|
1
|
= Specification for IMSI Pseudonymization on the Radio Interface for 2G and Above
|
|
2
|
|
|
3
|
== Introduction
|
|
4
|
|
|
5
|
=== Protecting the IMSI on the Radio Interface is Desirable
|
|
6
|
|
|
7
|
A long-standing issue in the 3GPP specifications is, that mobile phones and
|
|
8
|
other mobile equipment (ME) have to send the International Mobile Subscriber
|
|
9
|
Identity (IMSI) unencrypted over the air. Each IMSI is uniquely identifying the
|
|
10
|
person who bought the associated Subscriber Identity Module (SIM) used in the
|
|
11
|
ME. Therefore most people can be uniquely identified by recording the IMSI that
|
|
12
|
their ME is sending. Efforts are made in the 2G and above specifications to
|
|
13
|
send the IMSI less often, by using the Temporary Mobile Subscriber Identity
|
|
14
|
(TMSI) where possible.
|
|
15
|
|
|
16
|
But this is not enough. So-called IMSI catchers were invented and are used to
|
|
17
|
not only record IMSIs when they have to be sent. But also to force ME to send
|
|
18
|
their IMSI by immitating a Base Transceiver Station (BTS). IMSI catchers have
|
|
19
|
become small and affordable, even criminals actors without much budget can use
|
|
20
|
them to track anybody with a mobile phone.
|
|
21
|
|
|
22
|
=== Summary of Proposed Solution
|
|
23
|
|
|
24
|
The solution presented in this document is to periodically change the IMSI of
|
|
25
|
the ME to a new pseudonymous IMSI allocated by the Home Location Register (HLR)
|
|
26
|
or Home Subscriber Service (HSS). The next pseudonymous IMSI is sent to the SIM
|
|
27
|
via Short Message Service (SMS), then a SIM applet overwrites the IMSI of the
|
|
28
|
SIM with the new value. The only component that needs to be changed in the
|
|
29
|
network besides the SIM is the HLR/HSS, therefore it should be possible even
|
|
30
|
for a Mobile Virtual Network Operator (MVNO) to deploy this privacy
|
|
31
|
enhancement.
|
|
32
|
|
|
33
|
=== Summary of Existing Location Updating Procedures in RAN and CN
|
|
34
|
|
|
35
|
The subscriber's SIM is provisioned with the IMSI and cryptographic keys of a
|
|
36
|
subscriber, after the subscriber was added with the same data to the HLR/HSS.
|
|
37
|
In the Remote Access Network (RAN), the IMSI is sent over the air interface and
|
|
38
|
then transmitted to the Core Network (CN), where it is validated by the
|
|
39
|
HLR/HSS. The involved components vary by the generation of the network and
|
|
40
|
whether the SIM is attempting a Circuit Switched (CS) or Packet Switched (PS)
|
|
41
|
connection, but the principle is the same. This document uses 2G CS Location
|
|
42
|
Updating for reference, as in <<figure-imsi-regular>>.
|
|
43
|
|
|
44
|
The IMSI is transmitted in the Location Updating Request from ME. The VLR
|
|
45
|
needs an authentication challenge specific to the secret keys on the SIM to
|
|
46
|
authenticate the SIM, and looks the authentication challenges up by the IMSI.
|
|
47
|
If the VLR does not have any more authentication challenges for the IMSI (as it
|
|
48
|
happens when the VLR sees the IMSI for the first time), the VLR requests new
|
|
49
|
authentication challenges from the HLR. Then the HLR verifies that the IMSI is
|
|
50
|
known and, if it is unknown, sends back an error that will terminate the
|
|
51
|
Location Updating procedure.
|
|
52
|
|
|
53
|
After the VLR found the authentication challenge, it authenticates the SIM, and
|
|
54
|
performs a Classmark Enquiry and Physical Channel Reconfiguration. Then the VLR
|
|
55
|
has the required information to finish the Location Updating, and continues
|
|
56
|
with Process Update_Location_HLR (3GPP TS 29.002). Afterwards, the VLR assigns
|
|
57
|
a new TMSI with the Location Updating Accept, which is acknowledged by the TMSI
|
|
58
|
Reallocation Complete. In following Location Updates with the same MSC, the ME
|
|
59
|
sends the TMSI instead of the IMSI in the Location Updating Request.
