Top   in Index   None   Next

TS 42.009
Security Aspects

V4.1.0 (PDF)  2006/06  12 p.
GSM Rel-99 v8.1.0  2006/06  11 p.
GSM Rel-98 v7.1.1  2000/08  11 p.
GSM Rel-97 v6.1.1  2000/08  11 p.
GSM Rel-96 v5.2.1  2000/08  13 p.
GSM Phase-2 v4.5.1  2000/08  13 p.
GSM Phase-1 v3.1.0  1993/06  10 p.
Mr. Sahlin, Bengt

Content for  TS 42.009  Word version:  4.1.0

Here   Top

1  ScopeWord‑p. 5

Bearer and Teleservices, as respectively defined in GSM 02.02 and GSM 02.03, are the objects which the GSM PLMN operators offer to their customers. Besides these basic telecommunications services, features which aim at up grading these basic services need also to be offered. Due to the use of radiocommunications in a PLMN, which are of a special nature compared to classical distribution transmission techniques used in the fixed networks, such a category of features is related to security aspects.
In a GSM PLMN, both the users and the network operator have to be protected against undesirable intrusion of third parties. However, measures should be provided for in order to insure maximum protection of the rights of the individuals concerns. As a consequence, a security feature is either a supplementary service to Tele or Bearer services, which can be selected by the subscriber, or a network function involved in the provision of one or several telecommunication services.
The purpose of the present document is to define the security features which are to be available in a GSM PLMN, together with the associated levels of protection. The present document is only concerned with those security features which aim at the up grading of the security in a GSM PLMN. In particular, end to end security is outside the scope of the present document.
The implementation aspects of security features are described in GSM 03.20.

1.1  References

The following documents contain provisions which, through reference in this text, constitute provisions of the present document.
  • References are either specific (identified by date of publication, edition number, version number, etc.) or non specific.
  • For a specific reference, subsequent revisions do not apply.
  • For a non-specific reference, the latest version applies. In the case of a reference to a 3GPP document (including a GSM document), a non-specific reference implicitly refers to the latest version of that document in the same Release as the present document.
GSM 01.04: "Digital cellular telecommunications system (Phase 2+); Abbreviations and acronyms".
GSM 02.02: "Digital cellular telecommunications system (Phase 2+); Bearer Services (BS) supported by a GSM Public Land Mobile Network (PLMN)".
GSM 02.03: "Digital cellular telecommunications system (Phase 2+); Teleservices supported by a GSM Public Land Mobile Network (PLMN)".
GSM 03.20: "Digital cellular telecommunications system (Phase 2+); Security related network functions".
GSM 11.11: "Digital cellular telecommunications system (Phase 2+); Specification of the Subscriber Identity Module - Mobile Equipment (SIM - ME) interface".

1.2  Abbreviations

Abbreviations used in the present document are listed in GSM 01.04.

2  General

The use of radiocommunications for transmission to the mobile subscribers makes PLMNs particularly sensitive to:
  • misuse of their resources by unauthorized persons using manipulated Mobile Stations, who try to impersonate authorized subscribers; and
  • eavesdropping of the various information which are exchanged on the radio path.
It can be seen that PLMNs intrinsically do not provide the same level of protection to their operators and subscribers as the traditional telecommunication networks provide. This fact leads to the need to implement security features in a GSM PLMN in order to protect:
  1. the access to the mobile services;
  2. any relevant item from being disclosed at the radio path, mainly in order to ensure the privacy of user related information.
Two levels of protection are therefore assumed:
  • where security features are provided, as defined in clause 3, the level of protection at the radio path of the corresponding items is as good as the level of protection provided in the fixed networks;
  • where no special provision is made, the level of protection at the radio path is null. All items which are not dealt with in clause 3 are therefore considered to need no protection.

3  Security features provided in a GSM PLMNWord‑p. 6

The following security features are considered:
  • subscriber identity (IMSI) confidentiality;
  • subscriber identity (IMSI) authentication;
  • user data confidentiality on physical connections;
  • connectionless user data confidentiality;
  • signalling information element confidentiality.
The implementation of these five security features is mandatory on both the fixed infrastructure side and the MS side. This means that all GSM PLMNs and all MSs shall be able to support every security feature. Use of these five security features is at the discretion of the operator for its own subscribers while on the HPLMN. For roaming subscribers, use of these five security features is mandatory unless otherwise agreed by all the affected PLMN operators (see also subclause 3.3.3).

3.1  Subscriber identity confidentiality

3.1.1  Definition

The subscriber identity confidentiality feature is the property that the IMSI is not made available or disclosed to unauthorized individuals, entities or processes.

3.1.2  Purpose

This feature provides for the privacy of the identities of the subscribers who are using GSM PLMN resources (e.g. a traffic channel or any signalling means). It allows for the improvement of all other security features (e.g. user data confidentiality) and provides for the protection against tracing the location of a mobile subscriber by listening to the signalling exchanges on the radio path.

3.1.3  Functional requirementsWord‑p. 7

This feature necessitates the confidentiality of the subscriber identity (IMSI) when it is transferred in signalling messages (see subclause 3.5) together with specific measures to preclude the possibility to derive it indirectly from listening to specific information, such as addresses, at the radio path.
The means used to identify a mobile subscriber on the radio path consists of a local number called Temporary Mobile Subscriber Identity (TMSI), described in GSM 03.20.
When used, the subscriber identity confidentiality feature shall apply for all signalling sequences on the radio path. However, in the case of location register failure, or in case the MS has no TMSI available, open identification is allowed on the radio path.

