Revision bf33c75a
Added by osmith about 4 years ago
docs/imsi-pseudo-spec.adoc | ||
---|---|---|
2 | 2 |
|
3 | 3 |
== Introduction |
4 | 4 |
|
5 |
=== Protecting the IMSI on the Radio Interface is Desirable |
|
6 |
|
|
5 | 7 |
A long-standing issue in the 3GPP specifications is, that mobile phones and |
6 | 8 |
other mobile equipment (ME) have to send the International Mobile Subscriber |
7 | 9 |
Identity (IMSI) unencrypted over the air. Each IMSI is uniquely identifying the |
... | ... | |
17 | 19 |
become small and affordable, even criminals actors without much budget can use |
18 | 20 |
them to track anybody with a mobile phone. |
19 | 21 |
|
22 |
=== Summary of Proposed Solution |
|
23 |
|
|
20 | 24 |
The solution presented in this document is to periodically change the IMSI of |
21 | 25 |
the ME to a new pseudonymous IMSI allocated by the Home Location Register (HLR) |
22 |
or Home Subscriber Service (HSS). The only component that needs to be changed |
|
23 |
in the network besides the SIM is the HLR/HSS, therefore it should be possible |
|
24 |
even for a Mobile Virtual Network Operator (MVNO) to deploy this privacy |
|
26 |
or Home Subscriber Service (HSS). The next pseudonymous IMSI is sent to the SIM |
|
27 |
via Short Message Service (SMS), then a SIM applet overwrites the IMSI of the |
|
28 |
SIM with the new value. The only component that needs to be changed in the |
|
29 |
network besides the SIM is the HLR/HSS, therefore it should be possible even |
|
30 |
for a Mobile Virtual Network Operator (MVNO) to deploy this privacy |
|
25 | 31 |
enhancement. |
26 | 32 |
|
27 |
== Summary of Existing Location Updating Procedures in RAN and CN |
|
33 |
=== Summary of Existing Location Updating Procedures in RAN and CN
|
|
28 | 34 |
|
29 | 35 |
The subscriber's SIM is provisioned with the IMSI and cryptographic keys of a |
30 | 36 |
subscriber, after the subscriber was added with the same data to the HLR/HSS. |
... | ... | |
108 | 114 |
} |
109 | 115 |
---- |
110 | 116 |
|
117 |
<<< |
|
111 | 118 |
== Required Changes |
112 | 119 |
|
113 |
=== SIM Provisioning |
|
120 |
=== Pseudonymous IMSI Storage in the HLR |
|
121 |
|
|
122 |
The HLR must store up to two pseudonymous IMSIs (imsi_pseudo) and their related |
|
123 |
counters (imsi_pseudo_i) per subscriber. Each subscriber initially has one |
|
124 |
pseudonymous IMSI allocated. A subscriber has two valid pseudonymous IMSIs |
|
125 |
only during the transition phase from the old pseudonymous IMSI to the new one. |
|
126 |
The amount of available IMSIs must be higher than the amount of subscribers |
|
127 |
registered with the HLR. If the amount of available IMSIs is too short, the HLR |
|
128 |
can delay assigning new pseudonymous IMSIs until new IMSIs are available again. |
|
129 |
|
|
130 |
.Examples for additional subscriber data in HLR |
|
131 |
|=== |
|
132 |
| Subscriber ID | imsi_pseudo | imsi_pseudo_i |
|
133 |
// example IMSIs taken from Wikipedia |
|
134 |
| 123 |
|
135 |
| 310150123456789 |
|
136 |
| 1 |
|
137 |
|
|
138 |
| 234 |
|
139 |
| 502130123456789 |
|
140 |
| 1 |
|
114 | 141 |
|
142 |
| 234 |
|
143 |
| 460001357924680 |
|
144 |
| 2 |
|
145 |
|=== |
|
115 | 146 |
|
147 |
==== imsi_pseudo |
|
116 | 148 |
|
149 |
The value for imsi_pseudo is a random choice from the pool of available IMSIs |
|
150 |
that the HLR controls. The pseudonymous IMSI must not be used by any subscriber |
|
151 |
as pseudonymous IMSI yet, but may be the real IMSI of a subscriber. |
|
152 |
|
|
153 |
==== imsi_pseudo_i |
|
154 |
|
|
155 |
The counter imsi_pseudo_i indicates how often a subscriber's pseudonymous IMSI |
|
156 |
was changed. The value is one for the first allocated pseudonymous IMSI of |
|
157 |
a subscriber. When allocating a new pseudonymous IMSI for the same subscriber, |
|
158 |
the new imsi_pseudo_i value is increased by one. The counter is used by the SIM |
|
159 |
applet to detect and ignore outdated requests related to changing the |
|
160 |
pseudonymous IMSI. |
|
161 |
|
|
162 |
=== SIM Provisioning |
|
117 | 163 |
|
118 | 164 |
=== Successful Location Update With Pseudonymous IMSI |
165 |
|
|
166 |
// HLR may choose not to give out next IMSI if it is short on available IMSIS |
|
167 |
|
|
119 | 168 |
=== Next Pseudonymous IMSI Arrives Via SMS |
120 | 169 |
|
121 | 170 |
== Error Scenarios |
Also available in: Unified diff
spec: Pseudonymous IMSI Storage in the HLR