Defeating the Downgrade Attack on Identity Privacy in 5G

by   Mohsin Khan, et al.
HUAWEI Technologies Co., Ltd.

3GPP Release 15, the first 5G standard, includes protection of user identity privacy against IMSI catchers. These protection mechanisms are based on public key encryption. Despite this protection, IMSI catching is still possible in LTE networks which opens the possibility of a downgrade attack on user identity privacy, where a fake LTE base station obtains the identity of a 5G user equipment. We propose (i) to use an existing pseudonym-based solution to protect user identity privacy of 5G user equipment against IMSI catchers in LTE and (ii) to include a mechanism for updating LTE pseudonyms in the public key encryption based 5G identity privacy procedure. The latter helps to recover from a loss of synchronization of LTE pseudonyms. Using this mechanism, pseudonyms in the user equipment and home network are automatically synchronized when the user equipment connects to 5G. Our mechanisms utilize existing LTE and 3GPP Release 15 messages and require modifications only in the user equipment and home network in order to provide identity privacy. Additionally, lawful interception requires minor patching in the serving network.



page 1

page 2

page 3

page 4


Anonymous Identity-Based Encryption with Identity Recovery

Anonymous Identity-Based Encryption can protect privacy of the receiver....

A Survey on Patients Privacy Protection with Stganography and Visual Encryption

In this survey, thirty models for steganography and visual encryption me...

Managing NymBoxes for Identity and Tracking Protection

Despite the attempts of well-designed anonymous communication tools to p...

Uplink Channel Impulse Response Based Secondary Carrier Prediction

A typical handover problem requires sequence of complex signaling betwee...

A Fair Model of Identity Information Exchange Leveraging Zero-Knowledge

Many companies use identity information for different goals. There are a...

Identification for Accountability vs Privacy

This document considers the counteracting requirements of privacy and ac...

AdaptOver : Adaptive Overshadowing of LTE signals

We introduce AdaptOver, a new LTE signal overshadowing attack that allow...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

A generic mobile network has three main parts: (i) user equipment (UE); (ii) home network (HN), i.e. the mobile network where the user has a subscription; and (iii) serving network (SN), i.e. a mobile network that the UE connects to in order to avail services.111The notation used in this paper is summarized in Appendix A. The UE includes mobile equipment (ME) and a universal integrated circuit card (UICC). The UE is said to be roaming when the SN and HN are different. When both the UE and HN are made to 5G specifications, it is possible that the 5G UE connects to a legacy serving network, e.g., the LTE (long term evolution, or 4G) serving network. It is important to allow such a “downgraded” connection, because – especially in the early phases of 5G adoption – 5G coverage will be spotty compared to LTE.

International mobile subscriber identity (IMSI) is a globally unique identity of a mobile user. Identity privacy means that long-term user identities remain unknown to everyone else besides UE, SN, and HN. IMSI catchers, i.e. malicious devices that steal IMSIs in order to track and monitor the mobile users, are a threat to users’ identity privacy [1, 2, 3, 4]. Passive IMSI catchers attack by eavesdropping; active IMSI catchers attack by impersonating an SN. Mobile networks had protection against passive IMSI catchers since GSM, but until 5G they did not protect users against active IMSI catchers.

Third generation partnership project (3GPP) Release 15, the first 5G standard, includes protection against active IMSI catchers [5]. This protection is implemented so that the UE encrypts its identity using public key encryption with the public key of the HN [6]. The concealed identity is called subscription concealed identifier . This protection works only when the SN is also a 5G entity because an SN from LTE, 3G or GSM networks would not know how to process the SUCI. This implies that an active IMSI catcher can mount a downgrade attack against a 5G UE so that it impersonates an LTE SN and exploits LTE’s weakness in order to steal the IMSI of the 5G UE. In this paper, we propose mechanisms to prevent this downgrade attack.

Our solution uses pseudonyms that have the same format as IMSI for LTE communication to defeat the downgrade attack. The idea of using pseudonyms in IMSI format to confound IMSI catchers in mobile networks has been studied in several works during the recent years [7, 8, 9, 10, 11, 12]. We take a similar approach as proposed in these papers. A pseudonym looks like a normal IMSI, but its last nine to ten digits are randomized and frequently changing.222The first five to six digits of the IMSI identify the country and the home network of the mobile user. Even though these digits allow linkability in certain cases, (e.g., if in a visited network there is only one roaming UE from a specific country), these digits are not randomized, because they are needed to route initial requests for authentication data for roaming UE to the correct home network. The UE is provisioned with two pseudonyms in the beginning and it gets fresh pseudonyms during AKA runs. It uses these pseudonyms instead of IMSI to identify itself when connecting to an LTE SN. The UE uses the SUCI instead of IMSI to connect to a 5G SN. Our solution piggybacks on existing messages involved in the LTE and 5G authentication and key agreement (AKA) protocols to deliver new pseudonyms to the UE and does not require additional messages.

Since the space of pseudonym having IMSI format is limited, pseudonyms need to be reused, i.e., disassociated from one user and reallocated to another. On the other hand, a 5G UE may connect to multiple SNs simultaneously [6]; causing the UE to use different pseudonyms to connect to different SNs. Hence, it is a challenge for the HN to know when it can disassociate a pseudonym from a current user and reallocate it to a new user. In our solution the UE embeds information about its LTE pseudonyms into the SUCI. This enables efficient reuse of pseudonyms in the HN and accurate billing. The UE does not need a pseudonym to connect to a 5G SN. Hence, even in the unlikely event, where the UE and HN lose synchronization of pseudonyms, the synchronization can be restored because the UE obtains a new LTE pseudonym from the HN simply by connecting to a 5G SN.

This paper advances protocol design, beyond what is described in papers [7, 8, 9, 10, 11, 12], as follows:

  • The HN can reuse pseudonyms even when a UE has simultaneous connections to multiple SNs.

  • The states of pseudonyms in UE and HN will remain synchronized, given that the HN and the UE function correctly.

  • For the case where UE and HN get desynchronized due to some unlikely errors, we have detailed a re-synchronization mechanism for pseudonyms’ state in UE and HN. The mechanism is based on running a 5G AKA with a 5G SN.

