CN101232379A

Movatterモバイル変換

Info

Publication number: CN101232379A
Application number: CNA2008100570832A
Authority: CN
Inventors: 李跃; 高翔; 张滨; 赵刚; 余弦; 陈鹏; 沈岷; 郑永强
Original assignee: ZTE Corp; China Mobile Communications Group Co Ltd
Current assignee: ZTE Corp; China Mobile Communications Group Co Ltd
Priority date: 2008-01-29
Filing date: 2008-01-29
Publication date: 2008-07-30
Anticipated expiration: 2028-01-29
Also published as: CN101232379B

Abstract

本发明公开了一种实现系统登录的方法、信息技术系统和通信系统，解决了登录多个应用系统时需要逐个输入用户帐号和登录口令导致的登录效率低、安全性低以及管理复杂度高的问题。本发明技术方案包括：信息技术IT系统获得IT系统客户端发送的登录请求，所述登录请求中包括IT系统帐号；根据所述IT系统帐号，获得对应的因特网协议多媒体子系统IMS帐号，并将所述IMS帐号发送给IMS网络，请求IMS网络分配与所述IMS帐号对应的密钥；将所述IMS帐号和所述密钥，通过IT系统客户端发送给IMS客户端，用于IMS客户端登录到IMS网络。通过上述技术方案，能够提高登录效率及安全性，并且能够减少系统管理的复杂度。

The invention discloses a method for realizing system login, an information technology system and a communication system, which solve the problems of low login efficiency, low security and high management complexity caused by the need to input user accounts and login passwords one by one when logging into multiple application systems question. The technical solution of the present invention includes: the information technology IT system obtains the login request sent by the IT system client, and the login request includes the IT system account; according to the IT system account, obtains the corresponding Internet Protocol Multimedia Subsystem IMS account, and The IMS account number is sent to the IMS network, requesting the IMS network to allocate a key corresponding to the IMS account number; the IMS account number and the key are sent to the IMS client through the IT system client for the IMS client Log in to the IMS network. Through the above technical solution, the login efficiency and security can be improved, and the complexity of system management can be reduced.

Description

Translated fromChinese

一种实现系统登录的方法、信息技术系统和通信系统A method for realizing system login, information technology system and communication system

技术领域technical field

本发明涉及网络通信技术领域，尤其涉及通过信息技术系统登录到因特网协议多媒体子系统网络的技术。The invention relates to the technical field of network communication, in particular to the technology of logging into the Internet Protocol Multimedia Subsystem network through an information technology system.

背景技术Background technique

3GPP R5(3^rd Generation Partner Project，第三代伙伴计划)阶段引入了IMS(Internet Protocol Multimedia Subsystem，因特网协议多媒体子系统)，目前已经为ITU-T(International Telecommunication Union-TelecommunicationStandardization Sector，国际电联电信标准化部门)、ETSI(EuropeanTelecommunications Standards Institute，欧洲电信标准机构)、3GPP2等标准组织所接受。IMS可以灵活地提供更多业务应用，如：IMS不仅在规划上可以统一，在QoS(Quality of Service，服务质量)方面也可以做到统一；IMS不仅可以做到承载和控制分离，还可以实现与用户界面的分离；IMS不仅可以实现所有接入的方式，还能做到数据的集中。从业务融合的角度看，IMS具有很大的吸引力和优势。不管从理论上还是在实践中，都已证明IMS是NGN(NextGeneration Network，下一代网络)发展的基础。3GPP R5 (3^rd Generation Partner Project, Third Generation Partnership Project) stage introduced IMS (Internet Protocol Multimedia Subsystem, Internet Protocol Multimedia Subsystem), which has been established by ITU-T (International Telecommunication Union-Telecommunication Standardization Sector, ITU Telecom Standardization Department), ETSI (European Telecommunications Standards Institute, European Telecommunications Standards Institute), 3GPP2 and other standard organizations. IMS can flexibly provide more business applications. For example, IMS can be unified not only in terms of planning, but also in terms of QoS (Quality of Service). IMS can not only separate bearer and control, but also realize Separation from the user interface; IMS can not only implement all access methods, but also centralize data. From the perspective of business integration, IMS has great attractiveness and advantages. Both in theory and in practice, it has been proved that IMS is the basis for the development of NGN (NextGeneration Network, next-generation network).

随着信息技术和网络技术的发展，越来越多的企业认识到，将IMS网络应用与企业IT(Information Technology，信息技术)系统的融合，作为企业应用与通信进行无缝集成的解决方案时，可以为用户获得其所需要的信息提供一个更方便的途径，并且可以为用户提供更多的应用服务，从而能够有效提高企业的工作效率与IT成本。所以，有越来越多的企业引入了IMS网络应用与企业IT系统的融合技术。With the development of information technology and network technology, more and more enterprises realize that when the integration of IMS network application and enterprise IT (Information Technology, information technology) system is used as a solution for seamless integration of enterprise application and communication , can provide a more convenient way for users to obtain the information they need, and can provide users with more application services, thus effectively improving the work efficiency and IT costs of enterprises. Therefore, more and more enterprises have introduced the fusion technology of IMS network application and enterprise IT system.

