The present invention relates generally to communication networks and, more particularly, to delivering services via communication networks.
The Internet Protocol (IP) Multimedia Subsystem (IMS) is a standard that has been developed to define the control and integration of multimedia services in a core, packet-switched network. In particular, the IMS architecture defines a set of logical functions that use a signaling protocol known as the session initiation protocol (SIP) to establish communication sessions in an IP network. A “session” may be, for example, a one-to-one voice call or a more complex interaction, such as a one-to-many conference call involving multimedia services. SIP may also be used to facilitate voice over IP (VoIP) services, in which voice is transported in IP data packets that are re-assembled and converted into an audio signal for the recipient. IMS may be characterized as a standardized way to connect IP devices and networks using SIP.
Referring to FIG. 1, an exemplary communication network 100 includes an IMS network 105 that is coupled to packet switching network(s) 110 and circuit switched network(s) 120, which may provide connectivity to the IMS network 105 for devices 10, 20, such as cell phones, WiFi-equipped computing devices, conventional telephones, modems, and other devices. A device may connect to the IMS network 105 using any of a number of different interfaces, generally depending on the nature of the device. The devices 10, 20 may include IP devices that are capable of communicating via SIP.
The IMS network 105 includes apparatus configured to provide a variety of different functions linked by standardized interfaces. Generally, functions of the IMS network 105 include a bundle of SIP server or proxy functions, collectively referred to as the Call Session Control Function (CSCF), which process SIP signaling packets in the IMS network 105. Functions of the CSCF may include: registration of devices with the IMS network 105; routing and inspection of signaling messages; authentication of users and establishment of security associations; compression, decompression and other signal processing functions; authorization of resources; policy enforcement; bandwidth management; and generation of charging records. These functions may be apportioned among several call session control function proxies or servers, such as a Proxy-CSCF (P-CSCF) 130, an Interrogating-CSCF (I-CSCF) and a Serving-CSCF (S-CSCF), together with related functions and gateways such as the Media Gateway Control Function (MGCF) 150.
The P-CSCF 130 may be configured as a SIP proxy to function as an interface to the IMS network 105 for IP terminals/devices 10, 20. The P-CSCF 130 may enable the registration of IP terminals/devices and the routing of SIP and/or HTTP signaling messages between the devices 10, 20 and service providers, such as the SIP Service Provider 170. The P-CSCF 130 may communicate with devices 10 via the packet network(s) 110 and may communicate with devices 20 via MGCF 150, a media gateway 180, and circuit switched network(s) 120. The MGCF 150 may enable SIP signaling to inter-work with other types of signaling used by the media gateway 180. Thus, the combination of the MGCF 150 and the media gateway 180 may provide an interface between the SIP signaling used in the IMS network 105 and the signaling used in the circuit switched network(s) 120.
A Home Subscriber Server (HSS) database 190 may maintain a service profile and other information for each end-user and associated IP terminal/device that has registered with the IMS network 105. The profile and other information may include, but is not limited to, IP address information, roaming information, and/or telephony services information.
The devices 10 and/or 20 may desire to access a Web or browser based service. A Web Service is a reusable piece of software that interacts by exchanging messages over a network. Commonly, Web Services use Simple Object Access Protocol (SOAP), a protocol for exchanging XML-based messages. A common messaging pattern in SOAP is the Remote Procedure Call (RPC) pattern, in which a Web Service requester sends a request message to a Web Service Provider, and the Web Service Provider sends a response message that provides the requested service, for example, the result of applying a particular procedure based on parameters passed in the Web Service request.
Generally, it is desirable that a Web Service have some type of authentication capability, such that unauthorized access to the service may be prevented. A variety of different authentication techniques may be used for Web Services, including transmission of credentials to the Web Service Provider with or without encryption, digest techniques in which credentials may be hashed on the client and server and the results compared, and third party certificate approaches wherein a user requests and installs a certificate from a trusted third party (e.g., Verisign, Entrust, etc.), and the Web Service Provider can query the third party to verify credentials as required.
IMS allows devices to authenticate within the SIP domain using the HTTP Digest Authentication and Key Agreement (AKA) protocol. This device-level authentication may be extended to the Web (HTTP) domain via the Generic Authentication Architecture (GAA) and the Generic Bootstrapping Architecture (GBA), which are described in 3GPP Technical Specifications TS 33.919 and TS 33.220, respectively.
FIG. 2 illustrates a network employing a conventional GBA. The network includes a Bootstrapping Server Function (BSF) 220, a Network Application Function (NAF) 230, and a Home Subscriber Server (HSS) 240. User Equipment (UE) 210 is configured to communicate with these components. The UE 210 may include the hardware and/or software to support the HTTP Digest AKA protocol and any communication protocols that are used for communicating with the various NAFs in the network. The UE 210 may contain a Universal Integrated Circuit Card (UICC), which holds the credentials, software and data for authenticating the UE 210 in an IMS network, so that the UE establishes an IMS Public Identity (IMPU) that is registered in the HSS 240.
The BSF 220 may be included in a network element that is managed by a network operator. The BSF 220, HSS 240, and UE 210 participate in the GBA bootstrapping procedure, which establishes shared key material between the UE 210 and the network. For example, the BSF 220 may authenticate the UE 210 using the AKA protocol. The key material established during this device authentication procedure can then be used by the UE 210 when accessing the NAF 230. The BSF 220 may restrict the lifetime of the key material and may also restrict the applicability of the key material to particular NAFs by using a key derivation procedure, so that each NAF receives a NAF-specific key rather than the bootstrapped key itself.
The NAF 230 may provide one or more services to the UE 210 and may also communicate securely with the BSF 220. A NAF may also be referred to as an Application Server (AS). The HSS 240 maintains a service profile and other information for each UE that has registered with the network. The profile and other information may include, but is not limited to, IP address information, roaming information, and/or telephony services information.
The interface Ua specifies the application protocol between the UE 210 and the NAF 230, which is secured using the shared key material obtained from running the AKA protocol to authenticate the UE 210. The interface Ub specifies the protocol that mutually authenticates the UE 210 and the BSF 220; the 3GPP AKA protocol may be used for this authentication. The interface Zn specifies the protocol used by the NAF 230 to obtain from the BSF 220 the key material agreed between the UE 210 and the BSF 220 when the UE 210 was authenticated, together with authenticated identity information associated with the user of the UE 210. The interface Zh specifies the protocol that the BSF 220 and HSS 240 use to communicate authentication information for the UE 210.
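To make the roles of Ub, Zn and Ua concrete, the following Python sketch is added here; it is not code from the original text or from any 3GPP implementation. It walks one UE through bootstrapping with a BSF and then authenticating to two NAFs. The AKA f-functions are replaced by HMAC stand-ins (an assumption; a real UICC runs Milenage, and real Ub carries RES inside HTTP Digest AKA rather than as a raw value). The NAF-specific derivation Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id) follows the FC || P0 || L0 || P1 || L1 ... layout of TS 33.220 Annex B, and Ua uses HTTP Digest with the B-TID as username and base64(Ks_NAF) as password, as TS 24.109 does. The identities, FQDNs, the long-term key and the value of the 5-octet Ua security protocol identifier are constructed placeholders.

```python
import base64, hashlib, hmac, os

BSF_FQDN = "bsf.example.net"                # constructed
UA_PROTO_ID = bytes.fromhex("0100000002")   # 5-octet Ua security protocol id (placeholder value)
b64 = lambda data: base64.b64encode(data).decode()


def aka_res(k, rand):
    """Stand-in for AKA f2 (RES); a real UICC runs Milenage (assumption)."""
    return hmac.new(k, b"RES" + rand, hashlib.sha256).digest()[:16]


def aka_ks(k, rand):
    """Stand-in for AKA f3/f4: Ks = CK || IK, 32 octets (assumption)."""
    ck = hmac.new(k, b"CK" + rand, hashlib.sha256).digest()[:16]
    ik = hmac.new(k, b"IK" + rand, hashlib.sha256).digest()[:16]
    return ck + ik


def kdf(key, fc, *params):
    """TS 33.220 Annex B layout: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...)."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def naf_id(fqdn):
    return fqdn.encode() + UA_PROTO_ID      # NAF_Id = NAF FQDN || Ua protocol id


def derive_ks_naf(ks, rand, impi, nafid):
    return kdf(ks, 0x01, b"gba-me", rand, impi.encode(), nafid)


def http_digest(user, pw, realm, method, uri, nonce):
    """RFC 2617 Digest response without qop: H(H(A1):nonce:H(A2))."""
    h = lambda s: hashlib.md5(s.encode()).hexdigest()
    return h(f"{h(f'{user}:{realm}:{pw}')}:{nonce}:{h(f'{method}:{uri}')}")


class BSF:
    """Operator-side bootstrapping server; k stands in for the Zh fetch from the HSS."""
    def __init__(self, k, authorized_nafs, lifetime=3600):
        self.k, self.authorized, self.lifetime = k, set(authorized_nafs), lifetime
        self.pending, self.sessions = {}, {}   # IMPI -> RAND; B-TID -> (Ks, RAND, IMPI, expiry)

    def challenge(self, impi):
        self.pending[impi] = os.urandom(16)
        return self.pending[impi]

    def bootstrap(self, impi, res, now):
        """Ub completion: verify RES, then bind Ks to a fresh B-TID with a lifetime."""
        rand = self.pending.pop(impi)
        if not hmac.compare_digest(aka_res(self.k, rand), res):
            raise PermissionError("AKA RES mismatch")
        btid = f"{b64(rand)}@{BSF_FQDN}"
        self.sessions[btid] = (aka_ks(self.k, rand), rand, impi, now + self.lifetime)
        return btid

    def zn(self, naf_fqdn, btid, now):
        """Zn: release only the key scoped to the requesting NAF, and only while unexpired."""
        if naf_fqdn not in self.authorized:
            raise PermissionError("NAF not authorized on Zn")
        ks, rand, impi, expiry = self.sessions[btid]
        if now >= expiry:
            raise PermissionError("bootstrapped key expired")
        return derive_ks_naf(ks, rand, impi, naf_id(naf_fqdn)), impi


class UE:
    def __init__(self, k, impi):
        self.k, self.impi = k, impi
        self.ks = self.rand = self.btid = None

    def bootstrap(self, bsf, now):
        self.rand = bsf.challenge(self.impi)
        self.ks = aka_ks(self.k, self.rand)                  # UICC side computes CK, IK
        self.btid = bsf.bootstrap(self.impi, aka_res(self.k, self.rand), now)
        return self.btid

    def ua_authorization(self, naf_fqdn, method, uri, nonce):
        """Ua: HTTP Digest with username = B-TID and password = base64(Ks_NAF)."""
        key = derive_ks_naf(self.ks, self.rand, self.impi, naf_id(naf_fqdn))
        realm = f"3GPP-bootstrapping@{naf_fqdn}"
        return self.btid, http_digest(self.btid, b64(key), realm, method, uri, nonce)


class NAF:
    def __init__(self, fqdn, bsf):
        self.fqdn, self.bsf = fqdn, bsf

    def verify(self, btid, method, uri, nonce, response, now):
        key, _impi = self.bsf.zn(self.fqdn, btid, now)       # Zn fetch, scoped to this NAF
        expected = http_digest(btid, b64(key), f"3GPP-bootstrapping@{self.fqdn}", method, uri, nonce)
        return hmac.compare_digest(expected, response)


def demo(now=1000):
    k = bytes(range(16))                                     # constructed UICC/HSS long-term key
    bsf = BSF(k, {"naf.example.com", "pay.example.com"})
    ue = UE(k, "user@ims.example.net")                       # constructed IMPI
    ue.bootstrap(bsf, now)
    naf_a, naf_b = NAF("naf.example.com", bsf), NAF("pay.example.com", bsf)
    btid, resp = ue.ua_authorization("naf.example.com", "GET", "/svc", "nonce1")
    out = {"accepted": naf_a.verify(btid, "GET", "/svc", "nonce1", resp, now + 5)}
    # A response captured at NAF A is useless at NAF B: Ks_NAF differs per NAF_Id.
    out["replay_at_other_naf"] = naf_b.verify(btid, "GET", "/svc", "nonce1", resp, now + 5)
    out["keys_differ"] = bsf.zn("naf.example.com", btid, now)[0] != bsf.zn("pay.example.com", btid, now)[0]
    for label, fqdn, t in (("expired", "naf.example.com", now + 3600), ("rogue_naf", "rogue.example.org", now)):
        try:
            bsf.zn(fqdn, btid, t)
            out[label] = "released"
        except PermissionError as e:
            out[label] = str(e)
    return out


if __name__ == "__main__":
    print(demo())
```

The two checks that matter for security sit on Zn: the BSF hands out only a key derived for the requesting NAF's own NAF_Id, so a compromised or misbehaving NAF learns nothing usable at another NAF, and it refuses to release anything once the bootstrapped key's lifetime has lapsed, which forces the UE back through Ub.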