This section is intended to provide a background or context to the invention that is recited in the claims. The description herein may include concepts that could be pursued, but are not necessarily ones that have been previously conceived or pursued. Therefore, unless otherwise indicated herein, what is described in this section is not prior art to the description and claims in this application and is not admitted to be prior art by inclusion in this section.
In order to gain access to emergency services through a wireless user device, such as a portable telephone, the user device needs to authenticate itself with proper credentials to the network and vice versa. In an IEEE 802.11 system, this is typically done with the user device providing user identity in extensible authentication protocol (EAP) messages enveloped in 802.1x protocol messages to a network access point (AP) and then from AP to an authentication server via a any of a variety of protocols, such as the Remote Authentication Dial-In User Service (RADIUS), for authentication purposes. After a successful EAP exchange, the user device is authenticated, and a pair-wise master key (PMK) is generated by the user device and the AP. A 4-way handshake between the user device and the AP generates session keys (pair-wise transient keys, or PTK). At the end of the EAP exchange and 4-way handshake, entity authentication is completed to allow opening of the 802.1x controlled ports on the AP. Further, key management for confidentiality, data origin authenticity and replay detection services is made available.
The user device is then able to use the wireless network to initiate any services, including emergency calls that provides link confidentiality, using the keys generated. A similar mechanism is realized for authentication and key management in other wireless link technologies (e.g., IEEE 802.16e).
Issues with the above-described mechanism arise in light of a U.S. Federal Communications Commission ruling which indicates that the user must be able to make emergency calls and connected to local public safety answering points (PSAP) regardless of the validity of the user security credentials. In order to allow emergency calls from clients with incorrect or no credentials, the wireless network may choose to operate an open authentication system service identification (SSID) that requires no credentials. However, in this case, there is no involvement of session key derivations and thus, no security features offered due to the key management mechanism as indicated above.
Alternatively, the wireless network may choose operate a security-enabled SSID, such as Wifi Protected Access (WPA) or WAP2 or any other future security certifications from WiFi Alliance, that requires authentication by use of some well known identifiers for clients to use to gain emergency access which will be used for EAP exchange for an emergency-aware authentication mechanism. In this case, however, it may not be possible to standardize the identifiers due to lack of this responsibility in any particular standards body. However, use of the identifiers alone does not provide all the security features but only a dummy authentication. Further, it is undesirable to provide an identifier to the user devices for emergency use before attachment or association to the network that would be used for an emergency-aware authentication. For example, there may be no link security available, but only authentication to access the network. Additionally, in order for derivation of keys for link security, one of the specific authentication mechanisms as determined by the authentication server must be exchanged. However, there is the possibility that the mobile device may not support the mechanism determined by the authentication server.