引入IMS网络应用与企业IT系统的融合技术的同时，用户需要登录的应用系统也会相应地增多。由于每个系统都要求用户遵循一定的安全策略，比如要求输入用户帐号和登录密码，这样，随着用户登录系统的增多，需要记忆的用户帐号和登录密码也会很多，从而导致出错的可能性增加，并且受到非法截获和破坏的可能性也会增大，登录网络的安全性也会相应降低。另外，用户有可能会忘记用户帐号或登录密码，此时就需要用户请求管理员的帮助，直到重新获得用户帐号或登录密码，才能执行任务。这样就会浪费很多时间，从而导致系统登录效率降低，并且由此使系统的管理复杂度增大。When the integration technology of IMS network application and enterprise IT system is introduced, the number of application systems that users need to log in will increase accordingly. Since each system requires users to follow certain security policies, such as requiring the input of user accounts and login passwords, as the number of users logging into the system increases, there will be many user accounts and login passwords that need to be memorized, resulting in the possibility of errors increase, and the possibility of being illegally intercepted and destroyed will also increase, and the security of logging into the network will decrease accordingly. In addition, the user may forget the user account or login password. At this time, the user needs to ask the administrator for help, and the task cannot be performed until the user account or login password is obtained again. In this way, a lot of time will be wasted, resulting in a decrease in system login efficiency, and thus increasing the complexity of system management.

为尽量避免上述情况发生，可以采用统一登录的方式实现多个系统的登录，也就是说，将IMS帐号和企业IT系统的帐号统一起来，采用同样的用户帐号和/或登录密码进行登录。为了实现统一登录，通常通过简化用户帐号和/或登录密码，或者在多个应用系统中使用相同的用户帐号和/或登录密码等方法来实现，以减少用户需要记忆的登录多个应用系统所需要的用户帐号和登录密码，减少操作的复杂性，但是，简化或单一的用户帐号和/或登录密码往往很容易被破解或盗用，这种方式也是极不安全的；另外，当这些安全风险逐步反映出来，管理员会增加一些新的安全措施，但是这些措施会减少系统的可用性，并且会增大系统管理的复杂度。In order to avoid the above situation as much as possible, the unified login method can be used to realize the login of multiple systems, that is, the IMS account and the account of the enterprise IT system are unified, and the same user account and/or login password are used for login. In order to achieve unified login, it is usually achieved by simplifying the user account and/or login password, or using the same user account and/or login password in multiple application systems, so as to reduce the number of times users need to remember to log in to multiple application systems. User accounts and login passwords are required to reduce the complexity of operations. However, simplified or single user accounts and/or login passwords are often easily cracked or stolen, and this method is also extremely unsafe; in addition, when these security risks It is gradually reflected that the administrator will add some new security measures, but these measures will reduce the availability of the system and increase the complexity of system management.

发明内容Contents of the invention

本发明提供一种实现系统登录的方法、信息技术系统和通信系统，以解决登录多个IMS网络应用系统时需要逐个输入用户帐号和登录密码导致登录效率低、安全性低以及管理复杂度高的问题。The present invention provides a method for realizing system login, an information technology system and a communication system to solve the problems of low login efficiency, low security and high management complexity caused by the need to input user accounts and login passwords one by one when logging into multiple IMS network application systems question.

本发明实施例通过如下技术方案实现：Embodiments of the present invention are realized through the following technical solutions:

本发明实施例提供了一种实现系统登录的方法，包括：The embodiment of the present invention provides a method for realizing system login, including:

信息技术IT系统获得IT系统客户端发送的登录请求，所述登录请求中包括IT系统帐号；The information technology IT system obtains the login request sent by the IT system client, and the login request includes the IT system account number;

根据所述IT系统帐号，获得对应的因特网协议多媒体子系统IMS帐号，并将所述IMS帐号发送给IMS网络，请求所述IMS网络分配与所述IMS帐号对应的密钥；Obtain a corresponding Internet Protocol Multimedia Subsystem IMS account according to the IT system account, and send the IMS account to the IMS network, requesting the IMS network to allocate a key corresponding to the IMS account;

将所述IMS帐号和所述IMS网络分配的密钥，通过IT系统客户端发送给IMS客户端，用于IMS客户端登录到IMS网络。The IMS account number and the key allocated by the IMS network are sent to the IMS client through the IT system client, for the IMS client to log in to the IMS network.

本发明实施例还提供了一种信息技术系统，所述信息技术系统包括：The embodiment of the present invention also provides an information technology system, and the information technology system includes:

网络通信单元，用于获得信息技术IT系统客户端发送的登录请求，所述登录请求中包括IT系统帐号；A network communication unit, configured to obtain a login request sent by an information technology IT system client, where the login request includes an IT system account;

帐号获得单元，用于根据所述IT系统帐号，获得对应的因特网协议多媒体子系统IMS帐号；An account obtaining unit, configured to obtain a corresponding Internet Protocol Multimedia Subsystem IMS account according to the IT system account;

数据请求单元，用于将所述IMS帐号发送给IMS网络，请求所述IMS网络分配与所述IMS帐号对应的密钥；以及，获得所述IMS网络分配的与所述IMS帐号对应的密钥；A data request unit, configured to send the IMS account number to the IMS network, request the IMS network to allocate a key corresponding to the IMS account; and obtain the key allocated by the IMS network corresponding to the IMS account ;

所述网络通信单元，还用于将所述IMS帐号和所述IMS网络分配的密钥，通过IT系统客户端发送给IMS客户端，用于IMS客户端登录到IMS网络。The network communication unit is further configured to send the IMS account number and the key allocated by the IMS network to the IMS client through the IT system client, so that the IMS client logs in to the IMS network.

