3 Security features provided in a GSM PLMN

3GPP TS 02.09 Release 1999: Security aspects

The following security features are considered:

‑ subscriber identity (IMSI) confidentiality;

‑ subscriber identity (IMSI) authentication;

‑ user data confidentiality on physical connections;

‑ connectionless user data confidentiality;

‑ signalling information element confidentiality.

The implementation of these five security features is mandatory on both the fixed infrastructure side and the MS side. This means that all GSM PLMNs and all MSs shall be able to support every security feature. Use of these five security features is at the discretion of the operator for its own subscribers while on the HPLMN. For roaming subscribers, use of these five security features is mandatory unless otherwise agreed by all the affected PLMN operators (see also clause 3.3.3).

3.1 Subscriber identity confidentiality

3.1.1 Definition

The subscriber identity confidentiality feature is the property that the IMSI is not made available or disclosed to unauthorized individuals, entities or processes.

3.1.2 Purpose

This feature provides for the privacy of the identities of the subscribers who are using GSM PLMN resources (e.g. a traffic channel or any signalling means). It allows for the improvement of all other security features (e.g. user data confidentiality) and provides for the protection against tracing the location of a mobile subscriber by listening to the signalling exchanges on the radio path.

3.1.3 Functional requirements

This feature necessitates the confidentiality of the subscriber identity (IMSI) when it is transferred in signalling messages (see clause 3.5), together with specific measures to preclude the possibility of deriving it indirectly by listening to specific information, such as addresses, on the radio path.

The means used to identify a mobile subscriber on the radio path consists of a local number called the Temporary Mobile Subscriber Identity (TMSI), described in GSM 03.20.

When used, the subscriber identity confidentiality feature shall apply for all signalling sequences on the radio path. However, in the case of location register failure, or in case the MS has no TMSI available, open identification is allowed on the radio path.

3.2 Subscriber identity authentication

3.2.1 Definition

International Mobile Subscriber Identity (IMSI) authentication is the corroboration, by the land‑based part of the system, that the subscriber identity (IMSI or TMSI) transferred by the mobile subscriber within the identification procedure on the radio path is the one claimed.

3.2.2 Purpose

The purpose of this authentication security feature is to protect the network against unauthorized use. It also enables the protection of GSM PLMN subscribers by denying intruders the possibility of impersonating authorized users.

3.2.3 Functional requirements

The authentication of the GSM PLMN subscriber identity may be triggered by the network when the subscriber applies for:

‑ a change of subscriber‑related information element in the VLR or HLR (including some or all of: location updating involving change of VLR, registration or erasure of a supplementary service); or

‑ an access to a service (including some or all of: set‑up of mobile originating or terminated calls, activation or deactivation of a supplementary service); or

‑ first network access after restart of MSC/VLR;

or in the event of cipher key sequence number mismatch.

Physical security means must be provided to preclude the possibility of obtaining sufficient information to impersonate or duplicate a subscriber in a GSM PLMN, in particular by deriving sensitive information from the mobile station equipment.

If, on an access request to the GSM PLMN, the subscriber identity authentication procedure fails and this failure is not due to network malfunction, then the access to the GSM PLMN shall be denied to the requesting party.

3.2.4 Authentication during a malfunction of the network

If an MS is registered and has been successfully authenticated, whether active or not active on a call, calls are permitted (including continuation and hand‑over).

If an MS has already been registered (and therefore has already been authenticated) and cannot be successfully reauthenticated due to the network malfunction (e.g. the HPLMN was not able to provide authentication pairs RAND, SRES), calls are permitted.

If an MS attempts to register and cannot be successfully authenticated due to the network malfunction, calls are not permitted.

If the MS is not registered, or ceases to be registered, a new registration needs to be performed, and the preceding cases apply.
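The access rules of clauses 3.2.3 and 3.2.4, as an added example that is not part of TS 02.09: the class and function names, the three-valued outcome, and the assumption that a denied access leaves the MS unregistered are this example's own, not identifiers from the specification.

```python
from enum import Enum


class AuthOutcome(Enum):
    """Result of one subscriber identity authentication attempt (assumed names)."""
    SUCCESS = "success"                  # SRES returned by the MS matched
    FAILURE = "failure"                  # mismatch that is not due to the network
    NETWORK_MALFUNCTION = "malfunction"  # e.g. HPLMN could not supply RAND/SRES pairs


def calls_permitted(already_registered: bool, outcome: AuthOutcome) -> bool:
    """Apply the access rules of clauses 3.2.3 and 3.2.4.

    already_registered: the MS is registered, hence was authenticated
    successfully at registration time.
    """
    if outcome is AuthOutcome.SUCCESS:
        return True
    if outcome is AuthOutcome.FAILURE:
        # 3.2.3: a failure not caused by a network malfunction denies access
        return False
    # 3.2.4: during a network malfunction a registered MS keeps service
    # (including call continuation and handover); an MS that is only
    # attempting to register does not.
    return already_registered


def registration_sequence(outcomes):
    """Replay a sequence of authentication outcomes for one MS that starts
    unregistered and return, per attempt, whether calls were permitted.
    A successful authentication registers the MS. A non-network failure is
    assumed (this example's assumption) to leave the MS unregistered, so a
    later malfunction is judged as a fresh registration attempt (3.2.4)."""
    registered = False
    decisions = []
    for outcome in outcomes:
        permitted = calls_permitted(registered, outcome)
        decisions.append(permitted)
        if outcome is AuthOutcome.SUCCESS:
            registered = True
        elif outcome is AuthOutcome.FAILURE:
            registered = False  # assumption: denied access leaves the MS unregistered
    return decisions
```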

3.3 User data confidentiality on physical connections (Voice and Non‑voice)

3.3.1 Definition

The user data confidentiality feature on physical connections is the property that the user information exchanged on traffic channels is not made available or disclosed to unauthorized individuals, entities or processes.

3.3.2 Purpose

The purpose of this feature is to ensure the privacy of the user information on traffic channels.

3.3.3 Functional requirements

Encryption will normally be applied to all voice and non‑voice communications. Although a standard algorithm will normally be employed, it is permissible for the mobile station and/or PLMN infrastructure to support more than one algorithm. In this case, the infrastructure is responsible for deciding which algorithm to use (including the possibility not to use encryption, in which case confidentiality is not applied).

When necessary, the MS shall signal to the network which of up to seven ciphering algorithms it supports. The serving network then selects one of these that it can support (based on an order of priority preset in the network) and signals this to the MS. The selected algorithm is then used by the MS and the network.

The ME has to check whether user data confidentiality is switched on using one of the seven algorithms. If the ME detects that this is not the case, or that it ceases to be the case (e.g. during handover), then an indication is given to the user.

This ciphering indicator feature may be disabled by the SIM (see GSM 11.11).

In case the SIM does not support the feature that disables the ciphering indicator, then the ciphering indicator feature in the ME shall be enabled by default.

The nature of the indicator and the trigger points for its activation are for the ME manufacturer to decide.

During the establishment of a call the trigger point shall be at call initiation at the latest. In the case of handover the trigger point shall be the completion of handover at the latest.

The manufacturer may provide the means to enable the user to temporarily disable the feature. This should be done in such a way that the user can protect it from misuse.
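The algorithm selection and ciphering indicator behaviour of clause 3.3.3, as an added example that is not part of TS 02.09: algorithms are represented by the numbers 1 to 7 with 0 standing for "no encryption", the SIM setting is a plain flag, and all function names are this example's assumptions rather than anything from the specification or GSM 11.11.

```python
from typing import Iterable, List, Optional, Sequence, Tuple

NO_CIPHERING = 0             # the infrastructure may decide not to encrypt
ALGORITHM_IDS = range(1, 8)  # up to seven algorithms the MS may declare


def select_algorithm(ms_supported: Iterable[int], network_priority: Sequence[int]) -> int:
    """Serving network side: pick the first entry of its preset priority list
    that the MS also supports. NO_CIPHERING is returned when no algorithm is
    common, or when the network itself placed NO_CIPHERING ahead of the
    algorithms the MS offers."""
    supported = {a for a in ms_supported if a in ALGORITHM_IDS}
    for alg in network_priority:
        if alg == NO_CIPHERING or alg in supported:
            return alg
    return NO_CIPHERING


def indicator_enabled(sim_disables_indicator: Optional[bool]) -> bool:
    """ME side: the SIM may disable the ciphering indicator; a SIM that does
    not support that feature (None) leaves the indicator enabled by default."""
    if sim_disables_indicator is None:
        return True
    return not sim_disables_indicator


def show_indicator(selected: int, sim_disables_indicator: Optional[bool]) -> bool:
    """True when the ME must indicate to the user that user data
    confidentiality is not on, i.e. none of the seven algorithms is in use."""
    return indicator_enabled(sim_disables_indicator) and selected not in ALGORITHM_IDS


def indicator_timeline(events: Sequence[Tuple[str, int]],
                       sim_disables_indicator: Optional[bool]) -> List[str]:
    """Evaluate the indicator at the latest trigger points named in 3.3.3:
    call initiation and completion of each handover. events are (trigger,
    algorithm in use after that trigger); returns the triggers at which the
    indicator is shown, which catches ciphering ceasing during a handover."""
    return [trigger for trigger, alg in events
            if show_indicator(alg, sim_disables_indicator)]
```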

3.4 Connectionless user data confidentiality

3.4.1 Definition

The connectionless user data confidentiality feature is the property that the user information which is transferred in a connectionless packet mode over a signalling channel is not made available or disclosed to unauthorized individuals, entities or processes.

3.4.2 Purpose

The purpose of this feature is to ensure the privacy of the user information on signalling channels (e.g. short messages).

3.4.3 Functional requirements

NOTE: Protection of connectionless user data is not applicable to SMS Cell Broadcast.

3.5 Signalling information element confidentiality

3.5.1 Definition

The signalling information element confidentiality feature is the property that a given piece of signalling information which is exchanged between MSs and base stations is not made available or disclosed to unauthorized individuals, entities or processes.

3.5.2 Purpose

The purpose of this feature is to ensure the privacy of user‑related signalling elements.

3.5.3 Functional requirements

When used, this feature applies on selected fields of signalling messages which are exchanged between MSs and base stations.

The signalling information elements included in the message used to establish the connection (protocol discriminator, connection reference, message type and MS identity (IMSI, TMSI or IMEI according to the circumstance)) are not protected.

The following signalling information elements related to the user are protected whenever used after connection establishment:

‑ International Mobile Equipment Identity (IMEI);

‑ International Mobile Subscriber Identity (IMSI);

‑ Calling subscriber directory number (mobile terminating calls);

‑ Called subscriber directory number (mobile originated calls).

The IMSI is stored securely within the SIM.

The IMEI shall not be changed after the ME’s final production process. It shall resist tampering, i.e. manipulation and change, by any means (e.g. physical, electrical and software).

NOTE: This requirement is valid for new GSM Phase 2 and Release 96, 97, 98 and 99 MEs type approved after 1st June 2002.

The security policy for the Software Version Number (SVN) is such that it cannot be readily changed by the user, but can be updated with changes to the software. The security of the SVN shall be separate from that of the IMEI.

Annex A (informative):
Change history

SMG#     VERS    NEW_VERS  CR      SUBJECT
S03      4.0.0   4.1.0     003     Clarifications
S05      4.1.0   4.2.0     004     Control of encryption
S12      4.2.0   4.3.0     A001    Security policy for SVN
s22      4.3.0   4.4.0     A003    Correction of User data confidentiality feature
s22      5.0.1   5.1.0     A004    Correction of User data confidentiality feature
S20      4.5.0   5.0.1             Upgrade to Phase 2+ version 5.0.0
S27      5.0.1   6.0.0             Upgrade to Release 1997 version 6.0.0
S29              7.0.0             Upgrade to Release 1998 version 7.0.0
         7.0.0   7.0.1             Version update to 7.0.1 for publication
S31      7.0.1   7.1.0     A008r2  Modification of section 3.5.3 to enhance IMEI security
2000-06  7.1.0   8.0.0             Upgrade to Release 1999, no technical change.
2001-05  8.0.0   8.0.1             Change format to ETSI TS.

Spec   Meeting  TSG doc    CR    Rev  Release  Subject                                                      Old vers  New vers  Work item
02.09  SP-32    SP-060373  A009       R99      Support of ciphering algorithms. Converted to 3GPP format.   8.0.1     8.1.0     SEC1