IOPS makes it possible to provide network service to Public Safety users even when the network has no or only limited backhaul connectivity. One of the main issues in such cases is the missing backhaul to perform authentication. A solution has been defined that uses local HSSs, which take over the responsibility for authentication in IOPS mode.
A problem identified for IOPS security when making use of a local HSS is the higher probability that a local HSS is compromised. Therefore the security solution described in TS 33.401 uses a local HSS with different authentication credentials than the standard HSS in normal operation. Additionally, there might be several local HSSs, and to further reduce the impact of possibly compromised local HSSs, each local HSS should use different authentication credentials.
The security solution described in TS 33.401 is based on a USIM application dedicated for IOPS and using derived individual keys per local HSS.
3GPP TS 23.401 Annex K specifies a PLMN identity dedicated for IOPS mode of operation. Additionally a USIM dedicated for IOPS uses an Access Control Class of '11' or '15'.
The USIM dedicated for IOPS may be implemented as a single USIM on a UICC or as a secondary USIM application together with a normal USIM on one UICC. The USIM for IOPS is a regular USIM application and contains all mandatory EFs for a USIM and may also include any of the optional EFs defined for a USIM.
The USIM dedicated for IOPS nevertheless has some specifics:
- As specified in TS 23.401 Annex K, the Access Control Class in EF ACC is set to either '11' or '15'. The specific values for the Access Control Class prevent UEs with different Access Control Classes from trying to attach to the IOPS network.
- The entry for the USIM dedicated for IOPS in EFDIR has a label starting with 'USIM-IOPS'.
In case multiple local HSSs are to be supported, the USIM should also support:
- The AMF (Authentication Management Field) mechanism as described in TS 33.401 Annex F.4.1 is supported.
- An Operator specific mechanism to derive local HSS individual keys is supported (see TS 33.401 Annex F.4).
The method for selecting a USIM dedicated for IOPS is left to ME implementation.
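One possible selection check, given as an added example that is not part of the specification text: it scans EFDIR records for a label starting with 'USIM-IOPS' and verifies that EF ACC carries class 11 or 15. It assumes the usual codings (EFDIR application template tag '61' with AID tag '4F' and label tag '50'; EF ACC as a 2-byte bitmap); the AIDs, labels, and helper names are constructed for illustration.

```python
IOPS_LABEL_PREFIX = b"USIM-IOPS"   # label prefix of the IOPS entry in EFDIR
IOPS_CLASSES = {11, 15}            # Access Control Classes used for IOPS

def parse_tlvs(data):
    """Parse single-byte-tag, short-length TLVs; stop at 0xFF padding."""
    out, i = {}, 0
    while i + 2 <= len(data) and data[i] != 0xFF:
        tag, length = data[i], data[i + 1]
        value = data[i + 2:i + 2 + length]
        if length > 0x7F or len(value) != length:
            raise ValueError("malformed TLV")
        out[tag] = value
        i += 2 + length
    return out

def parse_dir_record(record):
    """Return (aid, label) from one EFDIR record, or None if no template."""
    outer = parse_tlvs(record)
    if 0x61 not in outer:
        return None
    inner = parse_tlvs(outer[0x61])
    return inner.get(0x4F), inner.get(0x50, b"")

def select_iops_aid(dir_records):
    """AID of the first entry whose label starts with 'USIM-IOPS'."""
    for rec in dir_records:
        parsed = parse_dir_record(rec)
        if parsed and parsed[0] and parsed[1].startswith(IOPS_LABEL_PREFIX):
            return parsed[0]
    return None

def acc_classes(ef_acc):
    """Decode EF ACC: bit n of the 16-bit big-endian value is class n."""
    if len(ef_acc) != 2:
        raise ValueError("EF ACC must be 2 bytes")
    bits = int.from_bytes(ef_acc, "big")
    return {n for n in range(16) if (bits >> n) & 1}

def is_iops_acc(ef_acc):
    return bool(acc_classes(ef_acc) & IOPS_CLASSES)

def make_record(aid, label):
    """Build a constructed sample EFDIR record with 0xFF padding."""
    inner = bytes([0x4F, len(aid)]) + aid + bytes([0x50, len(label)]) + label
    return bytes([0x61, len(inner)]) + inner + b"\xff" * 4

# Constructed sample card content: a normal USIM plus an IOPS USIM.
AID_NORMAL = bytes.fromhex("A00000008710020001")
AID_IOPS = bytes.fromhex("A00000008710020002")
SAMPLE_DIR = [make_record(AID_NORMAL, b"USIM"),
              make_record(AID_IOPS, b"USIM-IOPS 1")]
```

An ME following this approach would select the returned AID and treat an application whose EF ACC fails the class check as misprovisioned for IOPS.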