1
|
# [WIP] Make IMSI Pseudonymization an optional extension of 3GPP TS
|
2
|
|
3
|
**FIXME:** needs to be updated, see [OS#4400](https://osmocom.org/issues/4400).
|
4
|
|
5
|
Optional additions we need to make, and where to make them:
|
6
|
|
7
|
* Initial provisioning of the SIM: can optionally have a pseudo IMSI
|
8
|
* During location update, the HLR uses the pseudo IMSI for all communication
|
9
|
with the VLR / MSC
|
10
|
* After successful location update:
|
11
|
* HLR deallocates a subscriber's previous pseudo IMSI, if it exists, and the
|
12
|
subscriber has done the location update with the newer pseudo IMSI entry.
|
13
|
This is the case, if the SIM applet acknowledged the new pseudo IMSI, but
|
14
|
its ACK SMS did not arrive at the HLR. There are at most two pseudo IMSIs
|
15
|
allocated for one subscriber.
|
16
|
* If there is just one pseudo IMSI for the subscriber (no new pseudo IMSI to
|
17
|
switch to), the HLR allocates a new pseudo IMSI, and increases the
|
18
|
session_id by one for that new pseudo IMSI, compared to the last pseudo
|
19
|
IMSI.
|
20
|
* The HLR sends the new pseudo IMSI, and the associated session_id, to the
|
21
|
SIM via SMS. No matter, if the new pseudo IMSI was just created, or if it
|
22
|
existed already.
|
23
|
* The SIM applet checks, if the session_id is greater than the one that it
|
24
|
has stored, and rejects the SMS otherwise. If the session_id is fine, it
|
25
|
overwrites the SIM's IMSI and session_id with the new data. Then the SIM
|
26
|
sends an ACK packet back to the HLR, containing both the new session_id and
|
27
|
the new pseudo IMSI.
|
28
|
* The HLR verifies the session_id and pseudo IMSI in the ACK packet, discards
|
29
|
the packet if it doesn't know both. If it was not discarded, the HLR
|
30
|
deallocates the old pseudo IMSI.
|
31
|
* When allocating and deallocating pseudo IMSIs, the HLR flushes information in
|
32
|
the VLR related to them, so an old TMSI does not point to the wrong pseudo
|
33
|
IMSI.
|
34
|
* The SIM applet registers EVENT_DOWNLOAD_LOCATION_STATUS, uses it to count the
|
35
|
location updates that were done with the same pseudo IMSI, and warns the user
|
36
|
if the pseudo IMSI did not change over several location updates. This means,
|
37
|
that for some reason, the SMS from the HLR are not arriving (e.g. because an
|
38
|
attacker is blocking them).
|
39
|
|
40
|
TODO:
|
41
|
* extend the list above with the exact sections of the spec, where the new
|
42
|
information should be placed
|
43
|
* Is there a spec for SIM applets, or do we put the SIM applet behaviour in the
|
44
|
regular spec for SIM cards, or mention its behavior in the location update
|
45
|
related change?
|
46
|
* describe everything in detail, fill in the full contents for the SMS etc.
|