Defeating the Downgrade Attack on Identity Privacy in 5G

  • Mohsin KhanEmail author
  • Philip Ginzboorg
  • Kimmo Järvinen
  • Valtteri Niemi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11322)


3GPP Release 15, the first 5G standard, includes protection of user identity privacy against IMSI catchers. These protection mechanisms are based on public key encryption. Despite this protection, IMSI catching is still possible in LTE networks which opens the possibility of a downgrade attack on user identity privacy, where a fake LTE base station obtains the identity of a 5G user equipment. We propose (i) to use an existing pseudonym-based solution to protect user identity privacy of 5G user equipment against IMSI catchers in LTE and (ii) to include a mechanism for updating LTE pseudonyms in the public key encryption based 5G identity privacy procedure. The latter helps to recover from a loss of synchronization of LTE pseudonyms. Using this mechanism, pseudonyms in the user equipment and home network are automatically synchronized when the user equipment connects to 5G. Our mechanisms utilize existing LTE and 3GPP Release 15 messages and require modifications only in the user equipment and home network in order to provide identity privacy. Additionally, lawful interception requires minor patching in the serving network.


3GPP IMSI catchers Pseudonym Identity privacy 5G 


  1. 1.
    Soltani, A., Timberg, C.: Tech firm tries to pull back curtain on surveillance efforts in Washington, September 2014. Accessed 14 July 2017
  2. 2.
    PKI Electronic Intelligence: 3G UMTS IMSI Catcher. Accessed 6 July 2018
  3. 3.
    Dabrowski, A., Pianta, N., Klepp, T., Mulazzani, M., Weippl, E.: IMSI-catch me if you can: IMSI-catcher-catchers. In: Proceedings of the 30th Annual Computer Security Applications Conference, ACSAC 2014, pp. 246–255. ACM, New York (2014)Google Scholar
  4. 4.
    Ney, P., Smith, J., Gabriel, C., Tadayoshi, K.: SeaGlass: enabling city-wide IMSI-catcher detection. In: Proceedings on Privacy Enhancing Technologies. PoPETs (2017)Google Scholar
  5. 5.
    3GPP: TS 22.261 Service requirements for next generation new services and markets (2018).
  6. 6.
    3GPP: TS 33.501 Security architecture and procedures for 5G System, March 2018.
  7. 7.
    Van den Broek, F., Verdult, R., de Ruiter, J.: Defeating IMSI catchers. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, CCS 2015. ACM (2015)Google Scholar
  8. 8.
    Khan, M.S.A., Mitchell, C.J.: Improving air interface user privacy in mobile telephony. In: Chen, L., Matsuo, S. (eds.) SSR 2015. LNCS, vol. 9497, pp. 165–184. Springer, Cham (2015). Scholar
  9. 9.
    Norrman, K., Näslund, M., Dubrova, E.: Protecting IMSI and user privacy in 5G networks. In: Proceedings of the 9th EAI International Conference on Mobile Multimedia Communications, MobiMedia 2016. ICST (2016)Google Scholar
  10. 10.
    Ginzboorg, P., Niemi, V.: Privacy of the long-term identities in cellular networks. In: Proceedings of the 9th EAI International Conference on Mobile Multimedia Communications, MobiMedia 2016. ICST (2016)Google Scholar
  11. 11.
    Khan, M., Mitchell, C.: Trashing IMSI catchers in mobile networks. In: Proceedings of the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2017), Boston, USA, 18–20 July 2017. Association for Computing Machinery (ACM), United States, May 2017Google Scholar
  12. 12.
    Khan, M., Järvinen, K., Ginzboorg, P., Niemi, V.: On de-synchronization of user pseudonyms in mobile networks. In: Shyamasundar, R.K., Singh, V., Vaidya, J. (eds.) ICISS 2017. LNCS, vol. 10717, pp. 347–366. Springer, Cham (2017). Scholar
  13. 13.
    3GPP: TS 23.003, 15.4.0 Numbering, addressing and identification, June 2018.
  14. 14.
  15. 15.
    Khan, M., Ginzboorg, P., Niemi, V.: IMSI-based routing and identity privacy in 5G. In: Proceedings of the 22nd Conference of Open Innovations Association FRUCT, Jyvaskyla, Finland, May 2018Google Scholar
  16. 16.
    3GPP: TS 33.401 V15.0.0 Security architecture (Release 15), June 2017.
  17. 17.
    3GPP: TS 23.012 V14.0.0 Location management procedures (Release 14), March 2017.
  18. 18.
    Herzberg, A., Krawczyk, H., Tsudik, G.: On travelling incognito. In: 1994 First Workshop on Mobile Computing Systems and Applications. IEEE Xplore (1994)Google Scholar
  19. 19.
    Asokan, N.: Anonymity in a mobile computing environment. In: First Workshop on Mobile Computing Systems and Applications. IEEE, Santa Cruz (1994)Google Scholar
  20. 20.
    Køien, G.M.: Privacy enhanced mutual authentication in LTE. In: 2013 IEEE 9th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob), pp. 614–621, October 2013Google Scholar
  21. 21.
    Khan, M., Niemi, V.: Concealing IMSI in 5G network using identity based encryption. In: Yan, Z., Molva, R., Mazurczyk, W., Kantola, R. (eds.) NSS 2017. LNCS, vol. 10394, pp. 544–554. Springer, Cham (2017). Scholar
  22. 22.
    Certicom Research: SEC 1: Elliptic Curve Cryptography. Standards for Efficient Cryptography, Ver. 2.0, May 2009.
  23. 23.
    Certicom Research: SEC 2: Recommended Elliptic Curve Domain Parameters. Standards for Efficient Cryptography, Ver. 2.0, January 2010.
  24. 24.
    NIST: Advanced Encryption Standard (AES). FIPS PUB 197 (2001)Google Scholar
  25. 25.
    NIST: Recommendation for Block Cipher Modes of Operation: Methods and Techniques. SP 800–38A (2001)Google Scholar
  26. 26.
    Krawczyk, H., Bellare, M., Canetti, R.: HMAC: Keyed-Hashing for Message Authentication. RFC 2104, February 1997Google Scholar
  27. 27.
    NIST: Secure hash standard (SHS). FIPS PUB 180-4 (2012)Google Scholar
  28. 28.
    Bernstein, D.J.: Curve25519: new Diffie-Hellman speed records. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 207–228. Springer, Heidelberg (2006). Scholar
  29. 29.
    Langley, A., Hamburg, M., Turner, S.: Elliptic Curves for Security. RFC 7748, January 2016Google Scholar
  30. 30.
    Interactive digital media GmbH: Mobile Country Codes (MCC) and Mobile Network Codes (MNC).
  31. 31.
    Wikipedia: List of mobile network operators.
  32. 32.
    3GPP: TS 33.106: 3G security; Lawful interception requirements (2018).
  33. 33.
    3GPP: TS 33.126 V15.0.0 Lawful Interception requirements, June 2018.

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Mohsin Khan
    • 1
    • 2
    Email author
  • Philip Ginzboorg
    • 3
    • 4
  • Kimmo Järvinen
    • 1
    • 2
  • Valtteri Niemi
    • 1
    • 2
  1. 1.University of HelsinkiHelsinkiFinland
  2. 2.Helsinki Institute for Information TechnologyHelsinkiFinland
  3. 3.Huawei TechnologiesHelsinkiFinland
  4. 4.Aalto UniversityEspooFinland

Personalised recommendations