Project

General

Profile

Download (12.5 KB) Statistics
| Branch: | Revision:
1 5c95bc9c Oliver Smith
= Specification for IMSI Pseudonymization on the Radio Interface for 2G and Above
2
3
== Introduction
4
5 bf33c75a Oliver Smith
=== Protecting the IMSI on the Radio Interface is Desirable
6
7 5c95bc9c Oliver Smith
A long-standing issue in the 3GPP specifications is, that mobile phones and
8
other mobile equipment (ME) have to send the International Mobile Subscriber
9
Identity (IMSI) unencrypted over the air. Each IMSI is uniquely identifying the
10
person who bought the associated Subscriber Identity Module (SIM) used in the
11
ME. Therefore most people can be uniquely identified by recording the IMSI that
12
their ME is sending. Efforts are made in the 2G and above specifications to
13 7afd7010 Oliver Smith
send the IMSI less often, by using the Temporary Mobile Subscriber Identity
14
(TMSI) where possible.
15 5c95bc9c Oliver Smith
16
But this is not enough. So-called IMSI catchers were invented and are used to
17
not only record IMSIs when they have to be sent. But also to force ME to send
18
their IMSI by immitating a Base Transceiver Station (BTS). IMSI catchers have
19
become small and affordable, even criminals actors without much budget can use
20
them to track anybody with a mobile phone.
21
22 bf33c75a Oliver Smith
=== Summary of Proposed Solution
23
24 5c95bc9c Oliver Smith
The solution presented in this document is to periodically change the IMSI of
25
the ME to a new pseudonymous IMSI allocated by the Home Location Register (HLR)
26 bf33c75a Oliver Smith
or Home Subscriber Service (HSS). The next pseudonymous IMSI is sent to the SIM
27
via Short Message Service (SMS), then a SIM applet overwrites the IMSI of the
28
SIM with the new value. The only component that needs to be changed in the
29
network besides the SIM is the HLR/HSS, therefore it should be possible even
30
for a Mobile Virtual Network Operator (MVNO) to deploy this privacy
31 5c95bc9c Oliver Smith
enhancement.
32
33 bf33c75a Oliver Smith
=== Summary of Existing Location Updating Procedures in RAN and CN
34 5c95bc9c Oliver Smith
35 6f9f2186 Oliver Smith
The subscriber's SIM is provisioned with the IMSI and cryptographic keys of a
36
subscriber, after the subscriber was added with the same data to the HLR/HSS.
37
In the Remote Access Network (RAN), the IMSI is sent over the air interface and
38
then transmitted to the Core Network (CN), where it is validated by the
39
HLR/HSS. The involved components vary by the generation of the network and
40
whether the SIM is attempting a Circuit Switched (CS) or Packet Switched (PS)
41
connection, but the principle is the same. This document uses 2G CS Location
42
Updating for reference, as in <<figure-imsi-regular>>.
43 7afd7010 Oliver Smith
44
The IMSI is transmitted in the Location Updating Request from ME. The VLR
45
needs an authentication challenge specific to the secret keys on the SIM to
46
authenticate the SIM, and looks the authentication challenges up by the IMSI.
47
If the VLR does not have any more authentication challenges for the IMSI (as it
48
happens when the VLR sees the IMSI for the first time), the VLR requests new
49
authentication challenges from the HLR. Then the HLR verifies that the IMSI is
50
known and, if it is unknown, sends back an error that will terminate the
51
Location Updating procedure.
52
53
After the VLR found the authentication challenge, it authenticates the SIM, and
54
performs a Classmark Enquiry and Physical Channel Reconfiguration. Then the VLR
55
has the required information to finish the Location Updating, and continues
56 206a0fa9 Oliver Smith
with Process Update_Location_HLR (3GPP TS 29.002). Afterwards, the VLR assigns
57
a new TMSI with the Location Updating Accept, which is acknowledged by the TMSI
58
Reallocation Complete. In following Location Updates with the same MSC, the ME
59
sends the TMSI instead of the IMSI in the Location Updating Request.
