Revision 5e62dbac
Added by osmith about 4 years ago
| README.md | ||
|---|---|---|
| 7 | 7 |
|
| 8 | 8 |
## How it works |
| 9 | 9 |
|
| 10 |
The first pseudo IMSI gets allocated, as the SIM card is provisioned. After
|
|
| 11 |
that pseudo IMSI is used for the first time in location update, the HLR decides
|
|
| 12 |
the next pseudo IMSI and sends it as SMS to the SIM. The SIM applet overwrites
|
|
| 13 |
its current IMSI with the new one, and uses it in the next location update.
|
|
| 14 |
Afterwards, the HLR will generate the next IMSI and so on.
|
|
| 15 |
|
|
| 16 |
**FIXME:** details below need updating, see [OS#4400](https://osmocom.org/issues/4400).
|
|
| 10 |
The first pseudo IMSI gets allocated in the HLR, as the SIM card is
|
|
| 11 |
provisioned. After that pseudo IMSI is used for the first time in location
|
|
| 12 |
update, the HLR waits for some time, then decides the next pseudo IMSI and
|
|
| 13 |
sends it together with a delay value as SMS to the SIM. The SIM applet receives
|
|
| 14 |
the SMS and waits the specified delay. Then it overwrites its current IMSI with
|
|
| 15 |
the new one, marks the TMSI as invalid, and initiates the next location update. |
|
| 16 |
Afterwards, the process repeats.
|
|
| 17 | 17 |
|
| 18 | 18 |
``` |
| 19 | 19 |
HLR <-> SIM LOCATION UPDATE, imsi_pseudo=200 |
| 20 |
HLR -> SIM NEW PSEUDO IMSI REQ, session_id=1, imsi_pseudo=123 |
|
| 21 |
HLR <- SIM NEW PSEUDO IMSI RESP ACK, session_id=1, imsi_pseudo=123 |
|
| 22 | 20 |
(time passes) |
| 21 |
HLR -> SIM NEW PSEUDO IMSI, imsi_pseudo=123, delay=60 |
|
| 22 |
(time passes until the SMS arrives) |
|
| 23 |
(SIM applet waits 60 seconds) |
|
| 23 | 24 |
HLR <-> SIM LOCATION UPDATE, imsi_pseudo=123 |
| 24 | 25 |
... |
| 25 | 26 |
``` |
| 26 | 27 |
|
| 27 | 28 |
## In Detail |
| 28 | 29 |
|
| 29 |
1. The HLR has a table of allocated pseudo IMSIs. When provisioning a new SIM, |
|
| 30 |
it randomly decides a new pseudo IMSI. There must be no existing entry in the |
|
| 31 |
table with the same pseudo IMSI in the imsi_pseudo column, but the pseudo IMSI |
|
| 32 |
may be the real IMSI of an existing entry. |
|
| 33 |
|
|
| 34 |
| id | imsi | imsi_pseudo | session_id | |
|
| 35 |
|------|--------|---------------|--------------| |
|
| 36 |
| 1 | 100 | 200 | 0 | |
|
| 30 |
1. Provisioning the SIM |
|
| 37 | 31 |
|
| 38 |
(Other interesting fields to store in the table may be a boolean for
|
|
| 39 |
"provisioned", the allocation date and usage count. The usage count would
|
|
| 40 |
increase whenever the SIM does a successful Location Update with that pseudo
|
|
| 41 |
IMSI.)
|
|
| 32 |
The HLR allocates a new pseudo IMSI as random choice from the pool of available
|
|
| 33 |
IMSIs. The pseudo IMSI must not be used by any other subscriber as pseudo IMSI,
|
|
| 34 |
but may be the real IMSI of another subscriber. The subscriber-specific counter
|
|
| 35 |
imsi_pseudo_i is 0 for the first allocated IMSI for that subscriber.
