2 Subscriber identity confidentiality

03.203GPPRelease 1999Security related network functionsTS

2.1 Generality

The purpose of this function is to avoid the possibility for an intruder to identify which subscriber is using a given resource on the radio path (e.g. TCH (Traffic Channel) or signalling resources) by listening to the signalling exchanges on the radio path. This allows both a high level of confidentiality for user data and signalling and protection against the tracing of a user’s location.

The provision of this function implies that the IMSI (International Mobile Subscriber Identity), or any information allowing a listener to derive the IMSI easily, should not normally be transmitted in clear text in any signalling message on the radio path.

Consequently, to obtain the required level of protection, it is necessary that:

– a protected identifying method is normally used instead of the IMSI on the radio path; and

– the IMSI is not normally used as addressing means on the radio path (see GSM 02.09);

– when the signalling procedures permit it, signalling information elements that convey information about the mobile subscriber identity must be ciphered for transmission on the radio path.

The identifying method is specified in the following subclause. The ciphering of communication over the radio path is specified in clause 4.

2.2 Identifying method

The means used to identify a mobile subscriber on the radio path consists of a TMSI (Temporary Mobile Subscriber Identity). This TMSI is a local number, having a meaning only in a given location area; the TMSI must be accompanied by the LAI (Location Area Identification) to avoid ambiguities. The maximum length and guidance for defining the format of a TMSI are specified in GSM 03.03.

The network (e.g. a VLR) manages suitable data bases to keep the relation between TMSIs and IMSIs. When a TMSI is received with an LAI that does not correspond to the current VLR, the IMSI of the MS must be requested from the VLR in charge of the indicated location area if its address is known; otherwise the IMSI is requested from the MS.

A new TMSI must be allocated at least in each location updating procedure. The allocation of a new TMSI corresponds implicitly for the MS to the de-allocation of the previous one. In the fixed part of the network, the cancellation of the record for an MS in a VLR implies the de-allocation of the corresponding TMSI.

To cope with some malfunctioning, e.g. arising from a software failure, the fixed part of the network can require the identification of the MS in clear. This procedure is a breach in the provision of the service, and should be used only when necessary.

When a new TMSI is allocated to an MS, it is transmitted to the MS in a ciphered mode. This ciphered mode is the same as defined in clause 4.

The MS must store its current TMSI in a non volatile memory, together with the LAI, so that these data are not lost when the MS is switched off.

2.3 Procedures

This subclause presents the procedures, or elements of procedures, pertaining to the management of TMSIs.

2.3.1 Location updating in the same MSC area

This procedure is part of the location updating procedure which takes place when the original location area and the new location area depend on the same MSC. The part of this procedure relative to TMSI management is reduced to a TMSI re-allocation (from TMSIo with "o" for "old" to TMSIn with "n" for "new").

The MS sends TMSIo as an identifying field at the beginning of the location updating procedure.

The procedure is schematized in figure 2.1.

Figure 2.1: Location updating in the same MSC area

Signalling Functionalities:

Management of means for new ciphering:

The MS and BSS/MSC/VLR agree on means for ciphering signalling information elements, in particular to transmit TMSIn.

2.3.2 Location updating in a new MSCs area, within the same VLR area

This procedure is part of the location updating procedure which takes place when the original location area and the new location area depend on different MSCs, but on the same VLR.

The procedure is schematized on figure 2.2.

NOTE: From a security point of view, the order of the procedures is irrelevant.

Figure 2.2: Location updating in a new MSCs area, within the same VLR area

Signalling functionalities:

Loc.Updating:

stands for Location Updating

The BSS/MSC/VLR indicates that the location of the MS must be updated.

2.3.3 Location updating in a new VLR; old VLR reachable

This procedure is part of the normal location updating procedure, using TMSI and LAI, when the original location area and the new location area depend on different VLRs.

The MS is still registered in VLRo ("o" for old or original) and requests registration in VLRn ("n" for new). LAI and TMSIo are sent by MS as identifying fields during the location updating procedure.

The procedure is schematized in figure 2.3.

NOTE: From a security point of view, the order of the procedures is irrelevant.

Figure 2.3: Location updating in a new VLR; old VLR reachable

Signalling functionalities:

Sec.Rel.Info.:

Stands for Security Related information

The MSC/VLRn needs some information for authentication and ciphering; this information is obtained from MSC/VLRo.

Cancellation:

The HLR indicates to VLRo that the MS is now under control of another VLR. The "old" TMSI is free for allocation.

2.3.4 Location Updating in a new VLR; old VLR not reachable

This variant of the procedure in subclause 2.3.3 arises when the VLR receiving the LAI and TMSIo cannot identify the VLRo. In that case the relation between TMSIo and IMSI is lost, and the identification of the MS in clear is necessary.

The procedure is schematized in figure 2.4.

NOTE: From a security point of view, the order of the procedures is irrelevant.

Figure 2.4: Location Updating in a new VLR; old VLR not reachable

2.3.5 Reallocation of a new TMSI

This function can be initiated by the network whenever a radio connection exists. The procedure can be included in other procedures, e.g. through the means of optional parameters. The execution of this function is left to the network operator.

When a new TMSI is allocated to an MS the network must prevent the old TMSI from being allocated again until the MS has acknowledged the allocation of the new TMSI.