本发明实施例还提供了一种通信系统，所述通信系统包括：信息技术IT系统和因特网协议多媒体子系统IMS网络；The embodiment of the present invention also provides a communication system, and the communication system includes: an information technology IT system and an Internet Protocol Multimedia Subsystem (IMS) network;

其中，IT系统，用于获得IT系统客户端发送的登录请求，所述登录请求中包括IT系统帐号；根据所述IT系统帐号，获得对应的IMS帐号，并将所述IMS帐号发送给IMS网络，请求所述IMS网络分配与所述IMS帐号对应的密钥；将所述IMS帐号和所述IMS网络分配的密钥，通过IT系统客户端发送给IMS客户端，用于IMS客户端登录到IMS网络；Wherein, the IT system is used to obtain the login request sent by the IT system client, the login request includes the IT system account; obtain the corresponding IMS account according to the IT system account, and send the IMS account to the IMS network , requesting the IMS network to allocate a key corresponding to the IMS account; sending the IMS account and the key allocated by the IMS network to the IMS client through the IT system client, for the IMS client to log in to IMS network;

IMS网络，用于根据所述IT系统提供的IMS帐号，分配与所述IMS帐号对应的密钥。The IMS network is configured to allocate a key corresponding to the IMS account according to the IMS account provided by the IT system.

本发明通过上述技术方案，当用户需要登录到IMS网络时，只需要登录IT系统，通过IT系统获得与IT系统帐号对应的IMS帐号，请求IMS网络随机分配用于登录IMS网络并与该IMS帐号对应的密钥，通过该IMS帐号以及对应的密钥登录到IMS网络。通过本发明技术方案，能够减少用户登录IMS网络花费的时间以及由于登录失败而浪费的时间，提高了登录效率；同时，登录IMS网络不需要用户提交和记忆用户帐号和登录密码等认证信息，为用户提供了方便并且提高了登录系统时的安全性；同时，不用在系统中建立登录不同系统时的帐号密码数据库，减少了系统管理的复杂度。Through the above technical solution, when the user needs to log in to the IMS network, the present invention only needs to log in to the IT system, obtain the IMS account corresponding to the IT system account through the IT system, and request the IMS network to randomly allocate the IMS account for logging in to the IMS network and the IMS account. The corresponding key is used to log in to the IMS network through the IMS account and the corresponding key. Through the technical solution of the present invention, the time spent by the user logging in to the IMS network and the time wasted due to login failure can be reduced, and the login efficiency is improved; at the same time, the login to the IMS network does not require the user to submit and memorize authentication information such as user account number and login password, for The user provides convenience and improves the security when logging into the system; at the same time, it does not need to establish an account password database when logging into different systems in the system, which reduces the complexity of system management.

附图说明Description of drawings

图1为本发明第一实施例中一种实现系统登录的方法流程图；Fig. 1 is a flow chart of a method for realizing system login in the first embodiment of the present invention;

图2为本发明第一实施例中通过IMS客户端登录到IMS网络流程图；Fig. 2 is a flow chart of logging in to the IMS network through the IMS client in the first embodiment of the present invention;

图3为本发明第二实施例中IT系统的结构图；Fig. 3 is the structural diagram of IT system in the second embodiment of the present invention;

图4为本发明第三实施例中通信系统的结构图；FIG. 4 is a structural diagram of a communication system in a third embodiment of the present invention;

图5为本发明第三实施例中通信系统的第二结构图；FIG. 5 is a second structural diagram of the communication system in the third embodiment of the present invention;

图6为本发明第三实施例中用户登录通信系统的流程图。FIG. 6 is a flowchart of a user logging into the communication system in the third embodiment of the present invention.

具体实施方式Detailed ways

本发明实施例提供了一种实现系统登录的方法、信息技术系统和通信系统，通过IT系统获得用于登录IMS网络的IMS帐号以及对应的密钥，利用该IMS帐号以及对应的密钥能够登录到IMS网络，从而能够提高用户登录多个应用系统的效率和安全性，并且降低了管理系统的复杂度。下面结合说明书附图及具体实施例对本发明技术方案的主要实现原理、具体实施过程及其对应能够达到的有益效果进行详细的阐述。The embodiment of the present invention provides a method for realizing system login, an information technology system, and a communication system. The IMS account number and the corresponding key for logging into the IMS network are obtained through the IT system, and the IMS account number and the corresponding key can be used to log in. to the IMS network, thereby improving the efficiency and security of users logging in to multiple application systems, and reducing the complexity of the management system. The main implementation principle, specific implementation process and corresponding beneficial effects of the technical solution of the present invention will be described in detail below in conjunction with the accompanying drawings and specific embodiments.

本发明第一实施例提供了一种实现系统登录的方法，该实现系统登录的方法为：IT系统获得IT系统客户端发送的登录请求，所述登录请求中包括IT系统帐号；根据所述IT系统帐号，获得对应的IMS帐号，并将所述IMS帐号发送给IMS网络，请求所述IMS网络分配与所述IMS帐号对应的密钥；将所述IMS帐号和所述IMS网络分配的密钥，通过IT系统客户端发送给IMS客户端，用于IMS客户端登录到IMS网络。The first embodiment of the present invention provides a method for realizing system login. The method for realizing system login is as follows: the IT system obtains a login request sent by an IT system client, and the login request includes an IT system account; system account, obtain the corresponding IMS account, and send the IMS account to the IMS network, requesting the IMS network to allocate a key corresponding to the IMS account; and the IMS account and the key allocated by the IMS network , sent to the IMS client through the IT system client, for the IMS client to log in to the IMS network.

本实施例的具体实施过程如图1所示，包括如下内容：The specific implementation process of this embodiment is shown in Figure 1, including the following:

步骤101、IT系统获得IT系统客户端发送的登录请求，所述登录请求中包括IT系统帐号。Step 101, the IT system obtains a login request sent by an IT system client, and the login request includes an IT system account number.