|
|
60
|
|
|
61
|
[[figure-imsi-regular]]
|
|
62
|
.Location Updating in 2G CS with IMSI
|
|
63
|
["mscgen"]
|
|
64
|
----
|
|
65
|
msc {
|
|
66
|
hscale="1.75";
|
|
67
|
ME [label="ME"], BTS [label="BTS"], BSC [label="BSC"], MSC [label="MSC/VLR"],
|
|
68
|
HLR [label="HLR"];
|
|
69
|
|
|
70
|
// BTS <=> BSC: RSL
|
|
71
|
// BSC <=> MSC: BSSAP, RNSAP
|
|
72
|
// MSC <=> HLR: MAP (process Update_Location_HLR, 3GPP TS 29.002)
|
|
73
|
|
|
74
|
ME => BTS [label="Location Updating Request"];
|
|
75
|
BTS => BSC [label="Location Updating Request"];
|
|
76
|
BSC => MSC [label="Location Updating Request"];
|
|
77
|
|
|
78
|
--- [label="VLR requests new authentication challenges for this IMSI if necessary"];
|
|
79
|
MSC => HLR [label="Send Auth Info Request"];
|
|
80
|
MSC <= HLR [label="Send Auth Info Result"];
|
|
81
|
---;
|
|
82
|
|
|
83
|
BSC <= MSC [label="Authentication Request"];
|
|
84
|
BTS <= BSC [label="Authentication Request"];
|
|
85
|
ME <= BTS [label="Authentication Request"];
|
|
86
|
ME => BTS [label="Authentication Response"];
|
|
87
|
BTS => BSC [label="Authentication Response"];
|
|
88
|
BSC => MSC [label="Authentication Response"];
|
|
89
|
BSC <= MSC [label="Classmark Enquiry"];
|
|
90
|
BTS <= BSC [label="Classmark Enquiry"];
|
|
91
|
ME <= BTS [label="Classmark Enquiry"];
|
|
92
|
ME => BTS [label="Classmark Change"];
|
|
93
|
BTS => BSC [label="Classmark Change"];
|
|
94
|
BSC => MSC [label="Classmark Update"];
|
|
95
|
BSC <= MSC [label="Physical Channel Reconfiguration"];
|
|
96
|
BTS <= BSC [label="Ciphering Mode Command"];
|
|
97
|
ME <= BTS [label="Ciphering Mode Command"];
|
|
98
|
ME => BTS [label="Ciphering Mode Complete"];
|
|
99
|
BTS => BSC [label="Ciphering Mode Complete"];
|
|
100
|
BSC => MSC [label="Ciphering Mode Complete"];
|
|
101
|
|
|
102
|
--- [label="Process Update_Location_HLR (3GPP TS 29.002)"];
|
|
103
|
MSC => HLR [label="Update Location Request"];
|
|
104
|
MSC <= HLR [label="Insert Subscriber Data Request"];
|
|
105
|
MSC => HLR [label="Insert Subscriber Data Result"];
|
|
106
|
MSC <= HLR [label="Update Location Result"];
|
|
107
|
---;
|
|
108
|
|
|
109
|
BSC <= MSC [label="Location Updating Accept"];
|
|
110
|
BTS <= BSC [label="Location Updating Accept"];
|
|
111
|
ME <= BTS [label="Location Updating Accept"];
|
|
112
|
ME => BTS [label="TMSI Reallocation Complete"];
|
|
113
|
BTS => BSC [label="TMSI Reallocation Complete"];
|
|
114
|
BSC => MSC [label="TMSI Reallocation Complete"];
|
|
115
|
}
|
|
116
|
----
|
|
117
|
|
|
118
|
<<<
|
|
119
|
== Required Changes
|
|
120
|
|
|
121
|
=== Pseudonymous IMSI Storage in the HLR
|
|
122
|
|
|
123
|
The HLR must store up to two pseudonymous IMSIs (imsi_pseudo) and their related
|
|
124
|
counters (imsi_pseudo_i) per subscriber. Each subscriber initially has one
|
|
125
|
pseudonymous IMSI allocated. A subscriber has two valid pseudonymous IMSIs
|
|
126
|
only during the transition phase from the old pseudonymous IMSI to the new one.