Any enhancement of user identity privacy must support Lawful Interception (LI), i.e. selective interception of individual subscribers by legally authorized agencies. In Section 5.2 we describe how LI is supported in the Release 15 enhancement to user identity privacy (where UE encrypts its identity) and propose to supplement pseudonym-based solution with similar features. Adding support for LI into our pseudonym-based solution requires software update (patching) in the core network elements of the LTE SN; it does not require patching in the radio access network elements (base stations).

In this paper we consider the LTE SN in detail. Same solution can be adapted for 3G SNs in a straightforward manner. Its adaptation to GSM would require additional measures because GSM lacks means to authenticate any message received by a mobile device. An example of such a measure has been described in [7].

2 Preliminaries

An IMSI is a globally unique number, usually of 15 decimal digits, identifying a subscriber in GSM, UMTS and LTE systems. The first 3 digits of an IMSI represent the mobile country code (MCC); the second 2 or 3 digits represent the mobile network code (MNC); and the last 10 or 9 digits represent the mobile subscription identification number (MSIN) [13]. The long-term subscriber identifier in 5G system is called Subscription Permanent Identifier (SUPI) [14]. It may contain an IMSI, or a network-specific identifier for private networks.

Figure 1 illustrates a high-level architecture of mobile networks. The UE of a user, which has a subscription with the HN (home network), connects with the SN (serving network) to get services. If the SN and the HN are different networks, we say that the UE is roaming. In that case, the SN and the HN connect with each other over the IP Exchange (IPX) network. The link between the UE and the SN is initially unprotected in LTE, 3G and GSM networks. In 5G, some information sent over this initial link may be confidentiality protected using the public key of the HN. Information needed for routing in IPX cannot be confidentiality protected (otherwise, routing would not work) [15].

The HN stores the pairs of all its subscribers in the subscription database. The 5G HN also has a public/private key pair . The UE includes an ME and a UICC. The UICC is tamper resistant: a malicious entity can not read its content without sophisticated instruments. The universal subscriber identity module (USIM) is an application that runs in the UICC.

In LTE, the USIM stores the IMSI and the subscriber-specific master key K of the user. Please note that if a UE conceals the IMSI using K, the HN would not know which K to use to decrypt the message. Moreover, the UE is not provisioned with any SN-specific keys. Thus, the IMSI is initially sent unprotected over the link between the UE and the SN in LTE. Also in 3G and 2G the IMSI is initially sent unprotected over the link between the UE and the SN. But in 5G the USIM may also store the public key of the HN; and then the UE, before identifying itself, can send encrypted (by the key ) message to the HN.

Active IMSI Catcher

Passive IMSI Catcher





- Initially unprotected link

- IMSI may be in cleartext

in 2G, 3G and 4G (LTE)


IMSI Inquiry


Figure 1: Schematic illustration of mobile network.

When a UE wants to connect to a SN, the SN wants to know the identity of the user so that the user can be billed. The SN sends an IMSI inquiry to the UE. Since the link between the UE and the LTE (also 3G and 2G) SN is initially unprotected, the UE has to respond with its IMSI in cleartext. A passive IMSI catcher listens to the radio channel and waits for IMSIs sent in cleartext. An active IMSI catcher impersonates a legitimate SN and makes an IMSI inquiry. The UE has no way to distinguish an active IMSI catcher from a legitimate SN before authenticating the SN. Hence, the UE invariably sends the IMSI to the attacker in cleartext.

The identification is followed by mutual authentication based on challenge and response. We will now outline the basic principle of the authentication protocol. The SN provides the identity of the user to the HN. The HN (i) prepares a random challenge; (ii) computes the expected response to the challenge, an authentication token, and an anchor key; (iii) may compute some other required information. The response, authentication token and anchor key are computed using the master key K

. An authentication token includes information that protects the integrity of the challenge and defeats replay attack. The challenge, response, authentication token, anchor key and also some other relevant information are collectively known as an authentication vector (AV). The HN sends the AV to the SN.

The SN sends the challenge and the authentication token to the UE. The UE verifies the integrity and freshness of the challenge using the master key K. If the verification result is positive, the UE computes the expected response to the challenge using the master key Kand sends the response to the SN. If the expected response that the SN received from the HN matches with the response that the UE sent, the authentication is successful.

The authentication and key agreement protocols of LTE and 5G networks – known as LTE AKA [16] and 5G AKA [6] – are based on the above principle. In LTE AKA, if the authentication is successful, and if the UE that participated in the AKA is attaching with the SN for the first time, then the SN sends a location update (LU) message to the HN [12, 17]. Once a UE is authenticated, the SN gives it a temporary identity – known as globally unique temporary UE identity (GUTI) – with confidentiality and integrity protection over a secure channel that has been established based on the authentication. Since then, the UE uses GUTI to identify itself to the SN. The use of GUTI defeats the passive IMSI catchers. However, the use of GUTI does not defeat active IMSI catchers. This is because the UE or the SN may have lost the GUTI, or the UE may visit a new SN. In either case, the SN would make an IMSI inquiry towards the UE. The UE would have to respond with IMSI in cleartext, otherwise it would be locked out of the network.

Once a UE is attached to an SN, the UE may go to idle mode. When there is downlink data available for an idle UE, the SN would page the UE to wake it up, using the IMSI or the GUTI (of that UE) in the paging message. It is worth mentioning that a new authentication may be in initiated by the SN after UE responds to a paging message.

3 Related Work

The attack on user identity privacy by active IMSI catchers has been known since GSM, and numerous defence mechanisms against this attack have been proposed in the literature. We identified two major trends in these mechanisms: the first is based on pseudonyms and the second on public key cryptography. Below, we list works that we consider to be the most relevant to this paper.

In Herzberg et al. [18], one-time pseudonyms are created by probabilistic encryption of the user’s identity using a key that is known only by the HN. The HN sends a set of pseudonyms to the UE when the UE and the HN have a secure communication channel.

Publications proposing cellular network pseudonyms in the same format as IMSI, but with randomized, frequently changing MSIN, include [7, 8, 10, 9]. In Broek et al. [7] and Khan and Mitchell [8] the pseudonym’s update is embedded in a random challenge, RAND, of AKA. Khan and Mitchell [11] identified a weakness in solutions proposing cellular network pseudonyms in the same format as IMSI, which could be exploited to desynchronize pseudonyms in the UE and the HN. They also proposed a fix. Khan et al. [12] found a weakness in [11] and proposed a solution. We will refer to the solution in [12] as the KJGN scheme.