该IT系统客户端发送的登录请求中还可以进一步包括与IT系统帐号对应的密钥；IT系统根据登录请求中包括的与IT系统帐号对应的密钥，对发起登录请求的IT系统客户端进行身份验证。The login request sent by the IT system client may further include a key corresponding to the IT system account; the IT system performs a check on the IT system client that initiated the login request according to the key corresponding to the IT system account included in the login request. Authentication.

步骤102、IT系统根据所述登录请求中包括的IT系统帐号，获得对应的IMS帐号，并将所述IMS帐号发送给IMS网络，请求IMS网络分配登录IMS网络并与所述IMS帐号对应的密钥。Step 102: The IT system obtains the corresponding IMS account according to the IT system account included in the login request, and sends the IMS account to the IMS network, requesting the IMS network to assign a password corresponding to the IMS account for logging in to the IMS network. key.

在进行该步骤之前，需要在IT系统中建立并存储IT系统帐号与IMS帐号的对应关系，IT系统通过查找该对应关系，从而获得与登录请求中包括的IT系统帐号对应的IMS帐号。Before performing this step, the corresponding relationship between the IT system account and the IMS account needs to be established and stored in the IT system, and the IT system obtains the IMS account corresponding to the IT system account included in the login request by searching the corresponding relationship.

当IMS网络收到IT系统发送的包括IMS帐号的请求后，IMS网络的归属用户服务器HSS(Home Subscriber Server，归属用户服务器)会为该IMS帐号随机生成密钥；或者，在IT系统与IMS网络之间的协议转换设备拦截IT系统发送的包括IMS帐号的请求，为该IMS帐号随机生成一个密钥，并将生成的密钥提供给IMS网络的HSS。When the IMS network receives the request including the IMS account number sent by the IT system, the Home Subscriber Server (HSS) of the IMS network will randomly generate a key for the IMS account; or, between the IT system and the IMS network The protocol conversion device between intercepts the request including the IMS account sent by the IT system, randomly generates a key for the IMS account, and provides the generated key to the HSS of the IMS network.

步骤103、IT系统获得HSS分配的密钥，该密钥还保存在HSS的用户档案数据库中。Step 103, the IT system obtains the key distributed by the HSS, and the key is also stored in the user profile database of the HSS.

步骤104、IT系统将IMS帐号以及HSS分配的密钥通过IT系统客户端提供给IMS客户端，用于IMS客户端登录到IMS网络。Step 104, the IT system provides the IMS account and the key allocated by the HSS to the IMS client through the IT system client, so that the IMS client can log in to the IMS network.

步骤104具体包括如下过程：Step 104 specifically includes the following processes:

步骤一、IT系统将IMS帐号以及HSS分配的密钥发送给IT系统客户端；Step 1. The IT system sends the IMS account number and the key assigned by the HSS to the IT system client;

步骤二、IT系统客户端调用IMS客户端，并在调用过程中将IT系统发送的IMS帐号以及对应的密钥提供给IMS客户端，用于IMS客户端登录到IMS网络。IT系统客户端调用IMS客户端可以采用标准调用技术，其调用流程如下：Step 2: The IT system client invokes the IMS client, and provides the IMS account and the corresponding key sent by the IT system to the IMS client during the invoking process, for the IMS client to log in to the IMS network. The IT system client can use the standard calling technology to call the IMS client, and the calling process is as follows:

IMS Client.exe％1％2IMS Client.exe%1%2

其中，％1为用户IMS账号；％2为用户的一次性密码。Among them, %1 is the user's IMS account number; %2 is the user's one-time password.

IMS客户端登录到IMS网络的具体过程如图2所示，包括如下内容：The specific process for the IMS client to log in to the IMS network is shown in Figure 2, including the following:

步骤201、IMS网络的CSCF(Call Session Control Function，呼叫会话控制功能)服务器接收IMS客户端发送的登录请求。Step 201, the CSCF (Call Session Control Function, call session control function) server of the IMS network receives the login request sent by the IMS client.

IMS客户端发送的登录请求中包括：IMS帐号以及登录方式信息，本实施例以登录方式信息的内容为单点登录方式为例，进行下面的说明。The login request sent by the IMS client includes: IMS account number and login mode information. In this embodiment, the content of the login mode information is single sign-on mode as an example, and the following description is made.

步骤202、CSCF服务器根据IMS客户端发送的登录请求，获得对应的鉴权数据。Step 202, the CSCF server obtains corresponding authentication data according to the login request sent by the IMS client.

CSCF服务器获得的鉴权数据包括：与所述IMS帐号对应的密钥以及单点登录方式要求的鉴权算法，单点登录方式要求的鉴权算法一般为MD5加密算法。The authentication data obtained by the CSCF server includes: the key corresponding to the IMS account and the authentication algorithm required by the single sign-on mode. The authentication algorithm required by the single sign-on mode is generally the MD5 encryption algorithm.

步骤202的具体实现包括如下过程：The specific implementation ofstep 202 includes the following processes:

S1、判断CSCF服务器中是否存在与IMS帐号对应并且符合单点登录方式要求的鉴权数据。S1. Determine whether there is authentication data corresponding to the IMS account and meeting the requirements of the single sign-on mode in the CSCF server.