|
|
127
|
The amount of available IMSIs must be higher than the amount of subscribers
|
|
128
|
registered with the HLR. If the amount of available IMSIs is too short, the HLR
|
|
129
|
can delay assigning new pseudonymous IMSIs until new IMSIs are available again.
|
|
130
|
|
|
131
|
.Examples for additional subscriber data in HLR
|
|
132
|
|===
|
|
133
|
| Subscriber ID | imsi_pseudo | imsi_pseudo_i
|
|
134
|
// example IMSIs taken from Wikipedia
|
|
135
|
| 123
|
|
136
|
| 310150123456789
|
|
137
|
| 1
|
|
138
|
|
|
139
|
| 234
|
|
140
|
| 502130123456789
|
|
141
|
| 1
|
|
142
|
|
|
143
|
| 234
|
|
144
|
| 460001357924680
|
|
145
|
| 2
|
|
146
|
|===
|
|
147
|
|
|
148
|
==== imsi_pseudo
|
|
149
|
|
|
150
|
The value for imsi_pseudo is a random choice from the pool of available IMSIs
|
|
151
|
that the HLR controls. The pseudonymous IMSI must not be used by any subscriber
|
|
152
|
as pseudonymous IMSI yet, but may be the real IMSI of a subscriber.
|
|
153
|
|
|
154
|
[[hlr-imsi-pseudo-i]]
|
|
155
|
==== imsi_pseudo_i
|
|
156
|
|
|
157
|
The counter imsi_pseudo_i indicates how often a subscriber's pseudonymous IMSI
|
|
158
|
was changed. The value is 1 for the first allocated pseudonymous IMSI of a
|
|
159
|
subscriber. When allocating a new pseudonymous IMSI for the same subscriber,
|
|
160
|
the new imsi_pseudo_i value is increased by 1. The counter is used by the SIM
|
|
161
|
applet to detect and ignore outdated requests related to changing the
|
|
162
|
pseudonymous IMSI.
|
|
163
|
|
|
164
|
=== SIM Provisioning
|
|
165
|
|
|
166
|
The HLR is allocating a pseudonymous IMSI for the subscriber. This pseudonymous
|
|
167
|
IMSI is stored as IMSI on the subscriber's SIM instead of the real IMSI.
|
|
168
|
|
|
169
|
==== SIM applet
|
|
170
|
|
|
171
|
The SIM is provisioned with a SIM applet, which is able to change the IMSI once
|
|
172
|
the next pseudonymous IMSI arrives from the HLR. A reference implementation is
|
|
173
|
provided in <<reference-src>>.
|
|
174
|
|
|
175
|
The SIM applet registers to a suitable SMS trigger (3GPP TS 03.19, Section
|
|
176
|
6.2). When an SMS from the HLR in the format of <<sms-format>> arrives, the
|
|
177
|
applet must verify that the SMS is not outdated by comparing imsi_pseudo_i from
|
|
178
|
the SMS with the last imsi_pseudo_i that was used when changing the IMSI
|
|
179
|
(initially 1 as in <<hlr-imsi-pseudo-i>>). The new value must be higher,
|
|
180
|
otherwise the SMS should not be processed further.
|
|
181
|
|
|
182
|
The SIM applet registers a timer with min_sleep_time from the SMS. When the
|
|
183
|
timer triggers, the IMSI of the SIM is overwritten with the new pseudonymous
|
|
184
|
IMSI, the TMSI and GSM Ciphering key Kc (3GPP TS 31.102, Section 4.4.3.1) are
|
|
185
|
invalidated. The current imsi_pseudo_i value is stored to compare it with the
|
|
186
|
next SMS. Afterwards, the EF~IMSI~ changing procedure in 3GPP TS 11.14, Section
|
|
187
|
6.4.7.1 is executed to apply the new IMSI.