Asokan [19] described how public key encryption can be used to achieve identity privacy in mobile environments. In this solution, only the HN has a public/private key pair and the UE is provisioned with the public key of the HN. The UE encrypts identity information using public key before sending it to the HN. Køien [20] suggests using identity based encryption (IBE) to defeat IMSI catchers in LTE. Khan and Niemi [21] propose the use of IBE to defeat IMSI catchers in 5G networks.

5G is the first generation of mobile networks that includes protection against active IMSI-catchers. 3GPP has decided that users’ identities will be protected in 5G by including public key encryption [6]. The idea is similar to Asokan [19]. In addition, the possibility to include IMSI in the paging message has been removed. We will now outline the working of 5G protection mechanism [6].

The UE conceals the 5G user’s long-term identities with Elliptic Curve Integrated Encryption Scheme (ECIES) [22, 23]

before sending them to the SN. ECIES is a hybrid encryption scheme that combines an elliptic curve based public key cryptography with secret key cryptography; it is a semantically secure probabilistic encryption scheme ensuring that successive encryptions of the same plaintext with the same public key result in different ciphertexts with very high probability. Specifically,

[6] includes two ECIES profiles, both for the approximately 128-bit security level. Both profiles use AES-128 [24] in CTR mode [25] for confidentiality and HMAC-SHA-256 [26, 27] for authenticity in the secret key cryptography part but use either Curve25519 [28, 29] or secp256r1 [23] elliptic curves for the public key cryptography part.

A UE that is provisioned with the HN’s public key ,333The standard [6] does not require the HN to provision into every UE. If HN has not provisioned its into a UE, then that UE will not conceal its long-term identity with this mechanism. uses it to construct SUCI by computing —the encryption of MSIN with the HN’s public key —and concatenating it with certain cleartext information. As defined in [6], this cleartext information includes HNID, the home network identifier enabling successful routing to the HN, SUPIPSI for defining the scheme (i.e., either a null scheme or the ECIES profile), and HNPKI for denoting which public key was used in encryption. ECIES guarantees that MSIN can be decrypted from SUCI only by the HN who holds the private key corresponding to . Hence, the users’ identities are protected.

Please note that public-key based solutions, where the IMSI is delivered to the network encrypted by the public key of the network, are conceptually simpler than pseudonym-based solutions, because the latter need a mechanism for changing pseudonyms while keeping the set of pseudonyms in the UE and the HN synchronized. On the other hand, the impact of pseudonyms in IMSI format on legacy network nodes between UE and HN is smaller than of IMSI encrypted by a public key of the network, because the format of IMSI encrypted by a public key of the network is quite different from plaintext IMSI.

4 Our Solution

The 5G standard protects long-term user identity against active IMSI catchers by using SUCI (generated by the public key of the HN) [6], as outlined in Section 3. Despite this protection in 5G, a fake LTE SN can still mount a downgrade attack on the identity privacy of a 5G UE.

We mitigate the downgrade attack as follows: instead of IMSI, a 5G UE in LTE network uses pseudonyms that have the same format as IMSI. In addition, when a 5G UE runs 5G AKA, it also synchronizes its LTE pseudonyms with the HN. In our solution:

  1. a 5G UE uses pseudonyms to connect with LTE SNs and Release-15 SUCI to connect with 5G SNs;

  2. only the HN allocates and releases pseudonyms of mobile users; initially the HN allocates two pseudonyms per 5G user and provisions them into those users’ USIMs;

  3. a 5G UE gets new pseudonyms by participating in authentication protocols: LTE AKA or 5G AKA; the two latest pseudonyms received by the UE during successful AKA are denoted by and ;

  4. in order to support simultaneous connections with several SNs, our solution:

    • uses subscriber-specific counter of pseudonyms maintained by the HN;

    • keeps track of in-use pseudonyms in 5G UE and HN, using sets and , respectively; the elements of these sets are pairs of pseudonyms and their respective counters (see Figure 2);

    • piggybacks information about pseudonyms in 5G UE within the Release-15 SUCI.

UE Side:

HN Side:

Figure 2: Pseudonyms in UE and HN

The 5G UE will use only or when replying to IMSI inquiry from an LTE SN. The set contains pseudonyms that 5G UE received before and . The UE deletes pseudonyms from based on policy provided by the HN that could include, e.g., pseudonyms’ lifetime or the maximum size of . The contains pseudonyms that the HN thinks are in , and it deletes pseudonyms from according to another policy. One objective of these policies is that the HN should not delete a pseudonym which the UE has not deleted yet. Thus, the pseudonyms in the UE constitute a subset of that UE’s pseudonyms in the HN. In short, the UE informs the HN about its oldest pseudonym when it connects with a 5G SN using SUCI, and then the HN is able to reduce the set . Please note that as long as the UE is connecting to LTE SN only, the size of grows. It will be explained later how to avoid that grows too much.

Our solution does not modify the structure and/or length of any existing message. Also, it does not introduce any new messages on top of what 3GPP has standardized; it only introduces changes in the 5G UE and its HN. However, to enable lawful interception in the SN, we would need some changes in the LTE SNs too. This issue is discussed in Section 5.2.

As standardized, a 5G USIM comes with an IMSI, a master key K and the HN’s public key embedded in it. A 5G USIM in our solution also has to include two pseudonyms and a key , shared with HN, for decrypting the pseudonyms. Similarly, along with the user’s IMSI, and master key K, the HN in our solution has to store additional information: the shared key for encrypting pseudonyms and three pseudonyms (where the subscripts stand for “current,” “next” and “future”). Ideally and .

When a pseudonym is allocated to a subscriber, it is associated with a subscriber-specific counter . We require that is a strictly monotonically increasing integer variable that increases each time the HN allocates a new pseudonym to the subscriber.

4.1 LTE AKA Based Solution

This solution is shown in Figure 3. It is built on top of the KJGN scheme, which was built on top of LTE AKA. The differences to LTE AKA are indicated by darker font in the figure. The additions on top of KJGN scheme include the use of the counter , which is associated with pseudonym , and the sets . One major modification is in the condition on which a UE or the HN forget pseudonyms. Supplements for lawful interception are not shown in Figure 3; they will be discussed separately in Section 5.2.




