A Next Generation Network (NGN) as well as a mobile network may generally be divided into an access network and a service network. A user may access to an IP network via the access network provided an access network operator, and then enjoy different services such as voice, video, stream media, etc., through service networks provided one or multiple service network operators.
When the access network and the service network belong to different operators, authentications of the user in the access network and the service network are independent. In such a scenario, the user needs two types of authentications before enjoying the service. One authentication is in the access layer; after the authentication in the access layer succeeds, the user is able to access to the NGN network. The other authentication is in the service layer; and after the authentication in the service layer succeeds, the user is able to enjoy the services provided by the service network.
When the service network and the access network belong to the same operator, or when there exists cooperation between the access network operator and the service network operator, the service network operator may bind the authentication in the service layer with that in the access layer under some networking scenarios. In other words, the user is regarded to be legal after the authentication in the access layer succeeds, and the authentication in the service layer is no longer required.
In the IMS access layer, an Authentication and Key Agreement (AKA) scheme is usually employed for the authentication of the UE in the IMS service layer.
Referring to FIG. 1, the IMS AKA scheme includes:
Block s101: a User Equipment (UE) sends a Register message to a Proxy-Call Session Control Function (P-CSCF).
Block s102: The P-CSCF, acting as a Session Initial Protocol (SIP) proxy server, forwards the Register message of the UE to an Interrogating-CSCF (I-CSCF).
Block s103: The I-CSCF interacts with a Home Subscriber Server (HSS) through a Cx-Selection-Info message to select a corresponding Service-CSCF (S-CSCF), i.e., the I-CSCF sends a request to the HSS to search a user profile in the HSS to select the S-CSCF for processing the Register message.
Block s104: The I-CSCF forwards the Register message of the UE to the S-CSCF selected in the Block s103.
Block s105: The S-CSCF sends a Cx-Put message to the HSS to update S-CSCF indication information in the HSS and notify the HSS that it has been assigned to serve this user.
Block s106: The S-CSCF sends an AV-Req message to the HSS requesting an authentication vector of the user.
Block s107: The HSS returns an AV-Req-Resp message to the S-CSCF carrying the authentication vector of the user.
Block s108: The S-CSCF determines that the UE needs to be authenticated according to the authentication vector received in Block s107 and the Register message of the UE, then the S-CSCF sends a 4xx Auth_Challenge message containing authentication-relevant information indicating that the UE needs to be authenticated to the I-CSCF. The 4xx denotes a kind of error and the xx stands for a number within 00˜99.
Block s109: The I-CSCF forwards the 4xx Auth_Challenge message to the P-CSCF.
Block s110: The P-CSCF forwards the 4xx Auth_Challenge message to the UE.
Block s111: after receiving the 4xx Auth_Challenge message, the UE sends another Register message to the P-CSCF, at this time, the Register message carries an authentication parameter.
Block s112: The P-CSCF forwards the Register message of the UE to the I-CSCF.
Block s113: after receiving the Register message, the I-CSCF sends a Cx-Query message to the HSS to determine the S-CSCF for processing the Register message, i.e., the I-CSCF queries the HSS about the S-CSCF which has been assigned to serve this user. The HSS returns the S-CSCF name which was previously selected to the I-CSCF according to the S-CSCF indication information stored in the HSS.
Block s114: The I-CSCF forwards the Register message to the S-CSCF determined in the Block s113.
Block s115: The S-CSCF sends a Cx-Put message to the HSS to update the S-CSCF indication information in the HSS and notify the HSS that it has been assigned to serve this user.
Block s116: The S-CSCF downloads a user profile from the HSS through a Cx-Pull message.
Block s117: The S-CSCF authenticates the UE according to the user profile and the authentication parameter in the Register message of the UE. If the authentication succeeds, the S-CSCF sends a 2xx Auth_OK message to the I-CSCF indicating that the registration succeeds, wherein the 2xx indicates that the message is success relevant, and the xx is a number within 00˜99. If the authentication fails, the S-CSCF sends an authentication failure message indicating that the authentication is failed to the I-CSCF.
Block s118: if the authentication succeeds, the I-CSCF forwards the 2xx Auth_OK message to the P-CSCF. If the authentication fails, the I-CSCF forwards the authentication failure message to the P-CSCF.
Block s119: if the authentication succeeds, the P-CSCF forwards the 2xx Auth_OK message to the UE. If the authentication fails, the P-CSCF forwards the authentication failure message to the UE.
France Telecom has put forward a Network Attach Sub System (NASS) Bundled Authentication (NBA) scheme to implement IMS-NASS bundled authentication at the Telecommunications and Internet Converged Services and Protocols for Advanced Networking (TISPAN) #6bis. In the NBA scheme, a Connection Location Function (CLF) in the NASS holds a bundled indication and a corresponding relationship between an IP address of the UE and association information of the UE in the access network. Each connection of the user holds one piece of association information.
Referring to FIG. 2, the NBA scheme includes:
Block s201: The UE sends a Register message to the P-CSCF.
Block s202: The P-CSCF queries the CLF about NASS attachment information of the UE according to a source IP address of the Register message, wherein the NASS attachment information contains the association information of the UE and the bundled indication.
Block s203: The P-CSCF compares the association information and an IP Multimedia Private Identity (IMPI) in an authentication header of the Register message. If the association information is consistent with the IMPI, it means that the authentication in the IMS service layer succeeds, proceed to Block s205; otherwise, it means that the authentication in the IMS service layer is failed, proceed to Block s204 to send a 403 Forbidden to the UE.
Block s205: The P-CSCF forwards the Register message carrying an indicator indicating whether the authentication succeeds to the I-CSCF.
Block s206: The I-CSCF interacts with the HSS through a Cx-Selection-Info message to select a corresponding S-CSCF, i.e., the I-CSCF sends a request to the HSS to search the user profile in the HSS to select the S-CSCF for processing the Register message.
Block s207: The I-CSCF forwards the Register message to the S-CSCF selected in the Block s206.
Block s208: after confirming that the user has successfully registered, without requesting the HSS for the authentication vector of the user, the S-CSCF sends a Cx-Put message to the HSS to update the S-CSCF indication information in the HSS and notify the HSS that it has been assigned to serve this user, and downloads the user profile from the HSS through a Cx-Pull message.
Block s209: The S-CSCF returns a 2xx Auth_OK message to the I-CSCF indicating that the authentication succeeds.
Block s210: The I-CSCF forwards the 2xx Auth_OK message to the P-CSCF.
Block s211: The P-CSCF forwards the 2xx Auth_OK message to the UE.
In the above scheme, the IMPI contained in the Register message is required to be consistent with the association information, i.e., the IMPI in the service layer and the association information in the access layer are the same identity. However, the service network operator is usually not the same with the access network operator. Thus the requirement of using the same identity for the service network operator and the access network operator restricts the flexibility of network applications. Moreover, it is unreasonable that the bundled indication is saved in the NASS. The reasonable method should be that the bundled indication is saved in the service layer (e.g., the HSS), while the access layer is only responsible for providing relevant information. Further, it is also unreasonable for the P-CSCF to implement the authentication. It may be more reasonable that the S-CSCF in a home network implements the authentication in the service layer, and the P-CSCF only provides relevant information of the authentication.
Further, when the state of the user changes, e.g., the user may employ different terminals when in different locations, the authentication adopting the IMS authentication bundled with NASS, which is configured as a default authentication mechanism, will fail. Thus the quality of service is decreased. Therefore, a second authentication mechanism pre-configured in the HSS is required to authenticate the user. However, there are no such solutions in the related art.