60 7afd7010 Oliver Smith
61
[[figure-imsi-regular]]
62
.Location Updating in 2G CS with IMSI
63
["mscgen"]
64
----
65
msc {
66
  hscale="1.75";
67
  ME [label="ME"], BTS [label="BTS"], BSC [label="BSC"], MSC [label="MSC/VLR"],
68
  HLR [label="HLR"];
69
70
  // BTS <=> BSC: RSL
71
  // BSC <=> MSC: BSSAP, RNSAP
72
  // MSC <=> HLR: MAP (process Update_Location_HLR, 3GPP TS 29.002)
73
74
  ME   => BTS [label="Location Updating Request"];
75
  BTS  => BSC [label="Location Updating Request"];
76
  BSC  => MSC [label="Location Updating Request"];
77
78 7e33ef5e Oliver Smith
  --- [label="If necessary: VLR requests new authentication challenges for this IMSI"];
79 7afd7010 Oliver Smith
  MSC  => HLR [label="Send Auth Info Request"];
80
  MSC <=  HLR [label="Send Auth Info Result"];
81
  ---;
82
83
  BSC <=  MSC [label="Authentication Request"];
84
  BTS <=  BSC [label="Authentication Request"];
85
  ME  <=  BTS [label="Authentication Request"];
86
  ME   => BTS [label="Authentication Response"];
87
  BTS  => BSC [label="Authentication Response"];
88
  BSC  => MSC [label="Authentication Response"];
89
  BSC <=  MSC [label="Classmark Enquiry"];
90
  BTS <=  BSC [label="Classmark Enquiry"];
91
  ME  <=  BTS [label="Classmark Enquiry"];
92
  ME   => BTS [label="Classmark Change"];
93
  BTS  => BSC [label="Classmark Change"];
94
  BSC  => MSC [label="Classmark Update"];
95
  BSC <=  MSC [label="Physical Channel Reconfiguration"];
96
  BTS <=  BSC [label="Ciphering Mode Command"];
97
  ME  <=  BTS [label="Ciphering Mode Command"];
98 8c81b556 Oliver Smith
  ME   => BTS [label="Ciphering Mode Complete"];
99 7afd7010 Oliver Smith
  BTS  => BSC [label="Ciphering Mode Complete"];
100
  BSC  => MSC [label="Ciphering Mode Complete"];
101
102 206a0fa9 Oliver Smith
  --- [label="Process Update_Location_HLR (3GPP TS 29.002)"];
103 7afd7010 Oliver Smith
  MSC  => HLR [label="Update Location Request"];
104
  MSC <=  HLR [label="Insert Subscriber Data Request"];
105
  MSC  => HLR [label="Insert Subscriber Data Result"];
106
  MSC <=  HLR [label="Update Location Result"];
107 206a0fa9 Oliver Smith
  ---;
108 7afd7010 Oliver Smith
109
  BSC <=  MSC [label="Location Updating Accept"];
110
  BTS <=  BSC [label="Location Updating Accept"];
111
  ME  <=  BTS [label="Location Updating Accept"];
112
  ME   => BTS [label="TMSI Reallocation Complete"];
113
  BTS  => BSC [label="TMSI Reallocation Complete"];
114 2c8a19c1 Oliver Smith
  BSC  => MSC [label="TMSI Reallocation Complete"];
115 7afd7010 Oliver Smith
}
116
----
117
118 bf33c75a Oliver Smith
<<<
119 2c8a19c1 Oliver Smith
== Required Changes
120 6f9f2186 Oliver Smith
121 64d154ce Oliver Smith
[[hlr-imsi-pseudo-storage]]
122 bf33c75a Oliver Smith
=== Pseudonymous IMSI Storage in the HLR
123
124
The HLR must store up to two pseudonymous IMSIs (imsi_pseudo) and their related
125
counters (imsi_pseudo_i) per subscriber. Each subscriber initially has one
126
pseudonymous IMSI allocated. A subscriber has two valid pseudonymous IMSIs
127
only during the transition phase from the old pseudonymous IMSI to the new one.
128
The amount of available IMSIs must be higher than the amount of subscribers
129
registered with the HLR. If the amount of available IMSIs is too short, the HLR
130
can delay assigning new pseudonymous IMSIs until new IMSIs are available again.
131
132
.Examples for additional subscriber data in HLR
133
|===
134
| Subscriber ID | imsi_pseudo | imsi_pseudo_i
135
// example IMSIs taken from Wikipedia
136
| 123
137
| 310150123456789
138
| 1
139
140
| 234
141
| 502130123456789
142
| 1
143 6f9f2186 Oliver Smith
144 bf33c75a Oliver Smith
| 234
145
| 460001357924680
146
| 2
147
|===
148 6f9f2186 Oliver Smith
149 bf33c75a Oliver Smith
==== imsi_pseudo
150 6f9f2186 Oliver Smith
151 bf33c75a Oliver Smith
The value for imsi_pseudo is a random choice from the pool of available IMSIs
152
that the HLR controls. The pseudonymous IMSI must not be used by any subscriber
153
as pseudonymous IMSI yet, but may be the real IMSI of a subscriber.
