| 1 |
65b41130
|
Oliver Smith
|
# Osmocom IMSI Pseudonymization Project
|
| 2 |
|
|
|
| 3 |
|
|
Specification and reference SIM applet implementation to conceal the IMSI of a
|
| 4 |
|
|
mobile subscriber on the radio interface in a 2G, 3G, 4G network.
|
| 5 |
|
|
|
| 6 |
|
|
Homepage: https://osmocom.org/projects/imsi-pseudo/wiki
|
| 7 |
|
|
|
| 8 |
|
|
## How it works
|
| 9 |
|
|
|
| 10 |
5e62dbac
|
Oliver Smith
|
The first pseudo IMSI gets allocated in the HLR, as the SIM card is
|
| 11 |
|
|
provisioned. After that pseudo IMSI is used for the first time in location
|
| 12 |
|
|
update, the HLR waits for some time, then decides the next pseudo IMSI and
|
| 13 |
|
|
sends it together with a delay value as SMS to the SIM. The SIM applet receives
|
| 14 |
|
|
the SMS and waits the specified delay. Then it overwrites its current IMSI with
|
| 15 |
|
|
the new one, marks the TMSI as invalid, and initiates the next location update.
|
| 16 |
|
|
Afterwards, the process repeats.
|
| 17 |
5380e95a
|
Oliver Smith
|
|
| 18 |
65b41130
|
Oliver Smith
|
```
|
| 19 |
|
|
HLR <-> SIM LOCATION UPDATE, imsi_pseudo=200
|
| 20 |
|
|
(time passes)
|
| 21 |
5e62dbac
|
Oliver Smith
|
HLR -> SIM NEW PSEUDO IMSI, imsi_pseudo=123, delay=60
|
| 22 |
|
|
(time passes until the SMS arrives)
|
| 23 |
|
|
(SIM applet waits 60 seconds)
|
| 24 |
65b41130
|
Oliver Smith
|
HLR <-> SIM LOCATION UPDATE, imsi_pseudo=123
|
| 25 |
|
|
...
|
| 26 |
|
|
```
|
| 27 |
|
|
|
| 28 |
c4206534
|
Oliver Smith
|
## In detail
|
| 29 |
65b41130
|
Oliver Smith
|
|
| 30 |
0ee12879
|
Oliver Smith
|
### 1. Provisioning the SIM
|
| 31 |
65b41130
|
Oliver Smith
|
|
| 32 |
5e62dbac
|
Oliver Smith
|
The HLR allocates a new pseudo IMSI as random choice from the pool of available
|
| 33 |
|
|
IMSIs. The pseudo IMSI must not be used by any other subscriber as pseudo IMSI,
|
| 34 |
|
|
but may be the real IMSI of another subscriber. The subscriber-specific counter
|
| 35 |
|
|
imsi_pseudo_i is 0 for the first allocated IMSI for that subscriber.
|
| 36 |
65b41130
|
Oliver Smith
|
|
| 37 |
5e62dbac
|
Oliver Smith
|
| id | imsi | imsi_pseudo | imsi_pseudo_i |
|
| 38 |
|
|
|------|--------|---------------|---------------|
|
| 39 |
|
|
| 1 | 100 | 200 | 0 |
|
| 40 |
65b41130
|
Oliver Smith
|
|
| 41 |
5e62dbac
|
Oliver Smith
|
The pseudo IMSI is saved to the SIM as IMSI, instead of the real IMSI. The SIM
|
| 42 |
|
|
is also provisioned with the IMSI pseudonymization applet.
|
| 43 |
65b41130
|
Oliver Smith
|
|
| 44 |
0ee12879
|
Oliver Smith
|
### 2. Successful Location Update with pseudo IMSI
|
| 45 |
65b41130
|
Oliver Smith
|
|
| 46 |
5e62dbac
|
Oliver Smith
|
a) If this was the first Location Update after provisioning the SIM, the
|
| 47 |
|
|
subscriber has only one pseudo IMSI allocated. The HLR waits for some time.
|
| 48 |
|
|
Then it allocates the next pseudo IMSI from the pool of available IMSIs (as in
|
| 49 |
|
|
1., but with imsi_pseudo_i increased by one). The HLR sends the new
|
| 50 |
|
|
pseudo IMSI, the imsi_pseudo_i and a random delay value in one SMS to the SIM.
