= Specification for IMSI Pseudonymization on the Radio Interface for 2G and Above

== Introduction

=== Protecting the IMSI on the Radio Interface is Desirable

A long-standing issue in the 3GPP specifications is that mobile phones and
other mobile equipment (ME) have to send the International Mobile Subscriber
Identity (IMSI) unencrypted over the air. Each IMSI uniquely identifies the
person who bought the associated Subscriber Identity Module (SIM) used in the
ME. Therefore most people can be uniquely identified by recording the IMSI that
their ME is sending. Efforts are made in the 2G and above specifications to
send the IMSI less often, by using the Temporary Mobile Subscriber Identity
(TMSI) where possible.

But this is not enough. So-called IMSI catchers were invented and are used
not only to record IMSIs when they have to be sent, but also to force ME to
send their IMSI by imitating a Base Transceiver Station (BTS). IMSI catchers
have become small and affordable, so even criminal actors without much budget
can use them to track anybody with a mobile phone.

=== Summary of Proposed Solution

The solution presented in this document is to periodically change the IMSI of
the ME to a new pseudonymous IMSI allocated by the Home Location Register (HLR)
or Home Subscriber Service (HSS). The next pseudonymous IMSI is sent to the SIM
via Short Message Service (SMS), then a SIM applet overwrites the IMSI of the
SIM with the new value. The only component that needs to be changed in the
network besides the SIM is the HLR/HSS, therefore it should be possible even
for a Mobile Virtual Network Operator (MVNO) to deploy this privacy
enhancement.

=== Summary of Existing Location Updating Procedures in RAN and CN

The subscriber's SIM is provisioned with the IMSI and cryptographic keys of a
subscriber, after the subscriber was added with the same data to the HLR/HSS.
In the Remote Access Network (RAN), the IMSI is sent over the air interface and
then transmitted to the Core Network (CN), where it is validated by the
HLR/HSS. The involved components vary by the generation of the network and
whether the SIM is attempting a Circuit Switched (CS) or Packet Switched (PS)
connection, but the principle is the same. This document uses 2G CS Location
Updating for reference, as in <<figure-imsi-regular>>.

The IMSI is transmitted in the Location Updating Request from the ME. The VLR
needs an authentication challenge specific to the secret keys on the SIM to
authenticate the SIM, and looks the authentication challenges up by the IMSI.
If the VLR does not have any more authentication challenges for the IMSI (as
happens when the VLR sees the IMSI for the first time), the VLR requests new
authentication challenges from the HLR. The HLR then verifies that the IMSI is
known and, if it is unknown, sends back an error that terminates the
Location Updating procedure.

After the VLR has found an authentication challenge, it authenticates the SIM,
and performs a Classmark Enquiry and Physical Channel Reconfiguration. Then the
VLR has the required information to finish the Location Updating, and continues
with Process Update_Location_HLR (3GPP TS 29.002). Afterwards, the VLR assigns
a new TMSI with the Location Updating Accept, which is acknowledged by the TMSI
Reallocation Complete. In subsequent Location Updates with the same MSC, the ME
sends the TMSI instead of the IMSI in the Location Updating Request.

[[figure-imsi-regular]]
.Location Updating in 2G CS with IMSI
["mscgen"]
----
msc {
    hscale="1.75";
    ME [label="ME"], BTS [label="BTS"], BSC [label="BSC"], MSC [label="MSC/VLR"],
    HLR [label="HLR"];

    // BTS <=> BSC: RSL
    // BSC <=> MSC: BSSAP, RNSAP
    // MSC <=> HLR: MAP (process Update_Location_HLR, 3GPP TS 29.002)

    ME => BTS [label="Location Updating Request"];
    BTS => BSC [label="Location Updating Request"];
    BSC => MSC [label="Location Updating Request"];

    --- [label="If necessary: VLR requests new authentication challenges for this IMSI"];
    MSC => HLR [label="Send Auth Info Request"];
    MSC <= HLR [label="Send Auth Info Result"];
    ---;

    BSC <= MSC [label="Authentication Request"];
    BTS <= BSC [label="Authentication Request"];
    ME <= BTS [label="Authentication Request"];
    ME => BTS [label="Authentication Response"];
    BTS => BSC [label="Authentication Response"];
    BSC => MSC [label="Authentication Response"];
    BSC <= MSC [label="Classmark Enquiry"];
    BTS <= BSC [label="Classmark Enquiry"];
    ME <= BTS [label="Classmark Enquiry"];
    ME => BTS [label="Classmark Change"];
    BTS => BSC [label="Classmark Change"];
    BSC => MSC [label="Classmark Update"];
    BSC <= MSC [label="Physical Channel Reconfiguration"];
    BTS <= BSC [label="Ciphering Mode Command"];
    ME <= BTS [label="Ciphering Mode Command"];
    ME => BTS [label="Ciphering Mode Complete"];
    BTS => BSC [label="Ciphering Mode Complete"];
    BSC => MSC [label="Ciphering Mode Complete"];

    --- [label="Process Update_Location_HLR (3GPP TS 29.002)"];
    MSC => HLR [label="Update Location Request"];
    MSC <= HLR [label="Insert Subscriber Data Request"];
    MSC => HLR [label="Insert Subscriber Data Result"];
    MSC <= HLR [label="Update Location Result"];
    ---;

    BSC <= MSC [label="Location Updating Accept"];
    BTS <= BSC [label="Location Updating Accept"];
    ME <= BTS [label="Location Updating Accept"];
    ME => BTS [label="TMSI Reallocation Complete"];
    BTS => BSC [label="TMSI Reallocation Complete"];
    BSC => MSC [label="TMSI Reallocation Complete"];
}
----

<<<
== Required Changes

[[hlr-imsi-pseudo-storage]]
=== Pseudonymous IMSI Storage in the HLR

The HLR must store up to two pseudonymous IMSIs (imsi_pseudo) and their related
counters (imsi_pseudo_i) per subscriber. Each subscriber initially has one
pseudonymous IMSI allocated. A subscriber has two valid pseudonymous IMSIs
only during the transition phase from the old pseudonymous IMSI to the new one.
The number of available IMSIs must be higher than the number of subscribers
registered with the HLR. If too few IMSIs are available, the HLR can delay
assigning new pseudonymous IMSIs until new IMSIs are available again.

// example IMSIs taken from Wikipedia
.Examples for additional subscriber data in HLR
|===
| Subscriber ID | imsi_pseudo | imsi_pseudo_i

| 123
| 310150123456789
| 1

| 234
| 502130123456789
| 1

| 234
| 460001357924680
| 2
|===

==== imsi_pseudo

The value for imsi_pseudo is a random choice from the pool of available IMSIs
that the HLR controls. The pseudonymous IMSI must not be used by any subscriber
as pseudonymous IMSI yet, but may be the real IMSI of a subscriber.

[[hlr-imsi-pseudo-i]]
==== imsi_pseudo_i

The counter imsi_pseudo_i indicates how often a subscriber's pseudonymous IMSI
was changed. The value is 1 for the first allocated pseudonymous IMSI of a
subscriber. When allocating a new pseudonymous IMSI for the same subscriber,
the imsi_pseudo_i value is increased by 1. The counter is used by the SIM
applet to detect and ignore outdated requests related to changing the
pseudonymous IMSI.

=== SIM Provisioning

The HLR allocates a pseudonymous IMSI for the subscriber. This pseudonymous
IMSI is stored as IMSI on the subscriber's SIM instead of the real IMSI.

==== SIM applet

The SIM is provisioned with a SIM applet, which is able to change the IMSI once
the next pseudonymous IMSI arrives from the HLR. A reference implementation is
provided in <<reference-src>>.

The SIM applet registers to a suitable SMS trigger (3GPP TS 03.19, Section
6.2). When an SMS from the HLR in the format of <<sms-format>> arrives, the
applet must verify that the SMS is not outdated by comparing imsi_pseudo_i from
the SMS with the last imsi_pseudo_i that was used when changing the IMSI
(initially 1 as in <<hlr-imsi-pseudo-i>>). The new value must be higher,
otherwise the SMS should not be processed further.

The SIM applet registers a timer with min_sleep_time from the SMS. When the
timer triggers, the IMSI of the SIM is overwritten with the new pseudonymous
IMSI, and the TMSI and GSM Ciphering key Kc (3GPP TS 31.102, Section 4.4.3.1)
are invalidated. The current imsi_pseudo_i value is stored to compare it with
the next SMS. Afterwards, the EF~IMSI~ changing procedure in 3GPP TS 11.14,
Section 6.4.7.1 is executed to apply the new IMSI.

// FIXME: do we need to enforce the LU now, with an arbitrary CM Service
// Request, or would this only be necessary for Osmocom? (OS#4404)

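The applet-side checks described above, as an added Python model that is not the reference applet from <<reference-src>>: the SimState fields are stand-ins for the card files, and the hypothetical on_sms and on_timer entry points model the SMS trigger and the min_sleep_time timer callback.

```python
"""Model of the SIM applet handling a 'next pseudonymous IMSI' SMS.

Added example, not the reference applet: plain Python stands in for the
Java Card toolkit APIs, and the card files are modelled as fields."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class SimState:
    # Hypothetical stand-ins for EF_IMSI, the TMSI/Kc validity and the
    # applet's stored counter; the real applet keeps these on the card.
    imsi: str
    imsi_pseudo_i: int = 1          # counter of the IMSI currently in use
    tmsi_valid: bool = True
    kc_valid: bool = True
    pending: Optional[dict] = None  # armed change, waiting for the timer


def on_sms(state: SimState, sms: dict) -> bool:
    """SMS trigger: parse the <<sms-format>> fields, reject outdated or
    malformed SMS, otherwise arm the change for the timer. Returns True
    when the change was armed, False when the SMS was discarded."""
    try:
        new_i = int(sms["imsi_pseudo_i"])
        new_imsi = str(sms["imsi_pseudo"])
        sleep = int(sms["min_sleep_time"])
    except (KeyError, ValueError):
        return False
    if not (new_imsi.isdigit() and 6 <= len(new_imsi) <= 15) or sleep < 0:
        return False
    # Outdated-request protection: the counter must be higher than the
    # one used at the last IMSI change (initially 1).
    if new_i <= state.imsi_pseudo_i:
        return False
    state.pending = {"imsi": new_imsi, "i": new_i, "sleep": sleep}
    return True


def on_timer(state: SimState) -> bool:
    """Timer expiry: overwrite the IMSI, invalidate TMSI and Kc, and store
    the counter for the next comparison. Returns False if nothing was armed."""
    if state.pending is None:
        return False
    state.imsi = state.pending["imsi"]
    state.imsi_pseudo_i = state.pending["i"]
    state.tmsi_valid = False   # forces a fresh Location Updating with the new IMSI
    state.kc_valid = False
    state.pending = None
    return True
```
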
=== Process Update_Location_HLR

All IMSI Pseudonymization related changes to Process Update_Location_HLR
(3GPP TS 29.002) are optional. Deviations from the existing specification that
are outlined in this section are expected to be enabled or disabled entirely
where IMSI pseudonymization is implemented.

[[figure-imsi-pseudo]]
.Process Update_Location_HLR with IMSI pseudonymization changes
["mscgen"]
----
msc {
    hscale="1.75";
    MSC [label="MSC/VLR"], SMSC [label="SMS-SC"], HLR [label="HLR"];

    MSC => HLR [label="Update Location Request"];

    --- [label="If new pseudonymous IMSI was used: deallocate and cancel old pseudonymous IMSI"];
    HLR box HLR [label="Deallocate old pseudonymous IMSI"];
    MSC <= HLR [label="Cancel Location Request"];
    MSC => HLR [label="Cancel Location Result"];
    ---;

    MSC <= HLR [label="Insert Subscriber Data Request"];
    MSC => HLR [label="Insert Subscriber Data Result"];
    HLR box HLR [label="Start Next_Pseudo_IMSI_Timer"];
    MSC <= HLR [label="Update Location Result"];
    MSC box MSC [label="Finish Location Updating with ME"],
    HLR box HLR [label="Wait for Next_Pseudo_IMSI_Timer expiry"];
    |||;
    ...;
    |||;
    HLR box HLR [label="Next_Pseudo_IMSI_Timer expired"];

    HLR box HLR [label="\nAllocate new pseudonymous IMSI\nif subscriber has only one allocated\n"];
    SMSC <= HLR [label="Next Pseudonymous IMSI SMS"];
    SMSC box SMSC [label="Deliver SMS to ME"];
}
----

==== Update Location Request

When an Update Location Request arrives, the HLR does not look up the
subscriber by the IMSI, but by the pseudonymous IMSI instead. Unless the
subscriber has two pseudonymous IMSIs allocated and used the old pseudonymous
IMSI in the Update Location Request, this is followed by the existing logic to
continue with Insert Subscriber Data Request.

===== Update Location Request With New Pseudonymous IMSI

If the subscriber has two pseudonymous IMSIs allocated, and the newer entry was
used (higher imsi_pseudo_i, see <<hlr-imsi-pseudo-i>>), this section applies.
The older pseudonymous IMSI is deallocated in the HLR. This is done as early
as possible, so the timeframe where two pseudonymous IMSIs are allocated for
one subscriber is short.

A Cancel Location Request with the old pseudonymous IMSI is sent to the VLR, so
the conflicting subscriber entry with the old pseudonymous IMSI is deleted from
the VLR. Receiving a Cancel Location Result is followed by the existing logic
to continue with Insert Subscriber Data Request.

===== Update Location Request With Old Pseudonymous IMSI

If the subscriber has two pseudonymous IMSIs allocated, and the older entry was
used (lower imsi_pseudo_i, see <<hlr-imsi-pseudo-i>>), the newer entry is _not_
deallocated. Deallocating it could lock the subscriber out of the network if
the SMS with the new pseudonymous IMSI arrives with a delay.

==== Insert Subscriber Data Result

When Insert Subscriber Data Result arrives, a subscriber specific
Next_Pseudo_IMSI_Timer starts.

==== Next_Pseudo_IMSI_Timer Expires

If the subscriber has only one pseudonymous IMSI allocated, and the number of
available IMSIs in the HLR is high enough, a second pseudonymous IMSI and
related imsi_pseudo_i gets allocated for the subscriber (as described in
<<hlr-imsi-pseudo-storage>>).

If the subscriber still has only one pseudonymous IMSI, because not enough
IMSIs were available in the HLR, the process is aborted here and no SMS with
a next pseudonymous IMSI is sent to the subscriber. The subscriber will get a
new pseudonymous IMSI during the next Location Updating Procedure, if the HLR
has enough IMSIs available at that point.

An SMS is sent to the SMS Service Centre (SMS-SC) with the newer pseudonymous
IMSI (higher imsi_pseudo_i, see <<hlr-imsi-pseudo-i>>) and the related
imsi_pseudo_i value.

[[sms-format]]
==== SMS Format

* min_sleep_time
* imsi_pseudo
* imsi_pseudo_i

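The HLR-side logic of this section together with the storage rules of <<hlr-imsi-pseudo-storage>>, as an added Python model that is not osmo-hlr or any other project code: the reserve threshold for "enough IMSIs available", the fixed min_sleep_time of 60 and the method names are assumptions of this example.

```python
"""HLR-side model of IMSI pseudonymization (added example, not osmo-hlr code).

Per subscriber: up to two (imsi_pseudo, imsi_pseudo_i) pairs, a pool of free
IMSIs, lookup by pseudonymous IMSI in Update Location Request, allocation and
SMS payload at Next_Pseudo_IMSI_Timer expiry. The 'reserve' threshold and the
min_sleep_time value of 60 are assumptions, not taken from the specification."""
import secrets


class HLR:
    def __init__(self, pool, reserve=1):
        self.free = set(pool)    # IMSIs the HLR controls and may hand out
        self.reserve = reserve   # keep at least this many IMSIs free (assumption)
        self.subs = {}           # subscriber id -> [(imsi_pseudo, imsi_pseudo_i), ...]
        self.by_pseudo = {}      # imsi_pseudo -> subscriber id

    def _alloc(self, sub_id, i):
        # Random choice from the pool; an IMSI still in the pool is by
        # construction not in use as pseudonymous IMSI by any subscriber.
        imsi = secrets.choice(sorted(self.free))
        self.free.remove(imsi)
        self.subs.setdefault(sub_id, []).append((imsi, i))
        self.by_pseudo[imsi] = sub_id
        return imsi

    def add_subscriber(self, sub_id):
        """Initial provisioning: one pseudonymous IMSI with imsi_pseudo_i = 1."""
        return self._alloc(sub_id, 1)

    def update_location(self, imsi_pseudo):
        """Update Location Request: look the subscriber up by pseudonymous IMSI.
        Returns (sub_id, old_imsi) where old_imsi is the IMSI for a Cancel
        Location Request, or None. Raises KeyError for an unknown IMSI."""
        sub_id = self.by_pseudo[imsi_pseudo]
        entries = self.subs[sub_id]
        newest = max(entries, key=lambda e: e[1])
        if len(entries) == 2 and imsi_pseudo == newest[0]:
            # New IMSI in use: deallocate the old one as early as possible.
            old = min(entries, key=lambda e: e[1])
            entries.remove(old)
            del self.by_pseudo[old[0]]
            self.free.add(old[0])
            return sub_id, old[0]
        # Old IMSI still in use (SMS delayed) or only one allocated: keep both.
        return sub_id, None

    def timer_expired(self, sub_id):
        """Next_Pseudo_IMSI_Timer expiry: returns the SMS payload for the SMS-SC,
        or None when no second IMSI could be allocated."""
        entries = self.subs[sub_id]
        if len(entries) == 1 and len(self.free) > self.reserve:
            self._alloc(sub_id, entries[0][1] + 1)
        if len(entries) == 1:
            return None  # retried at the next Location Updating
        newest = max(entries, key=lambda e: e[1])
        return {"min_sleep_time": 60, "imsi_pseudo": newest[0],
                "imsi_pseudo_i": newest[1]}
```
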
== Error Scenarios
=== Next Pseudonymous IMSI SMS is Lost
=== SMS Arrives Late

// === SMS Arrives Before Timer Expires
// FIXME: OS#4486

[[reference-src]]
== Reference Implementation with Source Code

== Recommendations for Real-World Implementations
=== ATT = 0
=== End to End Encryption of SMS
=== Warning the User if the IMSI Does Not Change
=== User-configurable Minimum Duration Between IMSI Changes

<<<
include::./common/chapters/gfdl.adoc[]