|
|
| 42 | 36 |
|
| 43 |
2. The SIM does a successful Location Update with its current pseudo IMSI. |
|
| 37 |
| id | imsi | imsi_pseudo | imsi_pseudo_i | |
|
| 38 |
|------|--------|---------------|---------------| |
|
| 39 |
| 1 | 100 | 200 | 0 | |
|
| 44 | 40 |
|
| 45 |
(Clean up: if the ACK from the SIM card in step 4 did not arrive in a previous |
|
| 46 |
provisioning of a new pseudo IMSI, and the SIM has connected with the newer |
|
| 47 |
pseudo IMSI entry, the old pseudo IMSI entry gets deleted now.) |
|
| 41 |
The pseudo IMSI is saved to the SIM as IMSI, instead of the real IMSI. The SIM |
|
| 42 |
is also provisioned with the IMSI pseudonymization applet. |
|
| 48 | 43 |
|
| 49 |
Then the HLR creates a new entry with a new pseudo IMSI (generated as described |
|
| 50 |
in 1.), and with the session_id increased by one. |
|
| 44 |
2. Successful Location Update with pseudo IMSI |
|
| 51 | 45 |
|
| 52 |
| id | imsi | imsi_pseudo | session_id | |
|
| 53 |
|------|--------|---------------|--------------| |
|
| 54 |
| 1 | 100 | 200 | 0 | |
|
| 55 |
| 2 | 100 | 123 | 1 | |
|
| 46 |
a) If this was the first Location Update after provisioning the SIM, the |
|
| 47 |
subscriber has only one pseudo IMSI allocated. The HLR waits for some time. |
|
| 48 |
Then it allocates the next pseudo IMSI from the pool of available IMSIs (as in |
|
| 49 |
1., but with imsi_pseudo_i increased by one). The HLR sends the new |
|
| 50 |
pseudo IMSI, the imsi_pseudo_i and a random delay value in one SMS to the SIM. |
|
| 56 | 51 |
|
| 57 |
The new information is encoded in an SMS and sent to the SIM.
|
|
| 58 |
|
|
| 59 |
```
|
|
| 60 |
HLR -> SIM NEW PSEUDO IMSI REQ, session_id=1, imsi_pseudo=123
|
|
| 61 |
```
|
|
| 52 |
The random delay is how long the SIM applet should wait before changing the
|
|
| 53 |
IMSI. This delay prevents easy correlation of the arrival of the SMS with the |
|
| 54 |
Location Update that will follow in 3. by the SIM. Due to other latencies in
|
|
| 55 |
the network, this is a minimum delay. At this point, the subscriber has two
|
|
| 56 |
allocated pseudo IMSIs:
|
|
| 62 | 57 |
|
| 63 |
3. The SIM applet verifies, that the session_id is higher than the last |
|
| 64 |
session_id it has seen (initially: 0). If that is not the case, it discards the |
|
| 65 |
message. |
|
| 58 |
| id | imsi | imsi_pseudo | imsi_pseudo_i | |
|
| 59 |
|------|--------|---------------|---------------| |
|
| 60 |
| 1 | 100 | 200 | 0 | |
|
| 61 |
| 2 | 100 | 123 | 1 | |
|
| 66 | 62 |
|
| 67 |
The SIM applet writes the new pseudo IMSI and session_id to the SIM card, |
|
| 68 |
overwriting the old data. It acknowledges the new data with a SMS back to the |
|
| 69 |
HLR: |
|
| 63 |
b) If this was not the first Location Update after provisioning a new SIM, the |
|
| 64 |
subscriber already has two pseudo IMSIs allocated when doing the Location |
|
| 65 |
Update. The HLR compares imsi_pseudo_i to find out if the Location Update was |
|
| 66 |
done with the newer or older pseudo IMSI. |
|
| 70 | 67 |
|
| 71 |
``` |
|
| 72 |
HLR <- SIM NEW PSEUDO IMSI RESP ACK, session_id=1, imsi_pseudo=123 |
|
| 73 |
``` |
|
| 68 |
If the older pseudo IMSI was used, then the SIM applet was not able to set the |
|
| 69 |
new IMSI. This may be caused by an SMS arriving late, possibly even months |
|
| 70 |
after it was sent in case the UE was without power for a long period of time. |
|
| 71 |
Therefore the HLR cannot deallocate the newer pseudo IMSI without risking that |
|
| 72 |
the SIM would configure that IMSI and then be locked out (unable to do any |
|
| 73 |
further location updates). Instead, the HLR proceeds like in a), but sends the |
|
| 74 |
same unused new pseudo IMSI again instead of allocating a new one. |
|
| 74 | 75 |
|
| 75 |
4. The HLR verifies, that an entry with the session_id and imsi_pseudo from the
|
|
| 76 |
NEW PSEUDO IMSI RESP ACK message exists in the table. If not, it discards the
|
|
| 77 |
message.
|
|
| 76 |
If the newer pseudo IMSI was used, the SIM applet has successfully set the new
|
|
| 77 |
IMSI. The HLR deallocates the old pseudo IMSI and sends a Purge MS request to
|
|
| 78 |
the VLR with the old pseudo IMSI. Then the HLR proceeds like in a).
|
|
| 78 | 79 |
|
| 79 |
HLR it deletes the old entry with the same IMSI (in the example: the one with |
|
| 80 |
imsi_pseudo=200). |
|
| 80 |
3. Arrival of the SMS |
|
| 81 | 81 |
|
| 82 |
| id | imsi | imsi_pseudo | session_id |
|
|
| 83 |
|------|--------|---------------|--------------|
|
|
| 84 |
| 2 | 100 | 123 | 1 |
|
|
| 82 |
The SIM applet verifies, that imsi_pseudo_i is higher than the last
|
|
| 83 |
imsi_pseudo_i it has seen (initially: 0). If that is not the case, it discards
|
|
| 84 |
the message.