154
155 8b68e4ec Oliver Smith
[[hlr-imsi-pseudo-i]]
156 bf33c75a Oliver Smith
==== imsi_pseudo_i
157
158
The counter imsi_pseudo_i indicates how often a subscriber's pseudonymous IMSI
159 8c81b556 Oliver Smith
was changed. The value is 1 for the first allocated pseudonymous IMSI of a
160
subscriber. When allocating a new pseudonymous IMSI for the same subscriber,
161
the new imsi_pseudo_i value is increased by 1. The counter is used by the SIM
162 bf33c75a Oliver Smith
applet to detect and ignore outdated requests related to changing the
163
pseudonymous IMSI.
164
165
=== SIM Provisioning
166 6f9f2186 Oliver Smith
167 8b68e4ec Oliver Smith
The HLR is allocating a pseudonymous IMSI for the subscriber. This pseudonymous
168
IMSI is stored as IMSI on the subscriber's SIM instead of the real IMSI.
169
170
==== SIM applet
171
172
The SIM is provisioned with a SIM applet, which is able to change the IMSI once
173
the next pseudonymous IMSI arrives from the HLR. A reference implementation is
174
provided in <<reference-src>>.
175
176
The SIM applet registers to a suitable SMS trigger (3GPP TS 03.19, Section
177
6.2). When an SMS from the HLR in the format of <<sms-format>> arrives, the
178
applet must verify that the SMS is not outdated by comparing imsi_pseudo_i from
179
the SMS with the last imsi_pseudo_i that was used when changing the IMSI
180
(initially 1 as in <<hlr-imsi-pseudo-i>>). The new value must be higher,
181
otherwise the SMS should not be processed further.
182
183
The SIM applet registers a timer with min_sleep_time from the SMS. When the
184
timer triggers, the IMSI of the SIM is overwritten with the new pseudonymous
185
IMSI, the TMSI and GSM Ciphering key Kc (3GPP TS 31.102, Section 4.4.3.1) are
186
invalidated. The current imsi_pseudo_i value is stored to compare it with the
187
next SMS. Afterwards, the EF~IMSI~ changing procedure in 3GPP TS 11.14, Section
188
6.4.7.1 is executed to apply the new IMSI.
189
190
// FIXME: do we need to enforce the LU now, with an arbitrary CM Service
191
// Request, or would this only be necessary for Osmocom? (OS#4404)
192 206a0fa9 Oliver Smith
=== Process Update_Location_HLR
193
194
All IMSI Pseudonymization related changes to Process Update_Location_HLR
195 64d154ce Oliver Smith
(3GPP TS 29.002) are optional. Deviations from the existing specification that
196
are outlined in this section are expected to be enabled or disabled entirely
197
where IMSI pseudonymization is implemented.
198 206a0fa9 Oliver Smith
199 ef43ac3a Oliver Smith
[[figure-imsi-pseudo]]
200 206a0fa9 Oliver Smith
.Process Update_Location_HLR with IMSI pseudonymization changes
201
["mscgen"]
202
----
203
msc {
204
  hscale="1.75";
205
  MSC [label="MSC/VLR"], SMSC [label="SMS-SC"], HLR [label="HLR"];
206
207
  MSC   => HLR  [label="Update Location Request"];
208 7e33ef5e Oliver Smith
209
  --- [label="If new pseudonymous IMSI was used: deallocate and cancel old pseudonymous IMSI"];
210 64d154ce Oliver Smith
  HLR  box HLR  [label="Deallocate old pseudonymous IMSI"];
211 7e33ef5e Oliver Smith
  MSC  <=  HLR  [label="Cancel Location Request"];
212
  MSC   => HLR  [label="Cancel Location Result"];
213
  ---;
214
215 206a0fa9 Oliver Smith
  MSC  <=  HLR  [label="Insert Subscriber Data Request"];
216
  MSC   => HLR  [label="Insert Subscriber Data Result"];
217 64d154ce Oliver Smith
  HLR  box HLR  [label="Start Next_Pseudo_IMSI_Timer"];
218 206a0fa9 Oliver Smith
  MSC  <=  HLR  [label="Update Location Result"];
219 64d154ce Oliver Smith
  MSC  box MSC  [label="Finish Location Updating with ME"],
220 206a0fa9 Oliver Smith
221 64d154ce Oliver Smith
  HLR  box HLR  [label="Wait for Next_Pseudo_IMSI_Timer expiry"];
222 206a0fa9 Oliver Smith
  |||;
223
  ...;
224
  |||;
225 64d154ce Oliver Smith
  HLR  box HLR  [label="Next_Pseudo_IMSI_Timer expired"];
226 7e33ef5e Oliver Smith
227 64d154ce Oliver Smith
  HLR  box HLR  [label="\nAllocate new pseudonymous IMSI\nif subscriber has only one allocated\n"];
228 206a0fa9 Oliver Smith
  SMSC <=  HLR  [label="Next Pseudonymous IMSI SMS"];
229
  SMSC box SMSC [label="Deliver SMS to ME"];
230
}
231
----
232 5c95bc9c Oliver Smith
233 ef43ac3a Oliver Smith
==== Update Location Request
234 64d154ce Oliver Smith
235 ef43ac3a Oliver Smith
When Update Location Request arrives, the HLR does not look up the subscriber
236
by the IMSI, but by the pseudonymous IMSI instead. Unless the subscriber has
237
two pseudonymous IMSI allocated and used the old pseudonymous IMSI in the
238
Update Location Request, this is followed by the existing logic to continue with
239
Insert Subscriber Data Request.