|
|
188
|
|
|
189
|
// FIXME: do we need to enforce the LU now, with an arbitrary CM Service
|
|
190
|
// Request, or would this only be necessary for Osmocom? (OS#4404)
|
|
191
|
|
|
192
|
=== Process Update_Location_HLR
|
|
193
|
|
|
194
|
All IMSI Pseudonymization related changes to Process Update_Location_HLR
|
|
195
|
(3GPP TS 29.002) are optional. All deviations from the existing specification
|
|
196
|
that are outlined in this section are expected to be enabled or disabled
|
|
197
|
entirely where IMSI pseudonymization is implemented.
|
|
198
|
|
|
199
|
* HLR looks up subscriber by pseudonymous imsi in Update Location Request
|
|
200
|
* if two pseudo imsi found, and connected with new one: dealloc old entry
|
|
201
|
* if two pseudo imsi found and connected with old one: do not dealloc!
|
|
202
|
|
|
203
|
* after update location result: set new timer for sending next IMSI to random delay
|
|
204
|
|
|
205
|
==== Send Next Pseudonymous IMSI
|
|
206
|
|
|
207
|
* if subscriber has two pseudo IMSI, send the new one
|
|
208
|
* if subscriber has only one pseudo IMSI:
|
|
209
|
* abort if not enough IMSIs available
|
|
210
|
* generate new pseudo IMSI as described earlier
|
|
211
|
* set imsi_pseudo_i like last one + 1
|
|
212
|
* send SMS to subscriber's SIM
|
|
213
|
|
|
214
|
[[sms-format]]
|
|
215
|
==== SMS Format
|
|
216
|
|
|
217
|
* min_sleep_time
|
|
218
|
* imsi_pseudo
|
|
219
|
* imsi_pseudo_i
|
|
220
|
|
|
221
|
[[figure-]]
|
|
222
|
.Process Update_Location_HLR with IMSI pseudonymization changes
|
|
223
|
["mscgen"]
|
|
224
|
----
|
|
225
|
msc {
|
|
226
|
hscale="1.75";
|
|
227
|
MSC [label="MSC/VLR"], SMSC [label="SMS-SC"], HLR [label="HLR"];
|
|
228
|
|
|
229
|
MSC => HLR [label="Update Location Request"];
|
|
230
|
HLR box HLR [label="\nDeallocate old Pseudonymous IMSI,\n if new Pseudonymous IMSI was used\n"];
|
|
231
|
MSC <= HLR [label="Insert Subscriber Data Request"];
|
|
232
|
MSC => HLR [label="Insert Subscriber Data Result"];
|
|
233
|
HLR box HLR [label="Start Next_Pseudo_IMSI_Timer"];
|
|
234
|
MSC <= HLR [label="Update Location Result"];
|
|
235
|
|
|
236
|
MSC box MSC [label="Finish Location Updating with ME"],
|
|
237
|
HLR box HLR [label="Wait for Next_Pseudo_IMSI_Timer expiry"];
|
|
238
|
|||;
|
|
239
|
...;
|
|
240
|
|||;
|
|
241
|
HLR box HLR [label="Next_Pseudo_IMSI_Timer expired"];
|
|
242
|
HLR box HLR [label="\nAllocate new Pseudonymous IMSI\nif subscriber only has one allocated\n"];
|
|
243
|
SMSC <= HLR [label="Next Pseudonymous IMSI SMS"];
|
|
244
|
SMSC box SMSC [label="Deliver SMS to ME"];
|
|
245
|
}
|
|
246
|
----
|
|
247
|
|
|
248
|
== Error Scenarios
|
|
249
|
=== Next Pseudonymous IMSI SMS is Lost
|
|
250
|
=== SMS Arrives Late
|
|
251
|
|
|
252
|
// === SMS Arrives Before Timer Expires
|
|
253
|
// FIXME: OS#4486
|
|
254
|
|
|
255
|
[[reference-src]]
|
|
256
|
== Reference Implementation with Source Code
|
|
257
|
|
|
258
|
== Recommendations for Real-World Implementations
|
|
259
|
=== ATT = 0
|
|
260
|
=== End to End Encryption of SMS
|
|
261
|
=== Warning the User if the IMSI Does Not Change
|
|
262
|
=== User-configurable Minimum Duration Between IMSI Changes
|
|
263
|
|
|
264
|
<<<
|
|
265
|
include::./common/chapters/gfdl.adoc[]
|