一般情况下，当用户首次登录时，系统中并没有任何鉴权数据；而对于已经登录到IMS网络的用户，为了保证网络连接更加通畅，需要定时刷新网络，也即刷新登录，此时CSCF服务器中已保存有首次登录时下载的鉴权数据，对于刷新登录，该鉴权数据依然有效。Generally, when a user logs in for the first time, there is no authentication data in the system; for users who have already logged in to the IMS network, in order to ensure a smoother network connection, it is necessary to refresh the network regularly, that is, to refresh the login. At this time, the CSCF server The authentication data downloaded when logging in for the first time has been saved in , and the authentication data is still valid for refreshing login.

S2、当判断CSCF服务器中存在所述鉴权数据时，则执行步骤S3；否则执行步骤S4。S2. When it is judged that the authentication data exists in the CSCF server, execute step S3; otherwise, execute step S4.

S3、获得CSCF服务器中的鉴权数据。S3. Obtain the authentication data in the CSCF server.

S4、请求IMS网络的HSS分配与IMS帐号对应并符合单点登录方式要求的鉴权数据。S4. Request the HSS of the IMS network to allocate authentication data corresponding to the IMS account and meeting the requirements of the single sign-on mode.

进一步，为了保证IMS客户端必须在登录IT系统后才能使用单点登录方式登入IMS网络，防止非法用户的重放攻击，也即重复发送相同的信息以攻击网络，例如，截取登录包文后重新发送给IMS网络，需要保证登录IMS网络的密钥的一次性特征，所以需要根据登录方式信息或用户信息，进一步判断一次性密钥是否有效，并当一次性密钥无效后，需要下载新的鉴权数据。Furthermore, in order to ensure that the IMS client must log in to the IT system before using the single sign-on method to log in to the IMS network, prevent replay attacks by illegal users, that is, repeatedly send the same information to attack the network, for example, intercept the login packet and re- To send to the IMS network, it is necessary to ensure the one-time feature of the key for logging into the IMS network, so it is necessary to further determine whether the one-time key is valid based on the login method information or user information, and when the one-time key is invalid, a new one-time key needs to be downloaded. Authentication data.

判断需要获得新的鉴权数据需要满足如下条件中的至少一个成立：Judging that new authentication data needs to be obtained must meet at least one of the following conditions:

A、用户登录IMS网络的登录方式发生变化。A. The login method for users to log in to the IMS network has changed.

例如：前一次登录IMS网络采用HTTP Digest登录方式，而本次采用单点登录方式，因为不同登录方式之间是不兼容的，并且不同登录方式需要的鉴权数据也是不同的，所以当登录方式发生变化时，就需要重新下载鉴权数据。For example: the previous login to the IMS network used the HTTP Digest login method, but this time the single sign-on method is used, because different login methods are incompatible, and the authentication data required by different login methods are also different, so when the login method When a change occurs, the authentication data needs to be downloaded again.

B、用户的联系地址或注册信息发生变化。B. The user's contact address or registration information changes.

例如，当用户关闭了IT系统客户端并换用其它终端登录，或用户关闭或重启了IT系统客户端并重启了IMS客户端时，用户的联系地址或注册信息都会发生变化，所以也需要重新下载鉴权数据。For example, when the user closes the IT system client and logs in with another terminal, or the user closes or restarts the IT system client and then restarts the IMS client, the user's contact address or registration information will change, so a new Download authentication data.

同时，为了保证与IMS帐号对应的密钥更加安全，当HSS将与IMS帐号对应的鉴权数据分配给CSCF服务器后，将保存在其用户档案数据库中的该条与IMS帐号对应的密钥删除或设置为无效，直到再次收到IT系统发送的包含IMS帐号的请求时，HSS会生成一个新的密钥，所以，登录IMS网络需要的密码的生命周期限定在用户在某个终端上的一次登录周期内，即用户成功登录到IT系统中，并触发IMS网络的一次登录。At the same time, in order to ensure that the key corresponding to the IMS account is more secure, when the HSS distributes the authentication data corresponding to the IMS account to the CSCF server, it will delete the key corresponding to the IMS account stored in its user profile database. Or set it to invalid, until the HSS will generate a new key when it receives the request containing the IMS account number sent by the IT system again, so the life cycle of the password required to log in to the IMS network is limited to one time on a certain terminal of the user During the login period, the user successfully logs in to the IT system and triggers a login to the IMS network.

步骤203、CSCF服务器将IMS网络对应的网络信息，提供给IMS客户端，用于IMS客户端对所述IMS网络进行认证。Step 203, the CSCF server provides the network information corresponding to the IMS network to the IMS client, so that the IMS client can authenticate the IMS network.

IMS客户端对IMS网络的认证可以通过MAC(Message AuthenticationCheck，消息认证验证)算法实现，IMS网络提供给IMS客户端的网络信息中包括AUTN(Authentication Token，鉴权标识)，IMS客户端收到IMS网络发送的网络信息后，计算期望的消息认证码XMAC校验值，比较从AUTN中取得的由HSS计算的消息认证码MAC校验值与IMS客户端生成的XMAC校验值，若MAC校验值和XMAC校验值一致，则认证成功。The authentication of the IMS client to the IMS network can be realized through the MAC (Message Authentication Check) algorithm. The network information provided by the IMS network to the IMS client includes AUTN (Authentication Token, authentication identifier). After sending the network information, calculate the expected message authentication code XMAC check value, compare the message authentication code MAC check value calculated by the HSS obtained from AUTN with the XMAC check value generated by the IMS client, if the MAC check value If it is consistent with the XMAC check value, the authentication is successful.