(1) IMSI Inquiry

(2) or


(4) AV request with

(5) Identify the user and then construct

RAND by encrypting a pseudonym.

See Algorithm 1 in Appendix B

(6) Other LTE AKA operations [16].



(9) LTE AKA operations [16].

(10) RES

(12) verify

(13) LU for pseudonym

(14) Identify the user with

. Update pseudonyms. See

Algorithm 3 in Appendix B.

(11) Update Pseudonyms.

See Algorithm 2

in Appendix B.
Figure 3: Solution, when the SN is from an LTE network.

4.1.1 Description.

  • An LTE SN inquires the UE about the IMSI.

  • The UE chooses one of the pseudonyms and assigns it to .

  • The UE sends to the SN.

  • The SN sends an AV request for the pseudonym to the HN. It is worth mentioning here that in most of the times the user identifies itself with GUTI. Sometimes the user would implicitly identify itself by responding to a paging message. In either case, if the SN wants to perform an LTE AKA, the SN requests an AV to the HN for the pseudonym/IMSI that was associated with the GUTI or was used in the paging message.

  • The HN checks if the pseudonym is in use for any subscriber. If yes, the HN starts to prepare the AV. It first constructs the random challenge RAND. A new pseudonym is embedded (encrypted with key ) in the RAND. Detail of how RAND is constructed is presented in Algorithm 1 in Appendix B. We also describe it in the following.

    • The 128-bit long random challenge RAND is created by encrypting (using key that can be generated from the master key K) the pseudonym , its counter , an error correction flag () and a randomly chosen -bit long . If the pseudonym is null, a new -bit long is chosen randomly from the pool of unused pseudonyms. Then is set to the current value of the counter , which is a strictly monotonically increasing counter maintained by the HN. It increases each time the HN generates a new pseudonym. The flag is by default set to but a 5G HN may set it to some other values to notify the UE about an error in the UE’s pseudonym state.

    • The value of is equal to . The value of depends on how many digits of the IMSI are randomized. Since the number of randomized digits can be at most 10, . The length of and depends on implementation; and bits should be enough. This implies .

  • The HN computes other parts of authentication vector AV (in addition to the RAND), e.g., the expected response XRES to the challenge RAND, anchoring key , and authentication token AUTN [16, 12].

  • The HN sends RAND, AUTN, XRES and to the SN.

  • The SN forwards RAND and AUTN to the UE.

  • The UE performs LTE AKA related operations, e.g., verifying MAC in AUTN, computing response [16, 12].

  • If everything is fine in Step (9), the UE sends RES to the SN.

  • The UE decrypts RAND to extract embedded pseudonym , and the counter ; and updates the pseudonyms if is new. These operations are presented in Algorithm 2 in Appendix B, and also described in the following.

    • UE decrypts RAND using key and gets and (Line 3).

    • In an LTE AKA, the bit is always set to 0.

    • If the pseudonym is a new pseudonym i.e., , then the UE inserts into and sets . See lines through 9-12.

    • If , then is considered as an old pseudonym and the UE does not update pseudonyms.

      • If somehow the value of (in the UE) gets corrupted and becomes larger than (in the HN), the UE would never be able to accept new pseudonyms anymore just by running LTE AKA. But even then the UE can still obtain a new pseudonym by running a 5G AKA.

  • The SN compares RES and XRES; the SN stops if .

  • The SN sends an LU message to the HN for the pseudonym .

  • The HN searches for a user s.t., . If found, and is not null, then the HN inserts into and sets . See Algorithm 3 in Appendix B.

4.2 5G AKA Based Solution

This solution is used for: (i) delivering a new pseudonym to a 5G UE using 5G AKA; (ii) notifying the HN about pseudonyms that the UE is not using anymore; so that those pseudonyms can be reused in HN; and (iii) re-synchronization of pseudonym states in the (rather unlikely) erroneous situation where becomes greater than . It is required to deliver new pseudonyms to a 5G UE even when the UE has not used the existing pseudonyms to connect with a legitimate LTE SN. This is because, the UE may have used those pseudonyms with an active IMSI catcher. If a 5G UE always connects with a 5G SN, and does not get new pseudonyms by participating in 5G AKA, then the 5G UE will have the same pseudonym for long time. So, if an active IMSI catcher makes many IMSI inquiries over this long time, then the UE would respond to each of those IMSI inquiries with the same pseudonym. Thus, an active IMSI catcher would be able to track and monitor the user with this long-lived pseudonym.

This solution is built on the 5G AKA protocol of Release 15 [6]; with changes only in the 5G UE and the HN. Thus, the solution is transparent to the 5G SNs of release 15. The solution requires the HN and the USIM to contain all the information the LTE AKA based solution (see Section 4.1) requires. Moreover, it requires the HN to have a public/private key pair and the USIM to be provisioned with the HN’s public key . The solution is presented in Figure 4. The changes in 5G AKA are marked by darker texts.




(1) IMSI Inquiry

(2) Generate SUCI. See Algorithm 4 in

in Appendix B

(3) SUCI

(4) AV request with SUCI

(5) Generate RAND. See Algorithm 5 in

Appendix B

(6) Purge .

(7) Other 5G AKA operations [6].




(10) 5G AKA related operations.


(12) Update Pseudonyms.

See Algorithm 2 in

Appendix B.

(13) compute from



(15) verify

(16) If verification is successful, and the

AV request came with a SUCI, not IMSI,

Update Pseudonyms. See Algorithm 6 in

in Appendix B
Figure 4: Solution when the SN is from a 5G network.

4.2.1 Description.

  • A 5G SN inquires the UE about the IMSI.

  • The UE generates a SUCI. Construction of SUCI by encrypting MSIN using the HN’s public key is discussed in Section 3 and in [6]. We bring changes in the plaintext that is encrypted into SUCI. Along with MSIN, we also encrypt two counters: and . Here, is the smallest counter of all the pseudonyms in the UE. Thus, the HN can know, which pseudonyms the UE is not using anymore; consequently they can be allocated to other UEs. The value of the counter is always set to . Our construction of SUCI is presented in Appendix B, Algorithm 4, and also described in the following.

    • UE computes MAC of message with master key K (Line 3).

    • UE encrypts with HN’s public key .

