5G-TMSI and 5G-GUTI in 5G Networks

Questions and Answers

What are the temporary identifiers used for identification purposes over the radio access link in mobile networks?

MSISDN

IMSI

IMEI

TMSI and GUTI (correct)

In what situation is authentication through the use of temporary identifiers not possible in mobile networks?

When a user is assigned a TMSI or GUTI for the first time

When a user switches between 2G and 3G networks

When the visited network is unable to resolve the IMSI/SUPI from the presented TMSI/GUTI (correct)

When a user is roaming internationally

What type of attack is characterized by an active man-in-the-middle adversary forcing a user to reveal its long-term identity?

IMSI catching attack (correct)

Man-in-the-middle attack

Denial-of-service attack

Phishing attack

What is the primary motivation behind addressing the privacy issue of IMSI catching in 5G networks according to the text?

To improve security by disallowing plain-text transmissions of SUPI over the radio interface

Which organization has decided to address the issue of IMSI catching in 5G networks at the cost of backward compatibility?

3GPP

What was the main reason for IMSI catching still being possible in 3G networks?

Complex possible solutions were deemed too costly.

What security feature in EPS addresses the issue of a security breach in one network affecting others?

Cryptographic network separation of authentication material.

In which location are session keys handled in EPS, making them more vulnerable compared to 3G networks?

eNBs at the edge of the access network.

What was introduced in EPS to ensure forward security in handovers, addressing vulnerabilities in session key handling?

Forward security in handovers.

Which aspect of security mainly covers Authentication, Integrity, and Ciphering of Signalling and data for UE accessing network services?

Network access security.

Why does GSM use a digital air interface?

To enable tighter frequency re-use patterns and minimize interference problems

How is a Mobile Equipment (ME) identified in GSM?

By a unique number coded into it during manufacturing

What is used to authenticate a Mobile Subscriber (MS) in GSM?

Subscriber Identity Module (SIM)

In GSM, what does the Visitor Location Register (VLR) control?

Allocation of Temporary Mobile Subscriber Identity (TMSI) numbers

Why is the Temporary Mobile Subscriber Identity (TMSI) updated frequently in GSM?

To make it difficult for calls to be traced, providing high security for the subscriber

Why is it difficult for a casual hacker to listen in to personal calls in GSM networks?

Due to the use of encryption, authentication processes, and digital encoding of air interface signals.

What is the purpose of frequency hopping in GSM networks?

To make it difficult for an observer to follow or listen to a specific call.

What type of information is stored on a SIM card in GSM networks?

Security-related information (IMSI, Ki, PIN), subscriber data, and encryption algorithms.

How does the use of a Personal Identity Number (PIN) password protect a SIM card in GSM networks?

It prevents unauthorized use of the SIM card.

Why are SIM cards designed to be difficult to duplicate in GSM networks?

To prevent fraudulent access to networks and protect subscriber information.

What is the purpose of the Identity Response sent by the UE in the 5G network?

To provide the SUCI to the AMF

In the 5G network, what is the composition of a 5G-GUTI?

PLMN + AMF ID + TMSI

When does an AMF provide a new 5G-GUTI to a UE in the 5G network?

Upon receiving an Initial Registration message from the UE

In the 5G network, what triggers an AMF to use a UE Configuration Update procedure?

Receiving a Paging message from the network

Which statement is TRUE regarding the re-assignment of 5G-GUTI in the 5G network?

Implementation may re-assign 5G-GUTI more frequently than specified in standards

What does the Globally Unique AMF ID (GUAMI) Structure consist of?

Region ID, Set ID, and Pointer

What is the purpose of the S-TMSI in 5G networks?

To enable efficient radio signaling during Paging

What does the NG-RAN use the 10 Least Significant Bits of the 5G-TMSI for?

To determine the paging time for UEs

What is the purpose of the mapping between 5G-GUTI and 4G-GUTI specified by 3GPP?

For mobility of UEs between 4G and 5G networks

Why does the AMF need to ensure that the 5G-TMSI value within the assigned 5G-GUTI is not already in use by other AMFs sharing the same GUAMI value?

To prevent conflicts in UE identification across AMFs

What cryptographic algorithms are used in the generation of the cipher key Kc for MS in GSM?

A8 and Ki

Which component in GSM is responsible for initiating the ciphering start procedure?

MSC / VLR

In 3G security improvements over GSM, what provides a key freshness guarantee through the use of sequence numbers?

UMTS AKA

What ensures that user traffic on core network interfaces is not protected in a standardized way in 3G?

Network Domain Security

Which security enhancement is added in 3G that provides mandatory integrity protection for signaling over the air?

Encryption termination in protected location (RNC)

What are the sufficiently long encryption and integrity keys CK and IK length in bits in 3G?

128 bits each

Which component informs the MSC / VLR that ciphering has started after receiving and deciphering the message from the MS?

BTS

What is impossible due to enhanced security features in 3G according to the text?

No false base station attacks

UMTS AKA stands for:

Universal Mobile Telecommunication System Authentication and Key Agreement

In GSM, which component removes the Kc from the message before sending it on to the MS?

BTS

Study Notes

Mobile Network Security

• To avoid privacy breaches, SIM cards are assigned temporary identifiers (TMSI or GUTI) by the visited network, which are frequently changed and used for identification purposes over the radio access link.

IMSI Catching Attacks

• IMSI catching attacks are a type of attack where an active man-in-the-middle adversary simulates a scenario where a user is forced to reveal their long-term identity, and this has been a problem in 2G, 3G, and 4G mobile networks.

5G IMSI Catching Solution

• In 5G, the 3GPP has addressed this issue by not allowing plain-text transmissions of the SUPI over the radio interface, even in cases of identification failure via a 5G-GUTI.

GSM Security Features

• GSM security features include:
  • A unique number coded into the Mobile Equipment (ME) for identification
  • A Subscriber Identity Module (SIM) with a smart card for subscriber authentication
  • A digital air interface that is "noise robust", enables error correction, and offers enhanced privacy and security
  • Temporary Mobile Subscriber Identity (TMSI) that is updated frequently to prevent tracing and provide security

5G Security Procedure

• In 5G, security procedures include:
  • Network access security for authentication, integrity, and ciphering of signaling and data
  • Use of a Global Unique Temporary Identifier (GUTI) allocated by the Access and Mobility Management function (AMF)
  • A GUTI that consists of a Public Land Mobile Network (PLMN) ID, an AMF ID, and a TMSI

5G GUTI Structure

• The 5G GUTI structure consists of:
  • A Globally Unique AMF ID (GUAMI) that identifies one or more AMFs
  • A 5G-TMSI that identifies the UE uniquely within the AMF
  • A GUAMI that consists of an AMF Region ID, an AMF Set ID, and an AMF Pointer

Ciphering

• Ciphering is a security function that uses a cipher key (Kc) to encrypt information sent and received by the MS
• The generation of the Kc is based on the cryptographic algorithms A8 and the Ki

3G Security Improvements

• 3G security improvements over GSM include:
  • Mandatory integrity protection for signaling over the air
  • Authentication and Key Agreement (UMTS AKA) with key freshness guarantee
  • Encryption terminating in a protected location (RNC)
  • Public design and evaluation of strong cryptographic algorithms
  • Sufficiently long encryption and integrity keys (CK, IK) of 128 bits each
  • Core network signaling protected by Network Domain Security (a profile of IPsec/IKE)

Description

Learn about how the GUAMI and 5G-TMSI uniquely identify UE within the AMF in 5G networks. Understand the assignment of 5G-GUTI and the importance of ensuring the uniqueness of 5G-TMSI values among AMFs sharing the same GUAMI.