IMS客户端计算XMAC校验值的过程如下：The process of calculating the XMAC check value by the IMS client is as follows:

客户端利用共享密钥来校验AUTN，如果AUTN校验成功，客户端通过随机数RAND计算出过程密钥AK，然后使用过程密钥AK来恢复序列号SQN，接着通过得到的序列号SQN、RAND和客户端中保存的AMF(AuthenticationManagement Function，认证管理功能)来计算期望的消息认证码XMAC校验值。The client uses the shared key to verify the AUTN. If the AUTN verification is successful, the client calculates the process key AK through the random number RAND, and then uses the process key AK to restore the serial number SQN, and then passes the obtained serial number SQN, RAND and the AMF (AuthenticationManagement Function) stored in the client to calculate the expected message authentication code XMAC check value.

步骤204、判断IMS客户端对IMS网络的认证是否通过，若通过，则执行步骤205；否则拒绝该IMS网络发送的信息。Step 204, judging whether the authentication of the IMS client to the IMS network is passed, and if so, performingstep 205; otherwise, rejecting the information sent by the IMS network.

步骤205、CSCF服务器将获得的鉴权数据中包括的鉴权算法提供给IMS客户端，利用IMS客户端中的密钥以及该鉴权算法生成鉴权响应；以及，CSCF服务器获得IMS客户端生成的鉴权响应；并利用本地获得的鉴权数据中包括的密钥以及鉴权算法生成鉴权响应。Step 205, the CSCF server provides the authentication algorithm included in the obtained authentication data to the IMS client, and uses the key in the IMS client and the authentication algorithm to generate an authentication response; and, the CSCF server obtains the authentication algorithm generated by the IMS client. The authentication response; and use the key and authentication algorithm included in the locally obtained authentication data to generate the authentication response.

步骤206、将步骤205中IMS客户端生成的鉴权响应与CSCF服务器生成的鉴权响应进行比较，当所生成的两个鉴权响应一致时，执行步骤207；否则拒绝该IMS客户端登录到IMS网络。Step 206, comparing the authentication response generated by the IMS client instep 205 with the authentication response generated by the CSCF server, and when the generated two authentication responses are consistent, execute step 207; otherwise, reject the IMS client to log in to the IMS network.

步骤207、允许该IMS客户端登录到IMS网络。Step 207, allowing the IMS client to log in to the IMS network.

进一步地，为了保证用户信息的安全性，上述过程中，客户端与IT系统之间进行交互可以采用安全连接(如安全套接字技术)，以保证传递的各种信息(如一次性密钥)不会泄漏。Further, in order to ensure the security of user information, in the above process, the interaction between the client and the IT system can use a secure connection (such as secure socket technology) to ensure that various information transmitted (such as one-time key ) will not leak.

本发明第二实施例提供了一种IT系统，该IT系统如图3所示，包括网络通信单元、帐号获得单元、数据请求单元；本实施例提供的IT系统还可以进一步包括：帐号存储单元；The second embodiment of the present invention provides an IT system. As shown in Figure 3, the IT system includes a network communication unit, an account number obtaining unit, and a data requesting unit; the IT system provided by this embodiment may further include: an account number storage unit ;

其中，网络通信单元，用于获得IT系统客户端发送的登录请求，所述登录请求中包括IT系统帐号；Wherein, the network communication unit is used to obtain the login request sent by the IT system client, and the login request includes the IT system account number;

帐号获得单元，用于根据所述IT系统帐号，获得对应的IMS帐号；an account obtaining unit, configured to obtain a corresponding IMS account according to the IT system account;

数据请求单元，用于将所述IMS帐号发送给IMS网络，请求所述IMS网络分配与所述IMS帐号对应的密钥；并接收IMS网络分配的与所述IMS帐号对应的密钥；A data request unit, configured to send the IMS account number to the IMS network, request the IMS network to allocate a key corresponding to the IMS account; and receive the key allocated by the IMS network corresponding to the IMS account;

相应地，所述网络通信单元，还用于将所述IMS帐号和所述IMS网络分配的密钥，通过IT系统客户端发送给IMS客户端，用于IMS客户端登录到IMS网络。Correspondingly, the network communication unit is further configured to send the IMS account number and the key allocated by the IMS network to the IMS client through the IT system client, so that the IMS client logs in to the IMS network.

本实施例提供的IT系统进一步包括的帐号存储单元，用于将建立IT系统帐号与IMS帐号的对应关系，并将所述对应关系提供给帐号获得单元。The IT system provided in this embodiment further includes an account storage unit, configured to establish a correspondence between an IT system account and an IMS account, and provide the correspondence to the account obtaining unit.

本发明第三实施例提供了一种通信系统，如图4所示，该通信系统包括如下功能实体：The third embodiment of the present invention provides a communication system. As shown in FIG. 4, the communication system includes the following functional entities:

IT系统401，用于获得IT系统客户端发送的登录请求，所述登录请求中包括IT系统帐号；根据所述IT系统帐号，获得对应的IMS帐号，并将所述IMS帐号发送给IMS网络，请求所述IMS网络分配与所述IMS帐号对应的密钥；将所述IMS帐号和所述IMS网络分配的密钥，通过IT系统客户端发送给IMS客户端，用于IMS客户端登录到IMS网络。The IT system 401 is configured to obtain a login request sent by an IT system client, where the login request includes an IT system account; obtain a corresponding IMS account according to the IT system account, and send the IMS account to the IMS network, Requesting the IMS network to allocate a key corresponding to the IMS account; sending the IMS account and the key allocated by the IMS network to the IMS client through the IT system client, for the IMS client to log in to the IMS network.

IMS网络402，用于根据所述IT系统发送的包含IMS帐号的请求，分配与所述IMS帐号对应的密钥。The IMS network 402 is configured to allocate a key corresponding to the IMS account according to the request sent by the IT system that includes the IMS account.