240
241
===== Update Location Request With New Pseudonymous IMSI
242
243
If the subscriber has two pseudonymous IMSIs allocated, and the newer entry was
244
used (higher imsi_pseudo_i, see <<hlr-imsi-pseudo-i>>), this section applies.
245
The older pseudonymous IMSI is deallocated in the HLR. This is done as early
246
as possible, so the timeframe where two pseudonymous IMSI are allocated for one
247
subscriber is short.
248
249
A Cancel Location Request with the old pseudonymous IMSI is sent to the VLR, so
250
the conflicting subscriber entry with the old pseudonymous IMSI is deleted from
251
the VLR. Receiving a Cancel Location Result is followed by the existing logic
252
to continue with Insert Subscriber Data Request.
253
254
===== Update Location Request With Old Pseudonymous IMSI
255
256
If the subscriber has two pseudonymous IMSIs allocated, and the older entry was
257
used (lower imsi_pseudo_i, see <<hlr-imsi-pseudo-i>>), the newer entry is _not_
258
deallocated. This could lock out the subscriber from the network if the SMS
259
with the new pseudonymous IMSI arrives with a delay.
260
261
==== Insert Subscriber Data Result
262
263 64d154ce Oliver Smith
When Insert Subscriber Data Result arrives, a subscriber specific
264
Next_Pseudo_IMSI_Timer starts.
265 ef43ac3a Oliver Smith
266
==== Next_Pseudo_IMSI_Timer Expires
267
268 64d154ce Oliver Smith
If the subscriber has only one pseudonymous IMSI allocated, and the amount of
269
available IMSIs in the HLR is high enough, a second pseudonymous IMSI and
270
related imsi_pseudo_i gets allocated for the subscriber (as described in
271
<<hlr-imsi-pseudo-storage>>).
272
273
If the subscriber still has only one pseudonymous IMSI, because not enough
274
IMSIs were available in the HLR, the process is aborted here and no SMS with
275
a next pseudonymous IMSI is sent to the subscriber. The subscriber will get a
276
new pseudonymous IMSI during the next Location Updating Procedure, if the HLR
277
has enough IMSIs available at that point.
278
279
An SMS is sent to the SMS - Service Centre (SMS-SC) with the newer pseudonymous
280
IMSI (higher imsi_pseudo_i, see <<hlr-imsi-pseudo-i>>) and related
281
imsi_pseudo_i value.
282 ef43ac3a Oliver Smith
283
[[sms-format]]
284
==== SMS Format
285
286
* min_sleep_time
287
* imsi_pseudo
288
* imsi_pseudo_i
289
290 2c8a19c1 Oliver Smith
== Error Scenarios
291
=== Next Pseudonymous IMSI SMS is Lost
292
=== SMS Arrives Late
293 5c95bc9c Oliver Smith
294 8b68e4ec Oliver Smith
// === SMS Arrives Before Timer Expires
295
// FIXME: OS#4486
296
297
[[reference-src]]
298 2c8a19c1 Oliver Smith
== Reference Implementation with Source Code
299 5c95bc9c Oliver Smith
300 2c8a19c1 Oliver Smith
== Recommendations for Real-World Implementations
301
=== ATT = 0
302 5c95bc9c Oliver Smith
=== End to End Encryption of SMS
303 2c8a19c1 Oliver Smith
=== Warning the User if the IMSI Does Not Change
304 5c95bc9c Oliver Smith
=== User-configurable Minimum Duration Between IMSI Changes
305 2c8a19c1 Oliver Smith
306
<<<
307
include::./common/chapters/gfdl.adoc[]
Add picture from clipboard (Maximum size: 48.8 MB)