    • The ciphertext is concatenated with other information that are in plaintext: HN identifier, the public key identifier of the HN, and the SUPI protection scheme identifier (Line 4). The outcome is returned as SUCI.

  • The UE sends SUCI.

  • The SN forwards the SUCI to the HN, requesting an AV. Note that, in most of the times the user identifies itself with GUTI. Sometimes the user would implicitly identify itself by responding to a paging message. In either case, if the SN wants to perform a 5G AKA, the SN requests an AV to the HN with the IMSI that was associated with the GUTI or in the paging.

  • The HN constructs the RAND by embedding a pseudonym in it. The detail is presented in Algorithm 5 as described in the following.

    • The HN extracts and from the encrypted part of the SUCI using the private key of the HN (Line 3).

    • Verifies the MAC using master key K (Line 4). If the verification is unsuccessful, the algorithm stops. If the verification is successful, the algorithm continues as following.

    • Checks if is . If yes, an -bit long is randomly allocated (from the pool of free pseudonyms) and is set to (Lines 6, 7). is a subscriber-specific counter maintained by the HN. It increases every time the HN generates a new pseudonym.

    • Sets to 0. Then checks if is greater than . If yes, it sets to 1. See Lines from 9 to 12.

    • An -bit long random is chosen (Line 13).

    • is set into i.e., . See line 14.

    • is encrypted with key . The ciphertext is RAND. (Line 15). It is worth mentioning that the key can be derived from the master key.

    • The value of and is discussed in Section 4.1.

  • HN removes pseudonyms from which have counter smaller than .

  • HN performs other operations of 5G AKA except constructing RAND [6].

  • HN sends an AV () to the SN.

  • SN forwards the RAND and AUTN to the UE.

  • UE performs 5G AKA related operations e.g., verifying AUTN and computing the response to the challenge [6].

  • UE sends the response to he SN.

  • UE decrypts RAND; extract the embedded pseudonym from the RAND; and updates the pseudonyms in the UE. Algorithm 2 presents the details. This algorithm is partially described in Section 4.1. In 5G AKA the might be set to by the HN. In this case the UE would empty the set , set and terminates the algorithm at this step. This is needed to recover from a very unlikely error situation where gets corrupted in the UE. We explain the details in the end of Section 5.1.

  • SN computes as a function of ; compares with .

  • If the comparison in last step matches, SN forwards the to the HN.

  • The HN compares and XRES.

  • If the comparison in previous step matches, HN checks whether the AV (associated with the current current 5G AKA run) came with a SUCI or an IMSI. If with a SUCI, HN checks if the pseudonym that was embedded in the RAND is still . If yes, the HN moves to and sets . Consequently, the HN would embed a new pseudonym in the RAND while responding to the next AV request. Details are presented in Algorithm 6 in Appendix B. On the other hand, if the UE identified itself with GUTI or responded to a paging message, then the subsequent AV request sent by the SN would be with an IMSI, not with a SUCI. Consequently the pseudonyms would not be updated in HN. This means, in response to the next AV request, the HN will embed the same pseudonym in the RAND.

Step (16) helps the system to avoid generating unnecessary pseudonyms. If a 5G UE attempts to connect with an LTE SN using a pseudonym, but the subsequent LTE AKA fails or no LTE AKA follows (possibly because the SN is an active IMSI catcher), then the next time the UE tries to connect with a 5G SN, it uses SUCI instead of GUTI. In this way the UE can notify the HN that it needs new pseudonym, and it would receive a new pseudonym in the next AKA. Thus, the solution avoids generating unnecessary pseudonyms.

4.3 Allocation of Pseudonyms

In our solution, the pseudonyms are allocated to users by the HN. A pseudonym must not be allocated to two different users at the same time, because such double allocation would hinder correct call routing and billing; e.g,. a user could receive the bill for services used by another user. As new pseudonyms are generated for a user, the older pseudonyms are stored in the sets and . A pseudonym should not be allocated to a new user as long as it is in and of any other user. If pseudonyms are never removed from and , the system will eventually run out of free pseudonyms. Hence, policies are needed for removing pseudonyms from these sets. One objective of these policies is that, a pseudonym should not be deleted from of a user that is not yet deleted from the set of that user.

The HN randomly allocates a new pseudonym for a user from a pool of free pseudonyms, maintained by the HN. A pseudonym can be in the pool of free pseudonyms only if it is not in the set (or used as , , or ) for any user. To keep the pool of free pseudonyms large enough, the HN needs to remove old pseudonyms that are not anymore used by a UE from . Before removing a pseudonym from , the HN needs to know that the UE is no longer using it and has removed it from the corresponding .

In our solution, a UE removes pseudonyms from according to the policies provisioned in the UE by the HN. The UE notifies the HN about the pseudonyms that the HN can remove from the . The UE sends (encrypted in the SUCI message) the smallest counter value of all the pseudonyms available in the UE. The HN then removes (from ) all pseudonyms that have smaller counter values than . The UE sends with both integrity and confidentiality protection within the encrypted part of SUCI, as discussed in Section 4.2.

As mentioned earlier, as long as the UE is connecting to LTE SN only, the size of grows. We will explain next how to avoid that grows too much. The HN needs to have a cap for the size of . If the cap is reached, the HN would not generate any future pseudonym for the user — but will always embed the same pseudonym in the RAND. As a consequence, the user does not enjoy full identity privacy before it connects to a 5G SN using SUCI; the SUCI would include and the HN would be able to reduce . The details of using this cap are left for further study. The cap should be large enough so that it takes a reasonably long time for a UE to reach the cap; on the other hand the cap should be small enough so that a set of legitimate but malicious UE can not exhaust the pseudonym space by connecting to LTE SNs many times. Another topic for future work is how to maximize the chance that the UE would connect with a 5G SN using SUCI. For example, the UE may connect to 5G in order to reduce the size of , even if the user is not paying for 5G services. Another way to recover is to send a message to the user about the situation; suggesting to connect to a 5G SN to enjoy better privacy. Other, more sophisticated techniques than capping the size of can also be in the scope for further study.

It is important to define when the UE can decide that it no longer uses a pseudonym and it can be removed from . The pseudonyms in are stored because the UE should be able to respond to paging messages sent by the SN. Therefore, if a UE has a pseudonym (and the associated GUTI) that has not been used for a reasonably long time (as defined in the policy) and the UE is currently connected to a different SN, the pseudonym can be removed.