|
| 51 |
65b41130
|
Oliver Smith
|
|
| 52 |
5e62dbac
|
Oliver Smith
|
The random delay is how long the SIM applet should wait before changing the
|
| 53 |
|
|
IMSI. This delay prevents easy correlation of the arrival of the SMS with the
|
| 54 |
|
|
Location Update that will follow in 3. by the SIM. Due to other latencies in
|
| 55 |
|
|
the network, this is a minimum delay. At this point, the subscriber has two
|
| 56 |
|
|
allocated pseudo IMSIs:
|
| 57 |
65b41130
|
Oliver Smith
|
|
| 58 |
5e62dbac
|
Oliver Smith
|
| id | imsi | imsi_pseudo | imsi_pseudo_i |
|
| 59 |
|
|
|------|--------|---------------|---------------|
|
| 60 |
|
|
| 1 | 100 | 200 | 0 |
|
| 61 |
|
|
| 2 | 100 | 123 | 1 |
|
| 62 |
65b41130
|
Oliver Smith
|
|
| 63 |
5e62dbac
|
Oliver Smith
|
b) If this was not the first Location Update after provisioning a new SIM, the
|
| 64 |
|
|
subscriber already has two pseudo IMSIs allocated when doing the Location
|
| 65 |
|
|
Update. The HLR compares imsi_pseudo_i to find out if the Location Update was
|
| 66 |
|
|
done with the newer or older pseudo IMSI.
|
| 67 |
65b41130
|
Oliver Smith
|
|
| 68 |
5e62dbac
|
Oliver Smith
|
If the older pseudo IMSI was used, then the SIM applet was not able to set the
|
| 69 |
|
|
new IMSI. This may be caused by an SMS arriving late, possibly even months
|
| 70 |
|
|
after it was sent in case the UE was without power for a long period of time.
|
| 71 |
|
|
Therefore the HLR cannot deallocate the newer pseudo IMSI without risking that
|
| 72 |
|
|
the SIM would configure that IMSI and then be locked out (unable to do any
|
| 73 |
|
|
further location updates). Instead, the HLR proceeds like in a), but sends the
|
| 74 |
|
|
same unused new pseudo IMSI again instead of allocating a new one.
|
| 75 |
65b41130
|
Oliver Smith
|
|
| 76 |
5e62dbac
|
Oliver Smith
|
If the newer pseudo IMSI was used, the SIM applet has successfully set the new
|
| 77 |
|
|
IMSI. The HLR deallocates the old pseudo IMSI and sends a Purge MS request to
|
| 78 |
|
|
the VLR with the old pseudo IMSI. Then the HLR proceeds like in a).
|
| 79 |
65b41130
|
Oliver Smith
|
|
| 80 |
0ee12879
|
Oliver Smith
|
### 3. Arrival of the SMS
|
| 81 |
65b41130
|
Oliver Smith
|
|
| 82 |
5e62dbac
|
Oliver Smith
|
The SIM applet verifies, that imsi_pseudo_i is higher than the last
|
| 83 |
|
|
imsi_pseudo_i it has seen (initially: 0). If that is not the case, it discards
|
| 84 |
|
|
the message.
|
| 85 |
65b41130
|
Oliver Smith
|
|
| 86 |
5e62dbac
|
Oliver Smith
|
The SIM applet registers a timer to wait the specified delay. When the timer
|
| 87 |
|
|
expires, the applet updates the last imsi_pseudo_i value that it has seen. Then
|
| 88 |
|
|
it overwrites the IMSI with the next pseudo IMSI and invalidates the TMSI and
|
| 89 |
|
|
Kc. The applet triggers a refresh, which causes the SIM to do a new Location
|
| 90 |
|
|
Update with the new IMSI.
|
| 91 |
65b41130
|
Oliver Smith
|
|
| 92 |
1acc89b8
|
Oliver Smith
|
It is important, that the SIM does not invoke the IMSI detach procedure (TS
|
| 93 |
|
|
04.08 Section 4.3.4). This is controlled by the network. Otherwise it becomes
|
| 94 |
|
|
trivial to correlate the detach of the old IMSI with the attach or Location
|
| 95 |
|
|
Update of the new IMSI.
|
| 96 |
|
|
|
| 97 |
c4206534
|
Oliver Smith
|
## Notes
|
| 98 |
|
|
|
| 99 |
5e62dbac
|
Oliver Smith
|
### What if the SMS gets lost?
|
| 100 |
65b41130
|
Oliver Smith
|
|
| 101 |
|
|
Both the old and the new pseudo IMSI entry exist in the HLR.