该IMS网络包括：CSCF服务器，该CSCF服务器，用于获得IMS客户端发送的登录请求，所述登录请求中包括IMS帐号以及登录方式信息；根据所述IMS帐号，获得对应的密钥；根据所述登录方式信息，获得所述登录方式所要求的鉴权算法；将所述鉴权算法提供给IMS客户端，并接收所述IMS客户端利用所述鉴权算法以及通过IT系统客户端获得的密钥生成的鉴权响应；利用所述密钥以及鉴权算法，对所述IMS客户端生成的鉴权响应进行校验，并当验证通过后，允许所述IMS客户端登录到IMS网络。The IMS network includes: a CSCF server, the CSCF server is used to obtain the login request sent by the IMS client, the login request includes the IMS account and login mode information; according to the IMS account, obtain the corresponding key; according to the The login method information, obtain the authentication algorithm required by the login method; provide the authentication algorithm to the IMS client, and receive the authentication algorithm obtained by the IMS client using the authentication algorithm and the IT system client The authentication response generated by the key; using the key and the authentication algorithm, verifying the authentication response generated by the IMS client, and allowing the IMS client to log in to the IMS network after the verification is passed.

进一步，该IMS网络还包括：HSS，用于当收到所述IT系统发送的包含IMS帐号的请求时，分配与该IMS帐号对应的密钥；Further, the IMS network further includes: HSS, configured to allocate a key corresponding to the IMS account when receiving the request including the IMS account sent by the IT system;

上述CSCF服务器包括：The above CSCF servers include:

第一鉴权数据获得单元，用于判断IMS网络的呼叫会话控制功能CSCF服务器中是否存在与IMS帐号对应的密钥以及所述登录方式信息要求的鉴权算法；当确定所述CSCF服务器中存在所述密钥以及所述鉴权算法时，则从所述CSCF服务器中获得所述密钥以及所述鉴权算法；否则，从所述HSS中获得所述密钥以及所述鉴权算法；The first authentication data obtaining unit is used to determine whether there is a key corresponding to the IMS account and the authentication algorithm required by the login mode information in the call session control function CSCF server of the IMS network; when it is determined that the CSCF server exists When the key and the authentication algorithm are selected, obtain the key and the authentication algorithm from the CSCF server; otherwise, obtain the key and the authentication algorithm from the HSS;

或，or,

第二鉴权数据获得单元，用于判断IMS网络的呼叫会话控制功能CSCF服务器中是否存在与IMS帐号对应的密钥以及所述登录方式信息要求的鉴权算法；当确定所述CSCF服务器中存在所述密钥以及所述鉴权算法时，根据所述登录方式信息或用户信息，判断是否需要获得新的密钥以及鉴权算法，当确定需要获得新的密钥以及鉴权算法时，则从所述HSS中获得所述密钥以及所述鉴权算法；否则，从所述CSCF服务器中获得所述密钥以及所述鉴权算法；当确定所述CSCF服务器中不存在所述密钥以及所述鉴权算法时，从所述HSS中获得所述密钥以及所述鉴权算法。The second authentication data obtaining unit is used to determine whether there is a key corresponding to the IMS account number and the authentication algorithm required by the login mode information in the call session control function CSCF server of the IMS network; when it is determined that the CSCF server exists When the key and the authentication algorithm are used, according to the login method information or user information, it is judged whether a new key and an authentication algorithm need to be obtained, and when it is determined that a new key and an authentication algorithm need to be obtained, then Obtain the key and the authentication algorithm from the HSS; otherwise, obtain the key and the authentication algorithm from the CSCF server; when it is determined that the key does not exist in the CSCF server and the authentication algorithm, the key and the authentication algorithm are obtained from the HSS.

当上述CSCF服务器包括第二鉴权数据获得单元时，其进一步判断是否需要下载新的鉴权数据的目的在于，保证IMS客户端必须在登录IT系统后才能使用单点登录方式登入IMS网络，防止非法用户的重放攻击，也即重复发送相同的信息以攻击网络，进一步保证本实施例中登录IMS网络所使用密钥的一次性特征。When the above-mentioned CSCF server includes a second authentication data obtaining unit, the purpose of further judging whether to download new authentication data is to ensure that the IMS client must log in to the IT system before using the single sign-on method to log in to the IMS network, preventing The replay attack of illegal users, that is, repeatedly sending the same information to attack the network, further ensures the one-time feature of the key used to log in to the IMS network in this embodiment.

本实施例提供的通信系统如图5所示，还可以进一步包括接口机403，用于在IT系统与IMS网络之间进行协议转换。设置该接口机的目的是为了解决某些情况下IT系统支持的协议接口与IMS无交集的情况，例如IT系统一般都支持HTTP(Hyper-Text Transfer Protocol，超文本传输协议)，但IMS系统中的HSS并不支持协议，故需要设置一个接口设备。As shown in FIG. 5 , the communication system provided by this embodiment may further include an interface machine 403 for performing protocol conversion between the IT system and the IMS network. The purpose of setting up the interface machine is to solve the situation that the protocol interface supported by the IT system does not overlap with the IMS in some cases. For example, the IT system generally supports HTTP (Hyper-Text Transfer Protocol, hypertext transfer protocol), but the IMS system The HSS does not support the protocol, so an interface device needs to be set.

进一步，该接口机还用于拦截所述IT系统发送的包含IMS帐号的请求，生成与该IMS帐号对应的密钥，并将生成的密钥提供给所述归属用户服务器。Further, the interface machine is also used to intercept the request containing the IMS account sent by the IT system, generate a key corresponding to the IMS account, and provide the generated key to the home user server.

