3G UMTS Security: User Identity Confidentiality (IMSI, TMSI & P-TMSI)

UMTS system uses the same old concept used in GSM and GPRS to protect the user identity over the service link. This is achieved by providing temporary identity to mask the true identity. There are two types of temporary identity used:

TMSI: Temporary mobile subscriber identity (for CS domain)
P-TMSI: Packet – Temporary Mobile Subscriber Identity (for PS Domain)

The IMSI is the permanent identity of the USIM/Subscriber in the UMTS network.

The UMTS network provides the following features in terms of user confidentiality:

Subscriber’s IMSI should not be compromised on the radio link.
The presence or arrival of a subscriber in a specific area can not be determined by eavesdropping on the radio access link.
The intruder should not know whether different services are provided to the same user.

To achieve these:

The user is normally identified by temporary identities:
1. TMSI or
2. P-TMSI

The user should not be identified by the same identity for longer period of time.
The signaling and user data that might reveal the user’s real identity should always be ciphered.

IMSI: International Mobile Subscriber Identity

The IMSI is defined as follows:

MCC: Mobile Country Code

MCC defines the home country where the subscriber is registered.

Example: 240 is MCC for Sweden

Complete list of MCC can be found here:

http://en.wikipedia.org/wiki/List_of_mobile_country_codes

MNC: Mobile Network Code

MNC code defines the home GSM PLMN of the mobile subscriber.

Example: 01 is the MNC for Telia Sweden

The complete list of MNC for all countries can be found here:

http://en.wikipedia.org/wiki/Mobile_Network_Code

MSIN: Mobile Subscriber Identity Number

This number is used to identify a subscriber within the PLMN.

The NMSI (National Mobile Subscriber Identity Code) = MNC + MSIN

Procedures for management of TMSIs

TMSI changes when user changes the location area. TMSI is a local number and has a meaning only in a certain location area. TMSI is always accompanied by a LAI (Location area Identity) to avoid ambiguities.

In the core network the VLR keeps the relation between IMSIs and TMSIs in a database. There are number of different instances when TMSI is changed or recalculated.

Location updating in the same MSC area

In this case both the old location area and the new location area are part of the same MSC.

TMSIo: Old TMSI

TMSIn: New TMSI

Step 1: UE starts the location area procedure with content set for LAI and old TMSI (TMSIo).

Step 2: MSC/VLR calculates the new TMSI (TMSIn).

Step 3: TMSIn is transferred to UE in ciphered text to maintain the confidentiality.

Step 4: UE acknowledges the change of TMSI.

Step 5: Old TMSI (TMSIo) will be de-allocated from the VLR database.

Location Updating to a new MSC but the VLR is same

In this case the VLR of the old location area is same as that of the old location area but the MSC changes.

Step 1: UE starts the location area procedure with content set for LAI and old TMSI (TMSIo).

Step 2: MSC/VLR calculates the new TMSI (TMSIn).

Step 3: TMSIn is transferred to UE in ciphered text to maintain the confidentiality. HPLMN is also informed about the change of location area.

Step 4: UE acknowledges the change of TMSI. HPLMN also acknowledges the changes.

Step 5: Old TMSI (TMSIo) will be de-allocated from the VLR database.

Location updating in new VLR, old VLR reachable

Step 1: UE request location update request with old TMSI (TMSIo) and old LAI set.

Step 2: The new MSC/VLR send the TMSIo to the old MSC/VLR.

Step 3: Old MSC/VLR responds with sending back IMSI of the UE.

Step 4: The new MSC/VLRn calculates the new TMSI (TMSIn).

Step 5: MSC/VLRn sends TMSIn to UE in ciphered text and inform the HPLMN of the UE.

Step 6: Both UE and HPLMN acknowledges the new MSC/VLRn.

Step 7: The old MSC/VLRo deallocates the TMSIo from its database.

Location updating in a new VLR; old VLR not reachable

This is the case when the old VLR of the UE is not reachable by the new VLR.

Step 1: UE request location update request with old TMSI (TMSIo) and old LAI set.