|
| 102 |
|
|
|
| 103 |
5e62dbac
|
Oliver Smith
|
The SIM will use the old pseudo IMSI in the next Location Update. The HLR will
|
| 104 |
|
|
try to send _the same_ new pseudo IMSI with the same new imsi_pseudo_i, as soon
|
| 105 |
|
|
as the next Location Update is complete.
|
| 106 |
65b41130
|
Oliver Smith
|
|
| 107 |
5e62dbac
|
Oliver Smith
|
### What if the SMS arrives late?
|
| 108 |
65b41130
|
Oliver Smith
|
|
| 109 |
5e62dbac
|
Oliver Smith
|
The imsi_pseudo_i counter will not be higher than the value the SIM applet
|
| 110 |
65b41130
|
Oliver Smith
|
already knows. Therefore, the applet will discard the message.
|
| 111 |
|
|
|
| 112 |
0ee12879
|
Oliver Smith
|
### Warning the user if SMS don't arrive
|
| 113 |
65b41130
|
Oliver Smith
|
|
| 114 |
5e62dbac
|
Oliver Smith
|
An attacker could possibly block the SMS from arriving at the SIM applet. In
|
| 115 |
|
|
that case, the SIM would continue using the old pseudo IMSI indefinitely.
|
| 116 |
65b41130
|
Oliver Smith
|
|
| 117 |
5e62dbac
|
Oliver Smith
|
We can count the location updates done with the same pseudo IMSI in the SIM
|
| 118 |
|
|
applet, and warn the user if the same pseudo IMSI has been used more than N
|
| 119 |
|
|
(e.g. 5) times.
|
| 120 |
65b41130
|
Oliver Smith
|
|
| 121 |
0ee12879
|
Oliver Smith
|
### End2end encryption
|
| 122 |
65b41130
|
Oliver Smith
|
|
| 123 |
|
|
When deploying the IMSI pseudonymization, the operator should make sure that
|
| 124 |
|
|
the pseudo IMSI related SMS between the HLR and the SIM cannot be read or
|
| 125 |
|
|
modified by third parties. Otherwise, the next pseudonymous IMSI is leaked, and
|
| 126 |
|
|
in case of modifying the IMSI in the SMS, the SIM may be locked out of the
|
| 127 |
|
|
network.
|
| 128 |
|
|
|
| 129 |
|
|
OTA SMS are usually encrypted and authenticated (TS 03.48), with algorithms and
|
| 130 |
|
|
key lengths that the operator chooses (depending on the SIM and how it is
|
| 131 |
|
|
configured).
|
| 132 |
|
|
|
| 133 |
|
|
It was considered to add an additional layer of end2end encryption for the
|
| 134 |
|
|
pseudonymized IMSIs on top, but this is out-of-scope for this project. For
|
| 135 |
6d06adb8
|
Oliver Smith
|
reference, one could pre-provision a random "imsi_pseudo_key" with the SIM
|
| 136 |
65b41130
|
Oliver Smith
|
card, store it in the pseudo IMSI table in the HLR, and deploy a new encryption
|
| 137 |
5e62dbac
|
Oliver Smith
|
key together with each new pseudo IMSI, attached to the SMS.
|
| 138 |
8c3bd0b4
|
Oliver Smith
|
|
| 139 |
|
|
### User-configurable minimum duration between IMSI changes
|
| 140 |
|
|
|
| 141 |
|
|
It may be desirable to let users configure their minimum duration between IMSI
|
| 142 |
|
|
changes. This allows people with a high privacy requirement to switch their
|
| 143 |
|
|
pseudonymous IMSI more often, and it allows the IMSI change to happen less
|
| 144 |
|
|
often if it is distracting to the user. The latter depends on the phone's
|
| 145 |
|
|
software, for example:
|
| 146 |
|
|
* A Samsung GT-I9100 Galaxy SII smartphone with Android 4.0.3 displays a
|
| 147 |
|
|
message at the bottom of the screen for about 5 seconds, but the user
|
| 148 |
|
|
interface remains usable.
|
| 149 |
|
|
* A Samsung GT-E1200 feature phone displays a waiting screen for 16 to 17
|
| 150 |
|
|
seconds and is unusable during that time.
|