The UE may have an old pseudonym in that is associated with a GUTI and a security context but has no other pseudonyms associated with the same SN and the UE is currently connected to this SN. In such a case, the UE would initiate a new registration procedure with the SN using pseudonym or . If this registration is successful, the UE can remove the old pseudonym from . The UE may also follow a guideline set by the HN to remove pseudonyms from ; e.g., remove pseudonyms that are older than one day.

4.3.1 How Large the Sets and Can be.

In the HN, if 50 % of MSIN space is used by normal IMSI and pseudonyms, and the allocation of a new pseudonym in HN involves (i) generating a random MSIN, and (ii) checking if that MSIN value has been already allocated, then on the average it would take two tries (each try consisting of (i) and (ii)) for the HN to find a free MSIN. Because of efficiency reasons, we do not want to exceed this number of tries on the average. It follows that the target number of tries and the current level of MSIN space allocation determine the maximum for the average number of pseudonyms per user. Thus, the policy of handling the size of has to be adjusted so that the average size of would not exceed a certain limit, which in the worst case could be in the order of ten.

We estimate that only a small fraction of MSIN’s space, in the order of 1 % or less, is in currently in use in the major mobile networks. The biggest fraction, roughly 3 %, of the MSIN’s space seems to be in use in China Mobile networks, which has three MNC codes

[30] and 910 million subscribers [31]. If the average size of is ten, then for each subscriber, around (also and IMSI) elements from the MSIN space would be allocated on the average. Therefore, the fraction of in use MSIN’s space will grow by a factor of 13, e.g., from 3 % to %.

4.3.2 Alternative Allocation Mechanisms.

In our solution, pseudonyms are allocated to users in the HN. Another approach would be to generate pseudonyms on the UE side. However, in this other approach, the HN has to be able to map a pseudonym with the correct IMSI of the user. Here we briefly present few alternative options and their downsides.

In this option, the UE may perform format preserving encryption (FPE) of the MSIN with a shared symmetric key and use the ciphertext along with MCC and MNC to construct the pseudonym. There may be only one shared key for the whole network, or separate shared keys for each small group of users. Only one key for the whole network is not secure because an attacker can easily know the key. Indeed, the attacker would only need to be be a valid subscriber of the HN and the ability to read the UICC. On the other hand, separate shared keys for each small group do not result into good privacy. If the size of the group is , the subscriber can achieve only -anonymity. This is because the user would need to identify the user’s group in plaintext. In the roaming case, it could be even worse than -anonymity. For instance, it could be the case that only one member of the group is roaming in a certain country at a certain time point.

Another option is that the UE pseudorandomly generates pseudonyms — e.g., by hashing the IMSI and a salt using the shared master key. The UE uses bits of the hash digest along with the MCC and MNC a to construct the pseudonym. Similarly, the HN would need to compute the hash digest (of bits) of all the IMSIs (of all the valids subscribers) with the salt using the respective master keys. If the salt is chosen by the UE based on an agreed scheme (e.g., the salt is the current date), then the HN has to compute hash digest for each subscriber according to that scheme (e.g., once in a day) and store in a hash table. However, since is only around bits, there would have many collisions — mutiple IMSIs will be hashed to the same pseudonym. The HN would consult with the hash table when it receives a pseudonym. Due to many collisions in the hash table, pseudonyms would be ambiguous.

5 Analysis of Our Solution

In our solution, the pseudonyms are delivered to the UE with confidentiality protection using the key . Hence, an IMSI catcher cannot know a pseudonym before the UE uses it. This provides unlinkability across the pseudonyms. Once a UE switches to use a new pseudonym, the UE appears as a new (previously unknown) user in the network. Same pseudonym may be transmitted many times in different RAND. However, the challenge still remains fresh and random because of the randomly chosen -bit long ; the value of can be as long as bits. Since a user keeps using the same pseudonym until it obtains a new pseudonym, the UE is exposed to an active IMSI catcher for the time. This exposure mostly coincides with the already existing exposure of the GUTI. In the rest of this section we analyze our solution from important aspects of using IMSI-like pseudonyms in mobile networks: (i) synchronization of pseudonyms, (ii) LI and patching, (iii) billing and charging, and (iv) performance overheads.

5.1 Synchronization

5.1.1 What is Desynchronization?

We say that a UE is desynchronized with the HN if the pseudonyms and of the user in the UE side are no more associated with the same user in the HN side. In other words, a UE is desynchronized with the HN if the following condition holds.

The UE is not allowed to use any other pseudonyms than in response to an IMSI inquiry from an LTE, 3G or GSM SN. Consequently, when the UE responds to an IMSI inquiry with or , the HN would fail to retrieve the correct IMSI. As a result, the subsequent AKA would fail and the UE will not be able to join the network.

5.1.2 Can Desynchronization Happen?

If both the HN and UE function correctly desynchronization can not happen. We will present our argument in this section. In principle, desynchronization may happen if one of the following cases happen:

  1. If UE accepts a pseudonym that is not generated in the HN

  2. If HN deletes from

  3. If UE accepts a pseudonym that was generated for the user in the HN but the HN has already deleted the pseudonym

First, we discuss Case 1. Since a pseudonym is embedded in the RAND, the integrity of the pseudonym is protected if the integrity of the RAND is protected. The integrity of the RAND with the help of the MAC that is a part of the AUTN. So, the UE would never accept a pseudonym that was not generated in the HN; consequently, Case 1 can never happen.

Second, we discuss Case 2. The HN never deletes . The HN may delete a pseudonym from if the HN has decrypted a from a valid SUCI such that ; see Step 6 of 5G AKA based solution in Section 4.2. Since, the UE would never deletes , the value of would be at most . This implies . Consequently, the HN would not delete from .

Third, we discuss Case 3. As discussed in Case 2, if pseudonym is deleted from , then would be greater than , because . Remember that a UE would accept a pseudonym only if . Thus would never be accepted by the UE.

5.1.3 Resynchronization.

However, if due to some unlikely errors in UE and HN, desynchronization happens, our solution can bring back a desynchronized user into a synchronized state automatically just by connecting to a 5G SN. This is because a 5G UE does not need a valid pseudonym to participate in a 5G AKA, and the UE would get a valid pseudonym if it can participate in a valid 5G AKA. This is a major advantage because, as discussed in [12], such a desynchronized user would otherwise have to go to a mobile network operator’s shop to change the UICC.