Step 2: The new MSC/VLRn can not reach the old MSC/VLRo.

Step 3: New MSC/VLRn request UE for identity with Identity Request message.

Step 4: UE sends IMSI to the new MSC/VLR in clear text.

Step 5: The new MSC/VLRn calculates the new TMSI (TMSIn).

Step 6: MSC/VLRn sends TMSIn to UE in ciphered text and inform the HPLMN of the UE.

Step 7: Both UE and HPLMN acknowledges the new MSC/VLRn.

Step 8: The old MSC/VLRo deallocates the TMSIo from its database.

Reallocation of TMSI

This procedure is initiated by the NW to change the TMSI of the UE. The initiation of the procedure depends on operator.

The de-allocation of the old TMSI (TMSIo) only happens when UE acknowledges that the new TMSI (TMSIn) is allocated.

Local TMSI Unknown

This procedure happens when there is data loss in the VLR after location update request.

Location updating in a new VLR in case of loss of information

Step 1: UE request location update request with old TMSI (TMSIo) and old LAI set.

Step 2: The new MSC/VLR send the TMSIo to the old MSC/VLR.

Step 3: Old MSC/VLR does not have the TMSI. It responds that the TMSIo is unknown to it.

Step 4: New MSC/VLRn sends Identity request to the UE.

Step 5: UE responds with sending the IMSI in clear text.

Step 6: The new MSC/VLRn calculates the new TMSI (TMSIn).

Step 7: MSC/VLRn sends TMSIn to UE in ciphered text and inform the HPLMN of the UE.

Step 8: Both UE and HPLMN acknowledges the new MSC/VLRn.

Step 9: The old MSC/VLRo deallocates the TMSIo from its database.

Unsuccessful TMSI allocation

If due to some problem the MS/UE does not acknowledge the allocation of new TMSI then the network will maintain the relationship between the old TMSI and IMSI and between the new TMSI and IMSI.

Example: Signalling from UE point of view

Location updating in a new VLR; old VLR not reachable

RRC CONNECTION REQUEST (UE –> NW)
———-TMSI & LAI
————TMSI (32 bit)
—————-LAI (Location Area Identity)
———————–PLMN –ID
—————————MCC
—————————MNC
———————–LAC (16bits)

RRC CONNECTION SETUP (UE <—NW)

RRC CONNECTION SETUP COMPLETE (UE –> NW)

INITIAL DIRECT TRANSFER (UE –> NW)
———–LOCATION AREA UPDATE REQUEST
—————-Location Area Identity
—————-TMSI

DOWNLINK DIRECT TRANSFER (UE <– NW)
———–IDENTITY REQUEST

UPLINK DIRECT TRANSFER (UE –> NW)
———–IDENTITY RESPONSE
—————-IMSI (In Clear Text)

SECURITY MODE COMMAND (UE <– NW)

SECURITY MODE COMPLETE (UE –> NW)

DOWNLINK DIRECT TRANSFER (UE <– NW)
———–LOCATION AREA UPDATE COMPLETE
—————-TMSI

6 Comments

chung nguyen
15 years ago Permalink

it is great tutorial !
chung nguyen
15 years ago Permalink

it is great tutorial !
Prakash Sahoo
14 years ago Permalink

It is a nice article.
Prakash Sahoo
14 years ago Permalink

It is a nice article.
khalifa elreyani
8 years ago Permalink

Thank you
khalifa elreyani
8 years ago Permalink

could you give us the references of this article, thanks

IMSI: International Mobile Subscriber Identity

MCC: Mobile Country Code

MNC: Mobile Network Code

MSIN: Mobile Subscriber Identity Number

Procedures for management of TMSIs

Location updating in the same MSC area

Location Updating to a new MSC but the VLR is same

Location updating in new VLR, old VLR reachable

Location updating in a new VLR; old VLR not reachable

Reallocation of TMSI

Local TMSI Unknown

Location updating in a new VLR in case of loss of information

Unsuccessful TMSI allocation

Example: Signalling from UE point of view

Location updating in a new VLR; old VLR not reachable

6 Comments

Leave a Reply Cancel reply