Internet Protocol (IP) Multimedia Subsystem (IMS) is a general-purpose, open industry standard for voice and multimedia communications over IP networks. It is a core network technology that serves as a low-level foundation for services such as voice over IP (VoIP), push-to-talk (PTT), video calling, video share, gaming, and other multimedia services.
IMS services enable person-to-person and person-to-content communications in a variety of modes, including voice, text, pictures, video, or any combination thereof. Carriers see benefit in IMS due to increased flexibility to offer new services and lower costs to launch and maintain these services.
The goal of IMS is the convergence of all voice and multimedia communications from both mobile and fixed networks to a single, flexible, packet-based communications system based upon IP technologies. IMS is based primarily upon the session initiation protocol (SIP). IMS allows for easy integration with existing and legacy network systems.
IMS requires security mechanisms for access security and network security. Access security includes authentication of users to the network and protection of network traffic between an IMS terminal (e.g., an IMS-compatible cellular telephone) and the network. Network security includes protection of traffic between network nodes in networks operated by the same or different carriers.
With regard to access security, users are required to be authenticated and authorized prior to accessing any IMS service. After a user is authorized, SIP traffic between their IMS terminal and the IMS is protected by using two IP security (IPsec) security associations. SIP REGISTER messages are used to authenticate and authorize the user and to establish the IPsec security associations. A serving call session control function (S-CSCF) of the IMS retrieves an authentication vector from a home subscriber server (HSS) to authenticate and authorize the user. The proxy-CSCF (P-CSCF) establishes the IPsec security associations with the IMS terminal.
Authentication and authorization in the IMS rely on security mechanisms stored on a circuit card that is inserted into the IMS terminal or integrated into the IMS terminal. In some networks, such as those governed by 3rd Generation Partnership Project (3GPP) specifications, the circuit card is a universal integrated circuit card (UICC). The UICC includes one or more applications that aid in allowing a terminal to communicate with various networks. For example, an IMS application called an IP-Multimedia Services Identity Module (ISIM) allows an IMS terminal to communicate with an IMS. Likewise, a subscriber identity module (SIM) allows a terminal to communicate with a global system for mobile communications (GSM) network, and a universal SIM (USIM) allows a terminal to communicate with a universal mobile telecommunications system (UMTS) network.
In ISIM implementations, the ISIM includes a secret key that is shared with the HSS. The HSS is configured to store the secret key for each ISIM in the network. The S-CSCF uses the Diameter protocol to obtain an authentication vector from the HSS with which to challenge the IMS terminal. The authentication vector includes, among other elements, a challenge and an expected challenge response. If the IMS terminal issues a challenge response that is not the expected challenge response, the S-CSCF considers the authentication to have failed.
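The challenge-response check described above can be modelled as follows; this is an added example, not part of the original text. It assumes HMAC-SHA256 as a stand-in for the algorithms held on the ISIM, models the Diameter and SIP exchanges as direct method calls, and uses hypothetical class names and a constructed identity.

```python
import hashlib
import hmac
import secrets

def _response(key: bytes, challenge: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the card/HSS algorithm set.
    return hmac.new(key, b"res" + challenge, hashlib.sha256).digest()[:16]

class HSS:
    """Holds the secret key of every ISIM and issues authentication vectors."""
    def __init__(self):
        self._keys = {}

    def provision(self, identity: str) -> bytes:
        key = secrets.token_bytes(16)
        self._keys[identity] = key
        return key  # the same key is written to the subscriber's ISIM

    def authentication_vector(self, identity: str) -> dict:
        challenge = secrets.token_bytes(16)  # fresh for every request
        expected = _response(self._keys[identity], challenge)
        return {"challenge": challenge, "expected": expected}

class ISIM:
    def __init__(self, identity: str, key: bytes):
        self.identity, self._key = identity, key

    def respond(self, challenge: bytes) -> bytes:
        return _response(self._key, challenge)

class SCSCF:
    """Never sees the secret key; it only compares responses."""
    def __init__(self, hss: HSS):
        self._hss, self._pending = hss, {}

    def challenge(self, identity: str) -> bytes:
        av = self._hss.authentication_vector(identity)
        self._pending[identity] = av["expected"]
        return av["challenge"]

    def verify(self, identity: str, response: bytes) -> bool:
        # pop() makes each challenge single-use, so a replayed response fails.
        expected = self._pending.pop(identity, None)
        return expected is not None and hmac.compare_digest(expected, response)

def register(scscf: SCSCF, isim: ISIM) -> bool:
    return scscf.verify(isim.identity, isim.respond(scscf.challenge(isim.identity)))
```

The S-CSCF in this model holds only the expected response for one outstanding challenge, which is why a terminal holding the wrong key, or a response replayed after verification, is rejected.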
If the user does not have an ISIM, then the USIM may be employed because the security algorithms held on the USIM are the same as those held on the ISIM. An IP multimedia private identity (IMPI), however, will have to be resolved from the user's international mobile subscriber identity (IMSI) to initiate a registration and authentication process.