为 用户终端的 IP地址,所述网絡接入控制实体进一步用于比较请求消息中 携带的 IP地址和所述请求消息接收的源 IP地址不同, 则将所述请求消 息接收的源 IP地址也保存于请求消息中; 所述注册鉴权控制实体进一步用于: 当所述请求消息中携.带的用户 终端的 IP地址与所述请求消息接收的源 IP地址相同时, 比较请求消息 中携带的用户终端的 IP地址与保存的 IP地址是否相同; The system according to claim 9, wherein the address information is an IP address of the user terminal, and the network access control entity is further configured to compare the IP address carried in the request message with the request message. If the source IP address is different, the source IP address received by the request message is also saved in the request message. The registration authentication control entity is further configured to compare the IP address of the user terminal carried in the request message when the IP address of the user terminal carried in the request message is the same as the source IP address received by the request message. Is it the same as the saved IP address;
当所述请求消息中携带的用户终端的 IP地址与所述请求消息接收 的源 IP地址不同时, 比较请求消息中携带的用户终端的 IP地址和所述 倩求消息接收的源 IP地址与保存的用户终端的 IP地址和所述请求消息 接收的源 IP地址是否相同。  When the IP address of the user terminal carried in the request message is different from the source IP address received by the request message, the IP address of the user terminal carried in the request message and the source IP address received by the request message are saved and saved. Whether the IP address of the user terminal and the source IP address received by the request message are the same.
11、 根据权利要求 9所迷的系统, 其特征在于, 所述的注册鉴权控 制实体进一步用于在用户终端鉴权失败后, 发起重鉴权, 并在重鉴权通 过后, 刷新保存的用户终端的地址信息。  The system according to claim 9, wherein the registration authentication control entity is further configured to initiate a re-authentication after the user terminal fails to authenticate, and refresh the saved after the re-authentication is passed. Address information of the user terminal.
12、 一种用户终端鉴权系统, 其特征在于, 包括: 网络接入控制实 体、 注册鉴权控制实体, 会话控制实体; 其中,  12. A user terminal authentication system, comprising: a network access control entity, a registration authentication control entity, and a session control entity; wherein
注册鉴权控制实体保存有用户终端的地址信息;  The registration authentication control entity stores the address information of the user terminal;
网络接入控制实体用于接收用户终端的请求消息, 在请求消息中携 带用户终端的地址信息, 将携带用户终端地址信息的请求消息发送给会 话控制实体;  The network access control entity is configured to receive the request message of the user terminal, and carry the address information of the user terminal in the request message, and send the request message carrying the user terminal address information to the session control entity;
会话控制实体用于接收网络接入控制实体发送的携带用户终端地 址信息的请求消息, 并从注册鉴权控制实体获取保存的用户终端的地址 信息, 比较请求消息中的地址信息与保存的地址信息是否匹配, 如果匹 配, 则判断用户终端鉴权通过。  The session control entity is configured to receive a request message that carries the user terminal address information sent by the network access control entity, obtain the saved address information of the user terminal from the registration authentication control entity, and compare the address information and the saved address information in the request message. Whether it matches, if it matches, it determines that the user terminal is authenticated.
13、 根据权利要求 12 所述的系统, 其特征在于, 所述的地址信息 为用户终端的 IP地址,所述网络接入控制实体进一步用于比较请求消息 中携带的 IP地址和所述请求消息接收的源 IP地址不同, 则将所述请求 消息接收的源 IP地址也保存于请求消息中;  The system according to claim 12, wherein the address information is an IP address of the user terminal, and the network access control entity is further configured to compare the IP address carried in the request message with the request message. If the source IP address is different, the source IP address received by the request message is also saved in the request message.
所述会话控制实体进一步用于: 当所述请求消息中携带的用户终端 的 IP地址与所述请求消息接收的源 IP地址相同时, 比较倚求消息中携 带的用户终端的 IP地址与保存的 IP地址是否相同; The session control entity is further configured to: when the user terminal carried in the request message When the IP address is the same as the source IP address received by the request message, the IP address of the user terminal carried in the message is the same as the saved IP address.
当所述请求消息中携带的用户终端的 IP地址与所述请求消息接收 的源 IP地址不同时, 比较请求消息中携带的用户终端的 IP地址和所述 请求消息接收的源 IP地址与保存的用户终端的 IP地址和所述请求消息 接收的源 IP地址是否相同。  When the IP address of the user terminal carried in the request message is different from the source IP address received by the request message, the IP address of the user terminal carried in the request message and the source IP address received by the request message are saved and saved. Whether the IP address of the user terminal and the source IP address received by the request message are the same.
14. The system according to claim 12, wherein the registration authentication control entity is further configured to initiate re-authentication after the user terminal fails authentication and, after the re-authentication passes, to refresh the stored address information of the user terminal.
15. A registration authentication control entity, configured to store address information of a user terminal, receive a request message from the user terminal, compare whether the address information of the user terminal carried in the request message matches the stored address information of the user terminal, and, if they match, determine that the user terminal passes authentication.
16. The registration authentication control entity according to claim 15, wherein the address information is an IP address of the user terminal, and the registration authentication control entity is further configured to: when the IP address of the user terminal carried in the request message is the same as the source IP address from which the request message was received, compare whether the IP address of the user terminal carried in the request message is the same as the stored IP address; and
when the IP address of the user terminal carried in the request message differs from the source IP address from which the request message was received, compare whether the IP address of the user terminal carried in the request message together with the source IP address from which the request message was received are the same as the stored IP address of the user terminal together with the stored source IP address from which the request message was received.
17. The registration authentication control entity according to claim 15, further configured to initiate re-authentication after the user terminal fails authentication and, after the re-authentication passes, to refresh the stored address information of the user terminal.
18. A session control entity, configured to receive a request message carrying address information of a user terminal, obtain the stored address information of the user terminal, compare whether the address information in the request message matches the stored address information, and, if they match, determine that the user terminal passes authentication.
19. The session control entity according to claim 18, wherein the address information is an IP address of the user terminal, and the session control entity is further configured to: when the IP address of the user terminal carried in the request message is the same as the source IP address from which the request message was received, compare whether the IP address of the user terminal carried in the request message is the same as the stored IP address; and
when the IP address of the user terminal carried in the request message differs from the source IP address from which the request message was received, compare whether the IP address of the user terminal carried in the request message together with the source IP address from which the request message was received are the same as the stored IP address of the user terminal together with the stored source IP address from which the request message was received.
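The address comparison that claims 15 to 19 describe, together with the re-authentication fallback of claims 14 and 17, as an added Python example; it is not part of the patent text and not Huawei's implementation. It assumes the control entity records both the IP address the terminal reported and the packet source IP address at registration time (the "stored IP address" and "stored source IP address" of claims 16 and 19), and it treats the re-authentication step as an injected callback because the patent does not specify the mechanism. The class, function and field names, the user identifiers and the IP addresses are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class StoredAddress:
    """Address information the control entity keeps for a registered terminal (assumed layout).

    terminal_ip: the IP address the terminal itself reported at registration
    source_ip:   the source IP address of the packet that carried the registration
    """
    terminal_ip: str
    source_ip: str


@dataclass(frozen=True)
class RequestMessage:
    """The two addresses the entity sees on an incoming request (hypothetical shape)."""
    terminal_ip: str  # IP address of the terminal carried inside the message
    source_ip: str    # source IP address the message was actually received from


def address_matches(req: RequestMessage, stored: StoredAddress) -> bool:
    """Two-branch comparison of claims 16 and 19 (shared by both entity types)."""
    if req.terminal_ip == req.source_ip:
        # Carried IP equals the packet source: the carried IP alone is compared with the stored IP.
        return req.terminal_ip == stored.terminal_ip
    # Carried IP differs from the packet source (e.g. an address translator in the path):
    # both the carried IP and the source IP must equal the stored pair.
    return req.terminal_ip == stored.terminal_ip and req.source_ip == stored.source_ip


# Re-authentication hook: (user_id, request) -> passed. The patent leaves the mechanism
# unspecified; a real entity would run its normal credential-based authentication here.
ReauthFn = Callable[[str, RequestMessage], bool]


class RegistrationAuthControlEntity:
    """Registration authentication control entity of claims 15 to 17 (illustrative sketch)."""

    def __init__(self, reauthenticate: ReauthFn) -> None:
        self._addresses: Dict[str, StoredAddress] = {}
        self._reauthenticate = reauthenticate

    def register(self, user_id: str, req: RequestMessage) -> None:
        """Save the address pair observed when the terminal registered (claim 15)."""
        self._addresses[user_id] = StoredAddress(req.terminal_ip, req.source_ip)

    def stored(self, user_id: str) -> Optional[StoredAddress]:
        """Return the saved address information for a user, if any."""
        return self._addresses.get(user_id)

    def authenticate(self, user_id: str, req: RequestMessage) -> bool:
        """Claim 15 match check, with the claim 17 re-authentication fallback."""
        stored = self._addresses.get(user_id)
        if stored is not None and address_matches(req, stored):
            return True
        # Address check failed: initiate re-authentication; on success refresh the
        # stored address information with what this request carried.
        if self._reauthenticate(user_id, req):
            self._addresses[user_id] = StoredAddress(req.terminal_ip, req.source_ip)
            return True
        return False


if __name__ == "__main__":
    # Constructed sample values; re-authentication is stubbed to always fail here.
    entity = RegistrationAuthControlEntity(reauthenticate=lambda uid, r: False)
    entity.register("alice", RequestMessage("10.0.0.5", "10.0.0.5"))
    entity.register("bob", RequestMessage("192.168.1.10", "203.0.113.7"))  # behind a translator
    print(entity.authenticate("alice", RequestMessage("10.0.0.5", "10.0.0.5")))        # True
    print(entity.authenticate("bob", RequestMessage("192.168.1.10", "203.0.113.7")))   # True
    print(entity.authenticate("bob", RequestMessage("192.168.1.10", "198.51.100.9")))  # False
```

The point of the two branches is visible in the `bob` case: once the carried address and the packet source differ, a later request is only accepted when both addresses equal the pair recorded at registration, so the entity has to capture the source address at registration rather than only the address the terminal reports. A session control entity (claims 18 and 19) would reuse `address_matches` unchanged against address information it obtains from the registration entity.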
PCT/CN2007/000234 2006-03-02 2007-01-22 A method, system and apparatus for user terminal authentication WO2007098669A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200610034080.8 2006-03-02
CN2006100340808A CN101030853B (en) 2006-03-02 2006-03-02 Method for authenticating user terminal

Publications (1)

Publication Number Publication Date
WO2007098669A1 true WO2007098669A1 (en) 2007-09-07

Family

ID=38458650

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2007/000234 WO2007098669A1 (en) 2006-03-02 2007-01-22 A method, system and apparatus for user terminal authentication

Country Status (2)

Country Link
CN (1) CN101030853B (en)
WO (1) WO2007098669A1 (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101184008B (en) * 2007-12-14 2010-06-09 北京中星微电子有限公司 Remote information access method and device
CN101997828B (en) * 2009-08-28 2014-10-08 中国移动通信集团公司 Method, device and network for network re-registration of Internet protocol multimedia subsystem (IMS)
CN104243422A (en) * 2013-06-19 2014-12-24 中兴通讯股份有限公司 Login implement method for user terminal to have access to IMS network and IMS
CN108243403B (en) * 2016-12-26 2021-01-01 中国移动通信集团河南有限公司 Method for controlling VoLTE user to register S-CSCF and I-CSCF network element
CN108811012A (en) * 2018-06-01 2018-11-13 中国联合网络通信集团有限公司 Audio communication method, IMS network and terminal

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002098062A1 (en) * 2001-05-24 2002-12-05 British Telecommunications Public Limited Company Method for providing network access to a mobile terminal and corresponding network
US20030159067A1 (en) * 2002-02-21 2003-08-21 Nokia Corporation Method and apparatus for granting access by a portable phone to multimedia services
CN1650659A (en) * 2002-08-16 2005-08-03 西门子公司 Method for identifying communications terminal device
CN1802016A (en) * 2005-06-21 2006-07-12 华为技术有限公司 Method for carrying out authentication on user terminal

Also Published As

Publication number Publication date
CN101030853B (en) 2010-04-14
CN101030853A (en) 2007-09-05

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase
Ref country code: DE
122 Ep: pct application non-entry in european phase
Ref document number: 07702164
Country of ref document: EP
Kind code of ref document: A1