Revision bf33c75a
Added by osmith about 4 years ago
| docs/imsi-pseudo-spec.adoc | ||
|---|---|---|
| 2 | 2 |
|
| 3 | 3 |
== Introduction |
| 4 | 4 |
|
| 5 |
=== Protecting the IMSI on the Radio Interface is Desirable |
|
| 6 |
|
|
| 5 | 7 |
A long-standing issue in the 3GPP specifications is, that mobile phones and |
| 6 | 8 |
other mobile equipment (ME) have to send the International Mobile Subscriber |
| 7 | 9 |
Identity (IMSI) unencrypted over the air. Each IMSI is uniquely identifying the |
| ... | ... | |
| 17 | 19 |
become small and affordable, even criminals actors without much budget can use |
| 18 | 20 |
them to track anybody with a mobile phone. |
| 19 | 21 |
|
| 22 |
=== Summary of Proposed Solution |
|
| 23 |
|
|
| 20 | 24 |
The solution presented in this document is to periodically change the IMSI of |
| 21 | 25 |
the ME to a new pseudonymous IMSI allocated by the Home Location Register (HLR) |
| 22 |
or Home Subscriber Service (HSS). The only component that needs to be changed |
|
| 23 |
in the network besides the SIM is the HLR/HSS, therefore it should be possible |
|
| 24 |
even for a Mobile Virtual Network Operator (MVNO) to deploy this privacy |
|
| 26 |
or Home Subscriber Service (HSS). The next pseudonymous IMSI is sent to the SIM |
|
| 27 |
via Short Message Service (SMS), then a SIM applet overwrites the IMSI of the |
|
| 28 |
SIM with the new value. The only component that needs to be changed in the |
|
| 29 |
network besides the SIM is the HLR/HSS, therefore it should be possible even |
|
| 30 |
for a Mobile Virtual Network Operator (MVNO) to deploy this privacy |
|
| 25 | 31 |
enhancement. |
| 26 | 32 |
|
| 27 |
== Summary of Existing Location Updating Procedures in RAN and CN |
|
| 33 |
=== Summary of Existing Location Updating Procedures in RAN and CN
|
|
| 28 | 34 |
|
| 29 | 35 |
The subscriber's SIM is provisioned with the IMSI and cryptographic keys of a |
| 30 | 36 |
subscriber, after the subscriber was added with the same data to the HLR/HSS. |
| ... | ... | |
| 108 | 114 |
} |
| 109 | 115 |
---- |
| 110 | 116 |
|
| 117 |
<<< |
|
| 111 | 118 |
== Required Changes |
| 112 | 119 |
|
| 113 |
=== SIM Provisioning |
|
| 120 |
=== Pseudonymous IMSI Storage in the HLR |
|
| 121 |
|
|
| 122 |
The HLR must store up to two pseudonymous IMSIs (imsi_pseudo) and their related |
|
| 123 |
counters (imsi_pseudo_i) per subscriber. Each subscriber initially has one |
|
| 124 |
pseudonymous IMSI allocated. A subscriber has two valid pseudonymous IMSIs |
|
| 125 |
only during the transition phase from the old pseudonymous IMSI to the new one. |
|
| 126 |
The amount of available IMSIs must be higher than the amount of subscribers |
|
| 127 |
registered with the HLR. If the amount of available IMSIs is too short, the HLR |
|
| 128 |
can delay assigning new pseudonymous IMSIs until new IMSIs are available again. |
|
| 129 |
|
|
| 130 |
.Examples for additional subscriber data in HLR |
|
| 131 |
|=== |
|
| 132 |
| Subscriber ID | imsi_pseudo | imsi_pseudo_i |
|
| 133 |
// example IMSIs taken from Wikipedia |
|
| 134 |
| 123 |
|
| 135 |
| 310150123456789 |
|
| 136 |
| 1 |
|
| 137 |
|
|
| 138 |
| 234 |
|
| 139 |
| 502130123456789 |
|
| 140 |
| 1 |
|
| 114 | 141 |
|
| 142 |
| 234 |
|
| 143 |
| 460001357924680 |
|
| 144 |
| 2 |
|
| 145 |
|=== |
|
| 115 | 146 |
|
| 147 |
==== imsi_pseudo |
|
| 116 | 148 |
|
| 149 |
The value for imsi_pseudo is a random choice from the pool of available IMSIs |
|
| 150 |
that the HLR controls. The pseudonymous IMSI must not be used by any subscriber |
|
| 151 |
as pseudonymous IMSI yet, but may be the real IMSI of a subscriber. |
|
| 152 |
|
|
| 153 |
==== imsi_pseudo_i |
|
| 154 |
|
|
| 155 |
The counter imsi_pseudo_i indicates how often a subscriber's pseudonymous IMSI |
|
| 156 |
was changed. The value is one for the first allocated pseudonymous IMSI of |
|
| 157 |
a subscriber. When allocating a new pseudonymous IMSI for the same subscriber, |
|
| 158 |
the new imsi_pseudo_i value is increased by one. The counter is used by the SIM |
|
| 159 |
applet to detect and ignore outdated requests related to changing the |
|
| 160 |
pseudonymous IMSI. |
|
| 161 |
|
|
| 162 |
=== SIM Provisioning |
|
| 117 | 163 |
|
| 118 | 164 |
=== Successful Location Update With Pseudonymous IMSI |
| 165 |
|
|
| 166 |
// HLR may choose not to give out next IMSI if it is short on available IMSIS |
|
| 167 |
|
|
| 119 | 168 |
=== Next Pseudonymous IMSI Arrives Via SMS |
| 120 | 169 |
|
| 121 | 170 |
== Error Scenarios |
Also available in: Unified diff
spec: Pseudonymous IMSI Storage in the HLR