[0047] Embodiment 1:
[0048] Figure 2 is a flowchart of an emergency-call-based authentication method according to Embodiment 1 of the present invention. The method includes:
[0049] Step 101: The MME receives the emergency call request message carrying the access network identifier sent by the user terminal, and carries the received access network identifier in the query request and sends it to the HSS.
[0050] Wherein, the access network identifier is the IMEI identifier of the user terminal.
[0051] In step 101, when the user terminal is under call restriction or has no SIM/USIM card inserted and needs to initiate an emergency call request, the user terminal carries its IMEI identifier as the access network identifier in the emergency call request message and sends it to the MME.
[0052] Preferably, when the MME receives the emergency call request message sent by the user terminal, it instructs the user terminal to report its access network identifier, to facilitate identification of the user terminal.
[0053] When the access network identifier reported by the user terminal is a GUTI or P_TMSI, the MME instructs the user terminal to report its IMSI identifier; when the access network identifier reported by the user terminal is the IMSI identifier, the MME instructs the user terminal to report its IMEI identifier.
[0054] It should be noted that when the user terminal is in the state where the SIM card is not inserted, there is no IMSI identification, and only the IMEI identification can be provided to the MME.
[0055] Preferably, after the MME receives the emergency call request message, before sending the query request to the HSS, the method further includes:
[0056] First, the MME searches for the number of emergency call requests sent by the user terminal to the MME within a set time period according to the correspondence between the access network identifier of the user terminal and the number of emergency call requests.
[0057] Specifically, the MME itself has a counter for counting the number of emergency calls made by the user terminal. Whenever the user terminal sends an emergency call request message, the MME increases the number of emergency calls for that user terminal by one, and records the time and the correspondence between the user terminal's access network identifier and the number of emergency calls.
[0058] Secondly, the MME determines whether the number of call requests found is greater than the set threshold, and if so, it refuses to respond to the emergency call request of the user terminal; otherwise, it executes the operation of sending a query request to the HSS.
[0059] The threshold is set to limit the number of emergency calls sent by a user terminal to the MME within a unit time, which is generally determined according to actual needs, and no specific limitation is made here.
[0060] Step 102: The MME receives the query result that carries the verification information and the first authentication data returned by the HSS.
[0061] Wherein: the first authentication data is calculated by the HSS from the security key it has looked up and the randomly generated verification information. The security key contains the device key, and the HSS determines the device key according to the locally stored correspondence between access network identifiers and device keys.
[0062] In step 102, the MME includes the access network identifier carried in the received emergency call request message in the query request and sends it to the HSS.
[0063] After HSS receives the query request sent by the MME, it performs the following operations:
[0064] Step 1: Determine the device key corresponding to the access network identifier contained in the query request according to the correspondence between the locally stored access network identifier and the device key.
[0065] Step 2: Use the security key containing the device key and randomly generated verification information to calculate the first authentication data.
[0066] It should be noted that the calculation method may be to use a set algorithm, or to perform calculation in accordance with the protocol rules in the 3GPP protocol, which is not specifically limited here.
[0067] Step 3: Send the randomly generated verification information and the obtained first authentication data to the MME as the query result.
[0068] Wherein: the verification information may be verification information in 3GPP format, for example RAND; the first authentication data is device-challenge, and the query result is RAND||device-challenge. Other forms of information may also be used, determined according to actual needs; no limitation is made here.
[0069] Step 103: The MME receives the second authentication data sent by the user terminal.
[0070] Wherein, the second authentication data is calculated by the user terminal, after it receives the verification information sent by the MME, using a locally stored security key and that verification information.
[0071] In step 103, the MME receives the query result returned by the HSS, which contains random verification information, and the MME sends the random verification information to the user terminal.
[0072] After receiving the verification information, the user terminal performs the following operations:
[0073] Step 1: Determine the device key corresponding to the IMEI identifier.
[0074] Step 2: Use the security key containing the determined device key and the received verification information to calculate the second authentication data.
[0075] Step 3: Send the obtained second authentication data to the MME.
[0076] Step 104: The MME compares the first authentication data with the second authentication data, and when the comparison result is the same, determines that the authentication is passed and the user terminal is allowed to access the communication network.
[0077] In step 104, the MME judges whether the received first authentication data and the second authentication data are the same. If they are the same, the authentication is passed and the network access operation is allowed; otherwise, the authentication is not passed and the network access operation is denied.
[0078] Step 105: After allowing the user terminal to access the communication network, the MME receives the emergency call message carrying the emergency call content sent by the user terminal, where the emergency call content has been encrypted by the user terminal using the security key.
[0079] In order to ensure that the emergency call message sent by the user terminal is not tampered with, when the user terminal sends the emergency call message to the MME, the carried emergency call content is encrypted, which ensures the security of the transmitted message.
[0080] Step 106: The MME sends the received emergency call message to the HSS for analysis, and returns a response message to the user terminal according to the analysis result.
[0081] Since the HSS stores the device key and the security key is determined by the device key, when the MME receives the encrypted emergency call message, it needs to decrypt the received encrypted emergency call message through the HSS.
[0082] In the solution of the first embodiment of the present invention, the correspondence between the IMEI identifier of the user terminal and the device key is stored locally in both the user terminal and the HSS. When the user terminal sends an emergency call request message to the MME, the MME obtains from the HSS the first authentication data, calculated from the security key containing the device key and the random verification information, and receives from the user terminal the second authentication data, calculated from the locally stored security key and the received verification information. The MME compares the first authentication data with the second authentication data. When the comparison result is the same, the authentication is determined to be passed, and the user terminal is allowed to access the communication network. This prevents illegal user terminals from maliciously using the communication network by means of emergency calls, improves the security of emergency calls, and ensures the security of the application of the communication network.
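The following sketch of Steps 101 to 104 is an added example, not part of the patent text. It shows the per-identifier request threshold, the HSS lookup, and the MME's comparison of first and second authentication data. Assumptions: HMAC-SHA256 stands in for the unspecified calculation method, the device key is used directly as the security key, and all class and function names, the threshold and the time window are hypothetical.

```python
import hashlib, hmac, secrets, time
from collections import defaultdict, deque

def compute_auth(device_key, rand):
    # Assumption: HMAC-SHA256 stands in for the patent's unspecified "set algorithm".
    return hmac.new(device_key, rand, hashlib.sha256).digest()

class HSS:
    """Holds the access-network-identifier -> device-key correspondence."""
    def __init__(self, device_keys):
        self._keys = device_keys

    def query(self, imei):
        key = self._keys.get(imei)
        if key is None:
            return None                       # unknown identifier: nothing issued
        rand = secrets.token_bytes(16)        # randomly generated verification information
        return rand, compute_auth(key, rand)  # query result: RAND || device-challenge

class MME:
    def __init__(self, hss, threshold=3, window=60.0):
        self.hss, self.threshold, self.window = hss, threshold, window
        self._requests = defaultdict(deque)   # identifier -> request timestamps
        self._pending = {}                    # identifier -> first authentication data

    def emergency_request(self, imei, now=None):
        """Step 101: count the request, apply the threshold, then query the HSS."""
        now = time.monotonic() if now is None else now
        seen = self._requests[imei]
        seen.append(now)                      # every request counts, refused or not
        while now - seen[0] > self.window:
            seen.popleft()
        if len(seen) > self.threshold:
            return None                       # refuse to respond
        result = self.hss.query(imei)
        if result is None:
            return None
        self._pending[imei] = result[1]       # first authentication data stays at the MME
        return result[0]                      # only RAND goes to the terminal

    def verify(self, imei, second):
        """Step 104: constant-time comparison; each challenge is usable once."""
        first = self._pending.pop(imei, None)
        return first is not None and hmac.compare_digest(first, second)

def terminal_response(device_key, rand):
    """Step 103, terminal side: second authentication data from the local key."""
    return compute_auth(device_key, rand)
```

Discarding the pending value on every `verify` call means a captured response cannot be replayed against the same challenge, and a wrong response costs the terminal another counted request.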