If an IMSI record is deleted in the VLR by O&M action, the network must prevent any TMSI associated with the deleted IMSI record from being allocated again until a new TMSI is successfully allocated to that IMSI.

If an IMSI record is deleted in the HLR by O&M action, it is not possible to prevent any TMSI associated with the IMSI record from being allocated again. However, if the MS whose IMSI record was deleted should attempt to access the network using the TMSI after the TMSI has been allocated to a different IMSI, then authentication or ciphering of the MS whose IMSI was deleted will almost certainly fail, which will cause the TMSI to be deleted from the MS.

The case where allocation of a new TMSI is unsuccessful is described in subclause 2.3.8.

This procedure is schematized in figure 2.5.

Figure 2.5: Reallocation of a new TMSI

2.3.6 Local TMSI unknown

This procedure is a variant of the procedure described in subclauses 2.3.1 and 2.3.2, and happens when a data loss has occurred in a VLR and when a MS uses an unknown TMSI, e.g. for a communication request or for a location updating request in a location area managed by the same VLR.

This procedure is schematized in figure 2.6.

NOTE: Any message in which TMSIo is used as an identifying means in a location area managed by the same VLR.

Figure 2.6: Location updating in the same MSC area; local TMSI unknown

2.3.7 Location updating in a new VLR in case of a loss of information

This variant of the procedure described in 2.3.3 arises when the VLR in charge of the MS has suffered a loss of data. In that case the relation between TMSIo and IMSI is lost, and the identification of the MS in clear is necessary.

The procedure is schematized in figure 2.7.

NOTE: From a security point of view, the order of the procedures is irrelevant.

Figure 2.7: Location updating in a new VLR in case of a loss of information

2.3.8 Unsuccessful TMSI allocation

If the MS does not acknowledge the allocation of a new TMSI, the network shall maintain the association between the old TMSI and the IMSI and between the new TMSI and the IMSI.

For an MS-originated transaction, the network shall allow the MS to identify itself by either the old TMSI or the new TMSI. This will allow the network to determine the TMSI stored in the MS; the association between the other TMSI and the IMSI shall then be deleted, to allow the unused TMSI to be allocated to another MS.

For a network-originated transaction, the network shall identify the MS by its IMSI. When radio contact has been established, the network shall instruct the MS to delete any stored TMSI. When the MS has acknowledged this instruction, the network shall delete the association between the IMSI of the MS and any TMSI; this will allow the released TMSIs to be allocated to another MS.

In either of the cases above, the network may initiate the normal TMSI reallocation procedure.

Repeated failure of TMSI reallocation (passing a limit set by the operator) may be reported for O&M action.

2.3.9 Combined location area updating with the routing area updating

This subclause is only applicable if GPRS is supported.

This procedure is part of the location updating of a General Packet Radio Service (GPRS) class A or B mobile when the Gs-interface (SGSN MSC/VLR signalling interface) is implemented. This procedure is not relevant if the Gs-interface is not implemented.

The location area updating procedure and the routing area updating procedure are combined to one MS Serving GPRS Support Node (SGSN) procedure. The MS includes a Location Area Update (LAU) indication in the Routing Area Update Request message. The SGSN performs the location updating towards the VLR on behalf of the MS.

The procedure described in figure 2.8 shows only the interaction between the SGSN and the VLR. The full procedure including the update to other network element (e.g. HLR, old MSC/VLR) is described in GSM 03.60 .

MS

BSS

SGSN

VLR

RAI, TLLI, LAU indication

>

(note 1)

Security

functions

IMSI,LAI (note 2)

>

Allocation

of TMSIn

TMSIn (note 3)

<

Cipher(TMSIn) (note 4)

<

Acknowledge (note 5)

Acknowledge (note 6)

>

>

Deallocation

of TMSIo

NOTE 1: The Routeing Area Update Request message including the old Routing Area Identifier (RAI), the Temporary Logical Link Identifier (TLLI), and an indication that a combined Location Area Update (LAU) is performed.

NOTE 2: Location Updating message.

NOTE 3: Location Updating Accept message including the new TMSI.

NOTE 4: Routing Area Update Accept message including the new TMSI and the new TLLI (if any).

NOTE 5: Routing Area Update Complete message including the TLLI and TMSI.

NOTE 6: TMSI Reallocation Complete message including the TMSI.

Figure 2.8: Combined routing area and location updating in the same VLR

When the VLR does not change the TMSI, the old TMSI will stay in use and there is no need to send any TMSI to the MS.

In case of combined routing area update and inter-VLR location area updating procedure, the old TMSI will be cancelled and the HLR is updated as described in GSM 03.60.

If the Location Updating message indicates a reject (if for example the MS try to enter a forbidden location area), then this should be indicated to the MS and the MS shall not access non-GPRS service until a successful Location Update is performed.

For the combined location and routing area update and the combined GPRS Attach and IMSI Attach for GPRS class A and B mobiles, the authentication is performed by the SGSN. The authentication procedure for GPRS is described in annex D. The MSC/VLR relies on the SGSN authentication. This authentication procedure generates no ciphering key for circuit switched ciphering.

The ciphering key for circuit switched operation is allocated through an authentication by MSC/VLR when the circuit switched service is requested. Also, the MSC/VLR may use the old ciphering key if existing.