Also, if in the UE gets corrupted and becomes larger than , then the UE would not be able to accept a new pseudonym; see Algorithm 1,2 and 5. If becomes a large enough value, then the UE might not accept new pseudonyms anymore. However, the 5G UE is able to resynchronize with HN even if such a corruption happens; just by connecting to a 5G SN using SUCI and running a 5G AKA.

Since the UE would embed (which is equal to ) in the SUCI message, the 5G HN would know (Algorithm 4) if such a corruption has happened, see Algorithm 5. To help the UE fixing the corruption, the 5G HN would set the ECF in the RAND, see Algorithm 5. The UE decrypts the RAND and extracts the pseudonym . If the ECF is set, the UE would accept the pseudonym even though , see Algorithm 2. Since, acceptance of such a pseudonym may break the consistency with other pseudonyms in the UE, the UE deletes all other pseudonyms it has. Pseudonyms holds the same value as ; gets the value and gets . Thus the UE goes back to a state similar to the beginning.

5.2 Lawful Interception and Patching

Lawful Interception (LI) involves selectively intercepting communications of individual subscribers by legally authorized agencies. The agency typically provides the long-term identifier of the target UE or service to the network operator, which must have the means to intercept communications of the correct target based on long-term or permanent identifiers associated with that target. There is a requirement that a network operator is able to intercept without the need to rely on another network operator or jurisdiction. In particular, an SN does not need to share LI target identities of roaming UE with an HN and vice versa [32, 33].

In order to support LI in Release 15, where the UE encrypts its identity using the public key of the HN, (1) the HN provides long-term identifier of the UE to the SN during authentication and key agreement procedure; and (2) both UE and SN use long-term identifier of the UE as one of the inputs to the derivation of master session key. The visited network gets the long-term identifier of the UE as a result of (1), while (2) ensures that the UE and visited network can communicate only if both use the same long-term identifier of the UE.

In order to support LI in our pseudonym-based solution, we propose to add (1), and possibly also (2), into the existing legacy core network elements (MME and HSS in LTE; MSC, SGSN, and HLR in 3G/GSM) by software upgrade. The scope of this software upgrade appears to be much smaller, compared to adapting Release 15 solution into the existing legacy networks. This is mainly because adapting Release 15 solution to legacy networks is likely to impact also the radio access networks: the format of encrypted identifier in Release 15 is quite different from the cleartext IMSI, while in our solution the pseudonym is in the format of IMSI.

The LI feature (1) can be implemented in our solution as follows: in the AV request, the SN informs the HN that it is patched and when the HN returns the AV, it includes the MSIN as part of the AV.

Adding support for (2) is more complicated, especially in the cases of 3G and GSM. In LTE, the SN extracts the MSIN and uses it as an additional input in deriving the master session key and the UE is also informed that the SN is patched by piggybacking on RAND so that the UE also uses the MSIN in computing the master session key. In 3G and GSM there is no concept of master session key. Therefore, the MSIN has to be used directly in derivation of ciphering and integrity keys.

Please note that this complication appears also in the case where Release 15 public-key based solution would be adapted for legacy networks.

Typically, an organization of mobile network operators, like GSMA (GSM Association), could discuss and agree on a deadline in order to provide enough time for operators to patch their networks.

If some legacy network has not completed the patch by the agreed deadline, it is OK for other operators to ignore that failure and start using the pseudonyms-based protection of identity privacy. The LI in the network that is late in patching would not work fully for roaming 5G UEs.

In the case of a public key-based solution, if some mobile operator is late with a patch, then roaming 5G UEs would not be able to join that network.

5.3 Charging and Billing

Mobile users are charged based on CDRs (call detailed records) that are generated in the serving network. A CDR includes IMSI and records chargeable event (like the service used). The home network then adds charges to the bill of subscriber that is associated with the CDR’s IMSI.

After a pseudonym-based solution is adopted, a CDR may contain a pseudonym in place of IMSI. (Indeed, if the UE uses pseudonym in IMSI format when it communicates with SN, and the SN does not get the long-term identifier of that UE – for instance, because it was not patched for LI, then the SN has no other choice but to put the UE’s pseudonym into the CDR.) For this reason the home network has to consult a log of pseudonym allocations when it maps from UE identifiers in received CDRs to the actual subscribers’ data [8, 12]. That log includes the following information: (i) the pseudonym, (ii) the IMSI of the subscriber whom the pseudonym is given to, (iii) the time when HN allocated the pseudonym to the subscriber, (iv) the time when the subscriber started using the pseudonym (i.e., the time of the first successful AKA run of that subscriber with the pseudonym), (v) the time when the UE notified that it is no longer using the pseudonym, and (vi) list of SNs that the user has attached with using this pseudonym. The home network has to maintain the log at least until the billing is settled, and possibly for longer time, to comply with the local authority’s guidelines.

In order to keep the billing accurate, a UE that stops using pseudonym and deletes it, must also stop using the GUTI and the security context associated with . Let us illustrate what may happen otherwise. A UE1 that is visiting SN1, removes a pseudonym from its but keeps the GUTI and the security context. The UE1 also informs the HN (via 5G SUCI) that it has removed the pseudonym . Therefore, the HN sends the pseudonym to the pool of free pseudonyms; subsequently, is allocated to another subscriber and delivered to UE2 in SN2.

If UE1 continues to identify itself in SN1 by the GUTI associated with as it consumes services, then SN1 will generate a CDR that contains the pseudonym , which is at that time is allocated to UE2. As a result, UE2 will be charged for the service consumed by UE1 in SN1. This may continue until there is a new AKA run between UE1 and SN1 or until the GUTI expires. However, the HN has enough information in the pseudonym allocation log to resolve the correct UE who created the CDR.

5.4 Performance Overheads

In our solution the pseudonyms’ delivery protocol between UE and HN is piggybacked on existing AKA messages. The structure of AKA messages remains the same, but parts of those messages are constructed and interpreted differently. We list here the additional tasks that have to be done by HN and UE.

Most of those tasks have to be done in the HN: First, the HN has to store a set of in-use pseudonyms per subscriber, maintain a pool of free pseudonyms, and be able to allocate pseudonyms from this pool uniformly at random.

