Feature #4398

Updated by osmith about 4 years ago

Similar to approach A in #4397, but without any collisions and problems with timestamps. Since timestamps are not used, this is more similar to "An HMAC-Based One-Time Password Algorithm" (HOTP, "RFC 4226":https://tools.ietf.org/html/rfc4226).

 h3. Overview 

The IMSI_PSEUDO is still calculated by both the HLR and SIM:
<pre>
IMSI_PSEUDO_CUR = distribute(IMSI_RANGE_START, IMSI_RANGE_END, hash(IMSI_PSEUDO_SECRET + IMSI_PSEUDO_COUNTER_CUR))
</pre>

The HLR tells the SIM when to increase IMSI_PSEUDO_COUNTER and by how much. This means the HLR can skip colliding results. The IMSI that is initially configured for a new SIM must be stored in the HLR.


 h3. In Detail 

 Relevant information in the HLR per subscriber: 
 * IMSI 
 * IMSI_PSEUDO_CUR (current) 
 * IMSI_PSEUDO_OLD (default: NULL) 
 * IMSI_PSEUDO_SECRET 
* IMSI_PSEUDO_COUNTER_CUR (current, default: 0)
 * IMSI_PSEUDO_COUNTER_OLD (default: NULL) 
 * IMSI_PSEUDO_COUNTER_SECRET 

 Relevant information in the SIM: 
 * IMSI (= IMSI_PSEUDO_CUR) 
 * IMSI_PSEUDO_SECRET 
 * IMSI_PSEUDO_COUNTER (= IMSI_PSEUDO_COUNTER_CUR) 
 * IMSI_PSEUDO_COUNTER_SECRET 

 New subscriber generation in the HLR: 
 * HLR assigns new IMSI in [IMSI_RANGE_START, IMSI_RANGE_END]. The new IMSI must be unique (not be used by other subscribers as real IMSI), but another subscriber may use it as IMSI_PSEUDO_CUR or IMSI_PSEUDO_OLD. 
 * HLR generates IMSI_PSEUDO_SECRET, IMSI_PSEUDO_COUNTER_SECRET with random data 
 * HLR sets IMSI_PSEUDO_OLD = NULL, IMSI_PSEUDO_COUNTER = 0 
 * HLR generates IMSI_PSEUDO_CUR (on failure provisioning the new subscriber fails!) 

Generating IMSI_PSEUDO_CUR in HLR:
* If this is not the first time generating the pseudo IMSI, set the old values to the current values:
** IMSI_PSEUDO_OLD = IMSI_PSEUDO_CUR
** IMSI_PSEUDO_COUNTER_OLD = IMSI_PSEUDO_COUNTER_CUR
* Find a new and unique IMSI_PSEUDO_CUR:
** IMSI_PSEUDO_COUNTER_CUR++
** IMSI_PSEUDO_CUR = distribute(IMSI_RANGE_START, IMSI_RANGE_END, hash(IMSI_PSEUDO_SECRET + IMSI_PSEUDO_COUNTER_CUR))
** Try again if: IMSI_PSEUDO_CUR matches IMSI_PSEUDO_CUR of any other subscriber, or IMSI_PSEUDO_OLD of this or any other subscriber
** Try up to MAX (e.g. 10) times.
** On failure provisioning the new subscriber fails: the range of available IMSIs is too small.

 SIM card provisioning: 
 * Usual data (auth stuff for AKA etc.) 
 * IMSI_PSEUDO_CUR instead of the IMSI. The real IMSI is not written to the SIM card. 
* IMSI_PSEUDO_SECRET, IMSI_PSEUDO_COUNTER (= IMSI_PSEUDO_COUNTER_CUR), IMSI_PSEUDO_COUNTER_SECRET
 * SIM applet 

 Location Update: 
 * SIM uses the IMSI (which is actually the IMSI_PSEUDO) to perform location update 
 * HLR finds the subscriber by comparing with IMSI_PSEUDO_CUR / IMSI_PSEUDO_OLD 
* Usual LU logic; if it fails, stop here
* If LU succeeds:
** If LU succeeded with IMSI_PSEUDO_OLD, the HLR writes the old values back:
*** IMSI_PSEUDO_CUR = IMSI_PSEUDO_OLD
*** IMSI_PSEUDO_COUNTER_CUR = IMSI_PSEUDO_COUNTER_OLD
** HLR generates a new IMSI_PSEUDO_CUR (like above, with retries to skip collisions until MAX); on failure it stops here
** HLR sends an SMS to the SIM, something like: <code>HASH(IMSI_PSEUDO_COUNTER_SECRET + IMSI_PSEUDO_COUNTER_DELTA + OLD_HASH_OR_SOMETHING)</code>
** SIM applet finds out the value of IMSI_PSEUDO_COUNTER_DELTA by trying the hash with values in the range [1, MAX]
** SIM applet overwrites the current IMSI of the SIM with the new pseudo IMSI
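Added example (not from this ticket or any Osmocom code) that plays through the whole flow: pseudo IMSI generation with collision skipping up to MAX, the location update with fallback to IMSI_PSEUDO_OLD when the counter SMS was lost, and the counter SMS that the applet resolves by trying deltas in [1, MAX]. Assumptions: SHA-256 for hash(), a modulo mapping for distribute(), HMAC-SHA256 for the SMS, the counter the SIM currently holds standing in for OLD_HASH_OR_SOMETHING, and a tiny IMSI range with random demo secrets.

```python
import hashlib, hmac, secrets

IMSI_RANGE_START, IMSI_RANGE_END, MAX = 901700000000000, 901700000000999, 10  # assumed demo range (1000 IMSIs); MAX as in the text

def distribute(start, end, digest):  # assumed implementation: map a hash digest onto [start, end]
    return start + int.from_bytes(digest, "big") % (end - start + 1)

def pseudo_imsi(secret, counter):  # distribute(hash(IMSI_PSEUDO_SECRET + IMSI_PSEUDO_COUNTER)); SHA-256 is assumed
    return distribute(IMSI_RANGE_START, IMSI_RANGE_END, hashlib.sha256(secret + counter.to_bytes(4, "big")).digest())

def counter_sms(ctr_secret, delta, sim_ctr):
    # HASH(IMSI_PSEUDO_COUNTER_SECRET + DELTA + OLD_HASH_OR_SOMETHING); assumed: the counter the SIM holds fills the last slot
    return hmac.new(ctr_secret, bytes([delta]) + sim_ctr.to_bytes(4, "big"), "sha256").digest()

def generate_pseudo(hlr, imsi):  # hlr: dict real IMSI -> subscriber record; returns IMSI_PSEUDO_COUNTER_DELTA in [1, MAX]
    r = hlr[imsi]
    if r["cur"] is not None:  # not the first time: keep old values so the previous pseudo IMSI still works
        r["old"], r["ctr_old"] = r["cur"], r["ctr"]
    for delta in range(1, MAX + 1):  # skip colliding results by increasing the counter, at most MAX times
        cand = pseudo_imsi(r["secret"], r["ctr"] + delta)  # collides if it is another subscriber's CUR or anyone's OLD
        if not any(cand == o["old"] or (i != imsi and cand == o["cur"]) for i, o in hlr.items()):
            r["cur"], r["ctr"] = cand, r["ctr"] + delta
            return delta  # how much the SIM must increase its counter
    raise RuntimeError("range of available IMSIs is too small")

def provision(hlr, imsi):  # returns the data written to the SIM card: the pseudo IMSI, never the real one
    hlr[imsi] = r = {"cur": None, "old": None, "ctr": 0, "ctr_old": None,
                     "secret": secrets.token_bytes(16), "ctr_secret": secrets.token_bytes(16)}
    generate_pseudo(hlr, imsi)
    return {"imsi": r["cur"], "secret": r["secret"], "ctr": r["ctr"], "ctr_secret": r["ctr_secret"]}

def location_update(hlr, presented):  # returns the counter-update SMS for the SIM, or None if the LU fails
    hit = [(i, o) for i, o in hlr.items() if presented in (o["cur"], o["old"])]
    if not hit:
        return None
    imsi, r = hit[0]
    if presented == r["old"]:  # last counter SMS never arrived: write the old values back
        r["cur"], r["ctr"] = r["old"], r["ctr_old"]
    delta = generate_pseudo(hlr, imsi)  # r["ctr"] - delta is the counter the SIM still holds
    return counter_sms(r["ctr_secret"], delta, r["ctr"] - delta)

def sim_apply_sms(sim, sms):  # SIM applet: recover the delta by trying [1, MAX]; a forged, replayed or stale SMS is ignored
    for delta in range(1, MAX + 1):
        if hmac.compare_digest(sms, counter_sms(sim["ctr_secret"], delta, sim["ctr"])):
            sim["ctr"] += delta
            sim["imsi"] = pseudo_imsi(sim["secret"], sim["ctr"])
            return True
    return False
```

Because the SMS is bound to the counter the SIM holds, a late copy of a lost SMS no longer verifies once the SIM has moved on, which is one answer to the "message arrived late" question under Problems.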

The purpose of the hashed counter is to prevent MITM attacks. Without IMSI_PSEUDO_COUNTER_SECRET, it is not possible to generate new messages that will be accepted by the SIM. OLD_HASH_OR_SOMETHING makes sure that the messages don't repeat (maybe store the hash of the previous SMS and put it there?). I have also thought about using asymmetric cryptography, to verify that the message was sent from the HLR. But it seems to me that this would require much more processing power and storage space, which we don't have in the SIM applet.

 If the SMS with the counter update does not reach the SIM (e.g. because an attacker is blocking it), the old pseudo IMSI can still be used. Maybe we could increase another counter in the SIM applet whenever using the same pseudo IMSI, and display a warning message to the user if no new pseudo IMSI has been provisioned, that somebody is tampering with the network? 


 h3. Problems 

* Still needs a large range of IMSIs that can be used for pseudonymization: to make sure that the previous pseudo IMSI is still working in case the counter SMS did not arrive, each real IMSI must get two pseudo IMSIs (old, current). We also need additional space so we don't run into too many collisions.
 * How to detect in the SIM that a message arrived late (see below)? 


 CC: @laforge, @neels