下面，以IMS客户端为首次登录为例，对本实施例所述的通信系统中，通过IT系统登录IMS网络的具体过程进行详细说明，如图6所示，包括如下内容：In the following, taking the IMS client as the first login as an example, the specific process of logging into the IMS network through the IT system in the communication system described in this embodiment will be described in detail, as shown in FIG. 6 , including the following content:

步骤601、用户通过智能终端的IT系统客户端向IT系统发送登录请求，该登录请求中包括IT系统帐号以及对应的密钥；Step 601, the user sends a login request to the IT system through the IT system client of the smart terminal, and the login request includes the IT system account number and the corresponding key;

步骤602、IT系统对请求登录的IT系统客户端进行身份验证，并当验证通过后，根据IT系统帐号获得IMS帐号；Step 602, the IT system authenticates the IT system client requesting to log in, and obtains the IMS account according to the IT system account after the authentication is passed;

步骤603、IT系统将获得的IMS帐号包含在用户登录通知中发送给IMS网络的HSS；Step 603, the IT system includes the obtained IMS account number in the user login notification and sends it to the HSS of the IMS network;

步骤604、HSS收到IT系统发送的登录通知后，为该登录通知中包括的IMS帐号随机生成对应的密钥，并将该一次性密钥保存到用户档案数据库中；Step 604: After receiving the login notification sent by the IT system, the HSS randomly generates a corresponding key for the IMS account included in the login notification, and saves the one-time key in the user profile database;

步骤605、HSS将生成的密钥返回给IT系统；Step 605, the HSS returns the generated key to the IT system;

步骤606、IT系统获得IMS分配的密钥，并将IMS帐号以及该密钥提供给IT系统客户端；Step 606, the IT system obtains the key assigned by the IMS, and provides the IMS account and the key to the IT system client;

步骤607、IT系统客户端收到IT系统发送的IMS帐号及对应密钥后，调用IMS客户端，并在调用过程中将该IMS帐号及对应密钥提供给IMS客户端；Step 607: After receiving the IMS account number and the corresponding key sent by the IT system, the IT system client invokes the IMS client, and provides the IMS account and the corresponding key to the IMS client during the invocation process;

步骤608、IMS客户端收到IT系统客户端发送的IMS帐号及对应密钥后，向IMS网络的CSCF服务器发起登录请求，该登录请求中包括IMS帐号以及单点登录信息；Step 608: After receiving the IMS account number and the corresponding key sent by the IT system client, the IMS client initiates a login request to the CSCF server of the IMS network, and the login request includes the IMS account number and single sign-on information;

步骤609、CSCF服务器向HSS发起鉴权数据下载请求，该下载请求中包括IMS帐号；Step 609, the CSCF server initiates an authentication data download request to the HSS, and the download request includes the IMS account number;

步骤610、HSS将用户档案数据库中与IMS帐号对应的密钥以及单点登录方式要求的鉴权算法提供给CSCF服务器，同时将该密钥设为无效；Step 610, the HSS provides the key corresponding to the IMS account in the user profile database and the authentication algorithm required by the single sign-on method to the CSCF server, and sets the key as invalid;

步骤611、CSCF获得HSS提供的密钥以及鉴权算法，并向IMS客户端发起鉴权挑战，该鉴权挑战中包括与IMS网络对应的网络信息以及鉴权算法；Step 611, CSCF obtains the key and authentication algorithm provided by HSS, and initiates an authentication challenge to the IMS client, the authentication challenge includes network information and authentication algorithm corresponding to the IMS network;

步骤612、IMS客户端根据鉴权挑战中的网络信息对IMS网络进行认证，并当认证通过后，利用本端保存的密钥及鉴权挑战中的鉴权算法，生成鉴权响应；Step 612, the IMS client authenticates the IMS network according to the network information in the authentication challenge, and when the authentication is passed, generates an authentication response using the key stored at the local end and the authentication algorithm in the authentication challenge;

步骤613、IMS客户端将生成的鉴权响应提供给CSCF服务器；Step 613, the IMS client provides the generated authentication response to the CSCF server;

步骤614、CSCF利用HSS提供的密钥及鉴权算法对IMS客户端生成的鉴权响应进行校验，并当校验通过后允许该IMS客户端登录到IMS网络；Step 614, the CSCF uses the key provided by the HSS and the authentication algorithm to verify the authentication response generated by the IMS client, and allows the IMS client to log in to the IMS network after the verification is passed;

步骤615、CSCF向IMS客户端反馈登录成功响应。Step 615, the CSCF feeds back a successful login response to the IMS client.

本实施例中的智能终端用于发送登录请求，其包括：IT系统客户端以及IMS客户端；该智能终端可以是一台个人计算机、笔记本或手持终端(如手机)，其包括的IT系统客户端可以是一个Web浏览器或者其它类型的客户端。The intelligent terminal in this embodiment is used to send login request, and it comprises: IT system client and IMS client; This intelligent terminal can be a personal computer, notebook or handheld terminal (such as mobile phone), and the IT system client that it comprises The end can be a web browser or other type of client.

显然，本领域的技术人员可以对本发明进行各种改动和变型而不脱离本发明的精神和范围。这样，倘若本发明的这些修改和变型属于本发明权利要求及其等同技术的范围之内，则本发明也意图包含这些改动和变型在内。Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from the spirit and scope of the present invention. Thus, if these modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalent technologies, the present invention also intends to include these modifications and variations.