Second, as mentioned in Section 5.3, the HN needs to log pseudonym assignments for charging purposes. Keeping this log adds to the storage overhead in the HN and computational overhead in the charging system.

Third, the HN has to generate a random -bit and encrypt the pseudonym and using the symmetric key . The 5G HN has also to verify the MAC of the message that is encrypted into the SUCI. But the overheads due to these symmetric-key cryptographic operations are negligible.

Fourth, there is one-time, initial provisioning effort into the USIM of: (i) the initial pseudonyms, and (ii) a policy for forgetting pseudonyms.

On the UE side, one extra decryption is needed to extract the pseudonym embedded in RAND. This symmetric-key decryption has negligible overhead. In addition, UE has to maintain a set of pseudonyms based on the policy provisioned by the HN.

6 Conclusion

3GPP Release 15, the first release of 5G system, includes protection of long-term identity of mobile users against active IMSI catching. But in a typical case where 5G UE also supports LTE, it is still vulnerable to LTE IMSI catchers. This threat can be mitigated by adopting pseudonyms in the format of IMSI in LTE.

We propose a solution where the Release 15 mechanism for protecting user identity privacy is used for synchronizing the LTE pseudonyms in the format of IMSI between the UE and HN, thus making the LTE pseudonyms more robust. Our solution can automatically bring a desynchronized user back to synchronized state just by connecting to a 5G network. For LI purpose, the required patching effort in the legacy SNs is reasonable. All in all, pseudonym-based solution is a potential candidate for confounding IMSI catchers in legacy networks.

Questions for future study include the following: (i) Is it a good idea to encrypt the pseudonyms always with the same key? (ii) What data structure can be used to maintain the pool of free pseudonyms? (iii) What part of the solution has to be implemented in the USIM and what part in the ME? Capping the size of the set , when the UE is connecting only with LTE SNs, is also a subject of further study. The resilience of pseudonym-based solution to computational errors in HN, SN, or UE would also be an important area of investigation.


Appendix A Summary of Notation

AUTN authentication token used to verify the integrity of the RAND; computed by the HN; sent to the SN as part of the AV; used in both LTE AKA and 5G AKA
AV authentication vector; a bunch of information that the HN sends to delegate the authentication to the SN
CDR call detailed record
the counter value (time stamp) associated with pseudonym by the HN
the smallest counter of all the pseudonyms available in the UE. The UE embeds it in the SUCI.
it is always set to the current value of . The UE embeds it in the SUCI.
error correction flag, piggybacked on the random challenge RAND. the 5G HN sets this flag to inform the UE that the UE’s pseudonym state is corrupted
5G AKA an authentication protocol used in 5G
GSM Global System for Mobile Communications
HN Home network; the UE is subscribed with this network
IMSI international mobile subscriber identity
a symmetric key shared only between the USIM and the HN
K the symmetric key, also known as master key, shared only by the USIM of a user and the HN
anchoring key – subsequent encryption and integrity protection keys are derive from it; computed by the HN and sent to the SN as part of the AV
bit length of the that is used as a part of the plaintext that is encrypted into RAND
LTE AKA an authentication protocol used in LTE network
LU location update; when a user attaches to an LTE SN for the first time, after the authentication succeeds, the SN send an LU message to the HN
number of bits used to generate the randomized decimal digits to construct pseudonyms;
ME mobile equipment, usually a mobile phone
the pseudonyms in the HN; for the current pseudonym, for new pseudonym and for the future pseudonym; ideally expectation is or
the set of pairs maintained by the HN for a specific UE
the pseudonyms the UE is currently using
the set of pairs maintained by the UE
the pseudonym that a UE uses to identify itself
RAND is the 128-bit long random challenge; chosen/constructed by HN; sent to SN as part of the AV; SN forwards it to the UE; used in both LTE AKA and 5G AKA
RES response sent by the UE to the random challenge RAND in LTE AKA
SN serving network; the UE connects with this network
SQN the sequence number used by the USIM and the HN, both in LTE AKA and 5G AKA to defeat replay attack.
UE user equipment (USIM + ME)
UICC universal integrated circuit card
USIM universal subscriber identity module
XRES expected response (to RAND) from the UE; computed by the HN; sent to the SN as part of the AV; used in LTE AKA
XSQN the sequence number sent by the HN to the UE

Appendix B Algorithms

1:; where is the pseudonym received in the AV request, the vector following contains the relevant records of the user in the subscription database s.t., , and is a non decreasing counter that the HN maintains. increases once in a configured time interval.
3:if   then
4:     allocate randomly from the pool of free pseudonyms
6:end if
7:choose randomly
9: this flag might be set to by a 5G HN to indicate an error
11:return RAND
Algorithm 1 Construct RAND for LTE AKA in HN
2:updated pseudonym states in the UE
3:extract by decrypting RAND using key
4:if  then it means, the UE has unreasonably large
5:     empty the set
7:     return
8:end if
9:if  then
12:end if
Algorithm 2 Update Pseudonyms in UE
1:; where is the pseudonym received in the AV request, the vector following contains the records of the user in the subscription database s.t.,
2:updated pseudonym states in the HN
3:if  then
6:end if
Algorithm 3 Update Pseudonyms in HN after LTE AKA
1:; where is the counter of the earliest pseudonym in ; is ; HNID is the HN ID, usually ; is the public key of the HN; HNPKI is the public key identifier of the HN; SUPIPSI is the SUPI protection scheme identifier
5:return SUCI
Algorithm 4 Generate SUCI
1:; where is the private key of the HN, SUCI is received from the SN in the AV request, is the subscriber-specific key to encrypt pseudonyms, is the subscriber’s pseudonym and its counter that would be embedded in RAND
3:extract by decrypting SUCI using secret key
4:if  then
5:     if  then
6:         allocate randomly from the pool of free pseudonyms
8:     end if
10:     if  then It means the UE has unreasonably large
12:     end if
13:     choose randomly
16:     return RAND
17:end if
Algorithm 5 Construct RAND for 5G AKA
1:; where is the pseudonym that was embedded in the RAND of the 5G AKA in question, the vector following contains the relevant records of the user participated in the AKA.
2:Output: updated pseudonyms in the HN
3:if  then
6:end if
Algorithm 6 Update Pseudonyms in HN after 5G AKA