|
|
| 85 | 85 |
|
| 86 |
## Messages getting lost |
|
| 86 |
The SIM applet registers a timer to wait the specified delay. When the timer |
|
| 87 |
expires, the applet updates the last imsi_pseudo_i value that it has seen. Then |
|
| 88 |
it overwrites the IMSI with the next pseudo IMSI and invalidates the TMSI and |
|
| 89 |
Kc. The applet triggers a refresh, which causes the SIM to do a new Location |
|
| 90 |
Update with the new IMSI. |
|
| 87 | 91 |
|
| 88 |
### What if "NEW PSEUDO IMSI REQ" gets lost?
|
|
| 92 |
### What if the SMS gets lost?
|
|
| 89 | 93 |
|
| 90 | 94 |
Both the old and the new pseudo IMSI entry exist in the HLR. |
| 91 | 95 |
|
| 92 |
The SIM will use the old pseudo IMSI in the next location update. The HLR will
|
|
| 93 |
try to send _the same_ new pseudo IMSI with the same new session_id, as soon
|
|
| 94 |
as the next location update is complete.
|
|
| 96 |
The SIM will use the old pseudo IMSI in the next Location Update. The HLR will
|
|
| 97 |
try to send _the same_ new pseudo IMSI with the same new imsi_pseudo_i, as soon
|
|
| 98 |
as the next Location Update is complete.
|
|
| 95 | 99 |
|
| 96 |
### What if "NEW PSEUDO IMSI RESP" gets lost?
|
|
| 100 |
### What if the SMS arrives late?
|
|
| 97 | 101 |
|
| 98 |
Both the old and the new pseudo IMSI entry exist in the HLR. |
|
| 99 |
|
|
| 100 |
The SIM will use the new pseudo IMSI in the next location update. The HLR will |
|
| 101 |
then clean up the old pseudo IMSI entry, and proceed with generating a new |
|
| 102 |
pseudo IMSI entry and sending it to the SIM, as usually. |
|
| 103 |
|
|
| 104 |
## Messages arriving late |
|
| 105 |
|
|
| 106 |
### What if "NEW PSEUDO IMSI REQ" arrives late? |
|
| 107 |
|
|
| 108 |
The session_id will not be higher than the session_id, which the SIM card |
|
| 102 |
The imsi_pseudo_i counter will not be higher than the value the SIM applet |
|
| 109 | 103 |
already knows. Therefore, the applet will discard the message. |
| 110 | 104 |
|
| 111 |
### What if "NEW PSEUDO IMSI RESP" arrives late? |
|
| 112 |
|
|
| 113 |
Session_id and imsi_pseudo from the message will not match what's in the HLR |
|
| 114 |
database, so HLR will discard the message. |
|
| 115 |
|
|
| 116 | 105 |
## Warning the user if SMS don't arrive |
| 117 | 106 |
|
| 118 |
An attacker could possibly block the SMS with NEW PSEUDO IMSI REQ from arriving |
|
| 119 |
at the SIM applet. In that case, the SIM would continue using the old pseudo |
|
| 120 |
IMSI indefinitely. |
|
| 121 |
|
|
| 122 |
We could possibly count the location updates done with the same pseudo IMSI in |
|
| 123 |
the SIM applet, and warn the user if the same pseudo IMSI has been used more |
|
| 124 |
than N (e.g. 5) times. |
|
| 107 |
An attacker could possibly block the SMS from arriving at the SIM applet. In |
|
| 108 |
that case, the SIM would continue using the old pseudo IMSI indefinitely. |
|
| 125 | 109 |
|
| 126 |
(Could be possible by listening to EVENT_DOWNLOAD_LOCATION_STATUS?) |
|
| 110 |
We can count the location updates done with the same pseudo IMSI in the SIM |
|
| 111 |
applet, and warn the user if the same pseudo IMSI has been used more than N |
|
| 112 |
(e.g. 5) times. |
|
| 127 | 113 |
|
| 128 | 114 |
## End2end encryption |
| 129 | 115 |
|
| ... | ... | |
| 141 | 127 |
pseudonymized IMSIs on top, but this is out-of-scope for this project. For |
| 142 | 128 |
reference, once could pre-provision a random "imsi_pseudo_key" with the SIM |
| 143 | 129 |
card, store it in the pseudo IMSI table in the HLR, and deploy a new encryption |
| 144 |
key together with each new pseudo IMSI, attached to the NEW PSEUDO IMSI REQ. |
|
| 130 |
key together with each new pseudo IMSI, attached to the SMS. |
|
Also available in: Unified diff
docs: update to feedback from Neels
Most importantly, there is no ACK SMS anymore, because the next LU is
the implicit ACK. While at it, I've filled in the first TS we probably
need to update.
Related: OS#440