3.2  Subscriber identity authentication

3.2.1  Definition

International Mobile Subscriber identity (IMSI) authentication is the corroboration by the land based part of the system that the subscriber identity (IMSI or TMSI), transferred by the mobile subscriber within the identification procedure at the radio path, is the one claimed.

3.2.2  Purpose

The purpose of this authentication security feature is to protect the network against unauthorized use. It enables also the protection of the GSM PLMN subscribers by denying the possibility for intruders to impersonate authorized users.

3.2.3  Functional requirements

The authentication of the GSM PLMN subscriber identity may be triggered by the network when the subscriber applies for:
  • a change of subscriber related information element in the VLR or HLR (including some or all of: location updating involving change of VLR, registration or erasure of a supplementary service); or
  • an access to a service (including some or all of: set up of mobile originating or terminated calls, activation or deactivation of a supplementary service); or
  • first network access after restart of MSC/VLR;
or in the event of cipher key sequence number mismatch.
Physical security means must be provided to preclude the possibility to obtain sufficient information to impersonate or duplicate a subscriber in a GSM PLMN, in particular by deriving sensitive information from the mobile station equipment.
If, on an access request to the GSM PLMN, the subscriber identity authentication procedure fails and this failure is not due to network malfunction, then the access to the GSM PLMN shall be denied to the requesting party.

3.2.4  Authentication during a malfunction of the network

If an MS is registered and has been successfully authenticated, whether active or not active on a call, calls are permitted (including continuation and hand over).
If an MS has already been registered (and therefore been already authenticated) and can not be successfully reauthenticated due to the network malfunction (e.g. the HPLMN was not able to provide authentication pairs RAND, SRES), calls are permitted.
If an MS attempts to register and can not be successfully authenticated due to the network malfunction, calls are not permitted.
If the MS is not registered, or ceases to be registered, a new registration need to be performed, and the preceding cases apply.

3.3  User data confidentiality on physical connections (Voice and Non voice)Word‑p. 8

3.3.1  Definition

The user data confidentiality feature on physical connections is the property that the user information exchanged on traffic channels is not made available or disclosed to unauthorized individuals, entities or processes.

3.3.2  Purpose

The purpose of this feature is to ensure the privacy of the user information on traffic channels.

3.3.3  Functional requirements

Encryption will normally be applied to all voice and non voice communications. Although a standard algorithm will normally be employed, it is permissible for the mobile station and/or PLMN infrastructure to support more than one algorithm. In this case, the infrastructure is responsible for deciding which algorithm to use (including the possibility not to use encryption, in which case confidentiality is not applied).
When necessary, the MS shall signal to the network indicating which of up to seven ciphering algorithms it supports. The serving network then selects one of these that it can support (based on an order of priority preset in the network), and signals this to the MS. The selected algorithm is then used by the MS and network.
The ME has to check if the user data confidentiality is switched on using one of the seven algorithms. In the event that the ME detects that this is not the case, or ceases to be the case (e.g. during handover), then an indication is given to the user.
This ciphering indicator feature may be disabled by the SIM (see GSM 11.11).
In case the SIM does not support the feature that disables the ciphering indicator, then the ciphering indicator feature in the ME shall be enabled by default.
The nature of the indicator and the trigger points for its activation are for the ME manufacturer to decide.
During the establishment of a call the trigger point shall be at call initiation at the latest. In the case of handover the trigger point shall be the completion of handover at the latest.
The manufacturer may provide the means to enable the user to temporarily disable the feature. This should be done in such a way that the user can protect it from misuse.

3.4  Connectionless user data confidentiality

3.4.1  Definition

The connectionless user data confidentiality feature is the property that the user information which is transferred in a connectionless packet mode over a signalling channel is not made available or disclosed to unauthorized individuals, entities or processes.

3.4.2  Purpose

The purpose of this feature is to ensure the privacy of the user information on signalling channels (e.g. short messages).

3.4.3  Functional requirementsWord‑p. 9

3.5  Signalling information element confidentiality

3.5.1  Definition

The signalling information element confidentiality feature is the property that a given piece of signalling information which is exchanged between MSs and base stations is not made available or disclosed to unauthorized individuals, entities or processes.

3.5.2  Purpose

The purpose of this feature is to ensure the privacy of users related signalling elements.

3.5.3  Functional requirements

When used, this feature applies on selected fields of signalling messages which are exchanged between MSs and base stations.
The signalling information elements included in the message used to establish the connection (protocol discriminator, connection reference, message type and MS identity (IMSI, TMSI or IMEI according to the circumstance)) are not protected.
The following signalling information elements related to the user are protected whenever used after connection establishment:
  • International Mobile Equipment Identity (IMEI).
  • International Mobile Subscriber Identity (IMSI).
  • Calling subscriber directory number (mobile terminating calls).
  • Called subscriber directory number (mobile originated calls).
The IMSI is stored securely within the SIM.
The IMEI shall not be changed after the ME's final production process. It shall resist tampering, i.e. manipulation and change, by any means (e.g. physical, electrical and software).
The security policy for the Software Version Number (SVN) is such that it cannot be readily changed by the user, but can be updated with changes to the software. The security of the SVN shall be separate from that of the IMEI.

$  Change HistoryWord‑p. 10

Up   Top