Emergency call based authentication method, device and system

An emergency call and equipment technology, applied in transmission systems, emergency/dangerous-situation communication services, connection management, etc., that solves the problem of poor emergency call security and achieves the effect of improving and ensuring security.

Active Publication Date: 2014-03-26
ZTE CORP

AI-Extracted Technical Summary

Problems solved by technology

[0013] Embodiments of the present invention provide an emergency call-based authentication method, device, and system, which are used to solve the problem in the prior art that when a user terminal sen...

Abstract

The invention discloses an emergency call-based authentication method, device and system. The method mainly comprises the following: the correspondence between the IMEI of a user terminal and a device key is stored on both the user terminal side and the HSS side; when the user terminal sends an emergency call request message to the MME, the MME obtains from the HSS first authentication data, which is computed from a security key containing the device key and random verification information; the MME receives second authentication data sent by the user terminal, which the terminal computes from its locally stored security key and the received verification message; the MME compares the first authentication data with the second authentication data and, when they are the same, confirms that the authentication passes and permits the user terminal to access the communication network. This prevents illegitimate user terminals from maliciously accessing the communication network by way of emergency calls, improves the security of emergency calls, and ensures the application security of the communication network.

Application Domain

Connection management, Wireless communication services +4

Technology Topic

Application security, Computer science +2

Example Embodiment

[0047] Embodiment one:
[0048] Figure 2 shows a flowchart of an emergency call-based authentication method according to Embodiment 1 of the present invention. The method includes:
[0049] Step 101: The MME receives the emergency call request message carrying the access network identifier sent by the user terminal, carries the received access network identifier in a query request, and sends the query request to the HSS.
[0050] Wherein, the access network identifier is the IMEI identifier of the user terminal.
[0051] In step 101, when the user terminal is under call restriction or has no SIM card/USIM card inserted and needs to initiate an emergency call request, the user terminal carries its IMEI identifier as the access network identifier in the emergency call request message and sends it to the MME.
[0052] Preferably, when the MME receives the emergency call request message sent by the user, it instructs the user terminal to report the access network identifier, to facilitate identification of the user terminal.
[0053] When the access network identifier reported by the user terminal is a GUTI or P-TMSI, the MME instructs the user terminal to report its IMSI identifier; when the access network identifier reported by the user terminal is the IMSI identifier, the MME instructs the user terminal to report its IMEI identifier.
[0054] It should be noted that when the user terminal is in the state where the SIM card is not inserted, there is no IMSI identification, and only the IMEI identification can be provided to the MME.
[0055] Preferably, after the MME receives the emergency call request message, before sending the query request to the HSS, the method further includes:
[0056] First, the MME searches for the number of emergency call requests sent by the user terminal to the MME within a set time period according to the correspondence between the access network identifier of the user terminal and the number of emergency call requests.
[0057] Specifically, the MME itself has a counter for counting the number of emergency calls made by the user terminal. Whenever the user terminal sends an emergency call request message, the MME increases the number of emergency calls for the user terminal by one, and records the time and the correspondence between the user terminal's access network identifier and the number of emergency calls.
[0058] Secondly, the MME determines whether the number of call requests found is greater than the set threshold, and if so, it refuses to respond to the emergency call request of the user terminal; otherwise, it executes the operation of sending a query request to the HSS.
[0059] The threshold is set to limit the number of emergency calls sent by a user terminal to the MME within a unit time, which is generally determined according to actual needs, and no specific limitation is made here.
[0060] Step 102: The MME receives the query result that carries the verification information and the first authentication data returned by the HSS.
[0061] Wherein: the first authentication data is calculated by the HSS from the security key it looks up and randomly generated verification information; the security key contains the device key, and the device key is determined by the HSS according to the locally stored correspondence between the access network identifier and the device key.
[0062] In step 102, the MME includes the access network identifier carried in the received emergency call request message in the query request and sends it to the HSS.
[0063] After the HSS receives the query request sent by the MME, it performs the following operations:
[0064] Step 1: Determine the device key corresponding to the access network identifier contained in the query request according to the correspondence between the locally stored access network identifier and the device key.
[0065] Step 2: Use the security key containing the device key and randomly generated verification information to calculate the first authentication data.
[0066] It should be noted that the calculation method may be to use a set algorithm, or to perform calculation in accordance with the protocol rules in the 3GPP protocol, which is not specifically limited here.
[0067] Step 3: Send the randomly generated verification information and the obtained first authentication data to the MME as the query result.
[0068] Wherein: the verification information may be verification information in 3GPP format, for example, RAND; the first authentication data is device-challenge, and the query result is RAND||device-challenge. Other forms of information may also be used, determined according to actual needs; no limitation is made here.
[0069] Step 103: The MME receives the second authentication data sent by the user terminal.
[0070] Wherein, the second authentication data is calculated by the user terminal, after it receives the verification information sent by the MME, using a locally stored security key and the verification information.
[0071] In step 103, the MME receives the query result returned by the HSS, which contains random verification information, and the MME sends the random verification information to the user terminal.
[0072] After receiving the verification information, the user terminal performs the following operations:
[0073] Step 1: Determine the device key corresponding to the IMEI identifier.
[0074] Step 2: Use the security key containing the determined device key to perform the calculation on the received verification information, obtaining the second authentication data.
[0075] Step 3: Send the obtained second authentication data to the MME.
[0076] Step 104: The MME compares the first authentication data with the second authentication data, and when the comparison result is the same, determines that the authentication is passed and the user terminal is allowed to access the communication network.
[0077] In step 104, the MME judges whether the received first authentication data and the second authentication data are the same. If they are the same, the authentication is passed and the network access operation is allowed; otherwise, the authentication is not passed and the network access operation is denied.
[0078] Step 105: After allowing the user terminal to access the communication network, the MME receives the emergency call message carrying the emergency call content sent by the user terminal, where the emergency call content has been encrypted by the user terminal using the security key.
[0079] In order to ensure that the emergency call message sent by the user terminal is not tampered with, when the user terminal sends the emergency call message to the MME, the carried emergency call content is encrypted, which ensures the security of the transmitted message.
[0080] Step 106: The MME sends the received emergency call message to the HSS for analysis, and returns a response message to the user terminal according to the analysis result.
[0081] Since the HSS stores the device key and the security key is determined by the device key, when the MME receives the encrypted emergency call message, it needs to decrypt the received encrypted emergency call message through the HSS.
[0082] In the solution of the first embodiment of the present invention, the correspondence between the IMEI identifier of the user terminal and the device key is stored locally in both the user terminal and the HSS. When the user terminal sends an emergency call request message to the MME, the MME obtains from the HSS the first authentication data, calculated from the security key containing the device key and the random verification information, and receives the second authentication data sent by the user terminal, which is calculated from the terminal's locally stored security key and the received verification information. The MME compares the first authentication data with the second authentication data and, when the comparison result is the same, determines that the authentication is passed and allows the user terminal to access the communication network. This prevents illegitimate user terminals from maliciously using the communication network by way of emergency calls, improves the security of emergency calls, and ensures the application security of the communication network.
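
The flow of steps 101 to 104, including the request counter of [0056] to [0058], as an added example that is not part of the patent text. HMAC-SHA256 stands in for the calculation that [0066] leaves open, the device key is used directly as the security key, and the class and method names, the threshold of 3 requests per 60 seconds, the handling of an unknown IMEI and the sample IMEI are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

def auth_data(device_key: bytes, rand: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the unspecified algorithm of [0066],
    # and the device key itself is used as the security key.
    return hmac.new(device_key, rand, hashlib.sha256).digest()

class HSS:
    def __init__(self, imei_to_key):
        self._keys = dict(imei_to_key)       # IMEI -> device key ([0064])

    def query(self, imei):
        key = self._keys.get(imei)
        if key is None:                      # assumption: unknown IMEI yields no result
            return None
        rand = secrets.token_bytes(16)       # fresh verification information per query
        return rand, auth_data(key, rand)    # RAND || device-challenge ([0068])

class Terminal:
    def __init__(self, imei, device_key):
        self.imei, self._key = imei, device_key
    def respond(self, rand):
        return auth_data(self._key, rand)    # second authentication data ([0074])

class MME:
    def __init__(self, hss, threshold=3, window=60.0, clock=time.monotonic):
        self.hss, self.threshold, self.window, self.clock = hss, threshold, window, clock
        self._requests = defaultdict(deque)  # IMEI -> request timestamps ([0057])

    def emergency_attach(self, terminal):
        now, seen = self.clock(), self._requests[terminal.imei]
        while seen and now - seen[0] > self.window:
            seen.popleft()                   # forget requests outside the set period
        seen.append(now)
        if len(seen) > self.threshold:       # [0058]: over the threshold, refuse
            return "refused: rate limit"
        result = self.hss.query(terminal.imei)
        if result is None:
            return "denied: unknown IMEI"
        rand, first = result
        # Step 104: compare in constant time so timing does not leak matching bytes.
        if hmac.compare_digest(first, terminal.respond(rand)):
            return "allowed"
        return "denied: authentication failed"

if __name__ == "__main__":
    imei, key = "490154203237518", secrets.token_bytes(32)   # constructed sample values
    mme = MME(HSS({imei: key}))
    for k in (key, secrets.token_bytes(32)):                 # provisioned key, then a wrong one
        print(mme.emergency_attach(Terminal(imei, k)))
```

Because the counter is keyed on the reported IMEI, failed attempts that present the same IMEI with a wrong key also count toward that terminal's threshold.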

Example Embodiment

[0083] Embodiment two:
[0084] Figure 3 is a schematic structural diagram of the emergency call-based authentication device of the second embodiment. The device includes: a first receiving module 11, a second receiving module 12, a third receiving module 13, and a comparing module 14, wherein:
[0085] The first receiving module 11 is configured to receive an emergency call request message carrying an access network identifier sent by a user terminal, and carry the received access network identifier in a query request and send it to the HSS;
[0086] The second receiving module 12 is configured to receive the query result returned by the HSS carrying the verification information and the first authentication data, where the first authentication data is calculated by the HSS from the security key it looks up and the generated verification information, the security key contains the device key, and the device key is determined by the HSS according to the locally stored correspondence between the access network identifier and the device key;
[0087] The third receiving module 13 is configured to receive second authentication data sent by the user terminal, where the second authentication data is calculated by the user terminal, after it receives the verification information sent by the MME, using a locally stored security key and that verification information;
[0088] The comparison module 14 is configured to compare the first authentication data with the second authentication data, and when the comparison result is the same, determine that the authentication is passed and allow the user terminal to access the communication network.
[0089] Preferably, the device further includes: a fourth receiving module 15 and a message processing module 16, wherein:
[0090] The fourth receiving module is used to receive an emergency call message carrying emergency call content sent by the user terminal after the user terminal has been allowed to access the communication network, wherein the emergency call content has been encrypted by the user terminal using the security key;
[0091] The message processing module is configured to send the received emergency call message to the HSS for analysis, and return a response message to the user terminal according to the analysis result.
[0092] Wherein, the emergency call request message carries the identifier of the user terminal.
[0093] The device further includes: a call count determining module 17 and a call judging module 18, wherein:
[0094] The call count determining module 17 is configured to, before the received access network identifier is carried in the query request and sent to the HSS, look up the number of emergency call requests sent by the user terminal within a set time period, according to the correspondence between the user terminal's identifier and the number of emergency call requests;
[0095] The call judging module 18 is used to judge whether the number of call requests found is greater than the set threshold, and if so, refuse to respond to the emergency call request of the user terminal; otherwise, perform the operation of carrying the received access network identifier in the query request and sending it to the HSS.
[0096] The comparison module 14 is specifically used to determine whether the received first authentication data and the second authentication data are the same. If they are the same, the authentication passes and the network access operation is allowed; otherwise, the authentication fails and the network access operation is denied.

Example Embodiment

[0097] Embodiment three:
[0098] Figure 4 is a schematic structural diagram of the HSS of the third embodiment. The HSS includes: a receiving module 21, a first authentication data calculation module 22, and a sending module 23, wherein:
[0099] The receiving module 21 is configured to receive a query request sent by the MME, where the query request includes an access network identifier, and the access network identifier is carried when the user terminal sends an emergency call request message to the MME;
[0100] The first authentication data calculation module 22 is configured to determine the device key corresponding to the access network identifier contained in the query request according to the locally stored correspondence between the access network identifier and the device key, and to calculate the first authentication data from the security key containing the device key and randomly generated verification information;
[0101] The sending module 23 is configured to send the randomly generated verification information and the obtained first authentication data as a query result to the MME, so that the MME compares the obtained first authentication data with the received second authentication data sent by the user terminal and, when the comparison results are the same, determines that the authentication is passed and allows the user terminal to access the communication network.
[0102] Preferably, the access network identifier is the IMEI identifier of the user terminal;
[0103] The first authentication data calculation module 22 is specifically configured to store the correspondence between the IMEI identifier of the user terminal and the device key.
