Enhancing Location Privacy in LTE by the Use of pseudonyms

اسم الباحث     :    Abdulrahman A. Muthana Mamoon M. Saeed Khalil S. Al-WagihFuad H. Abdulrazzak
سنة النشر     :    2017
ملخص البحث     :   

Abstract—

The mechanisms adopted by cellular technologies for user identification allow an adversary to collect information about individuals and track their movements within the network; and thus exposing privacy of the users to unknown risks. Efforts have been made toward enhancing privacy preserving capabilities in cellular technologies, culminating in Long Term Evolution LTE technology. LTE security architecture is substantially enhanced comparing with its predecessors 2G and 3G. With better key management and use of pseudonyms (e.g., TMSIs and C-RNTIs) for user identification, LTE networks provide better protection of user privacy. However, LTE does not eliminate the possibility of user privacy attacks. LTE is still vulnerable to user anonymity, linkability, and traceability attacks. This paper includes an evaluation of LTE security architecture and proposes a security scheme for the enhancement of privacy-preserving capabilities of LTE architecture. The scheme is based on introducing of pseudonyms that replace the user permanent identifier (IMSI) and on enhancing the allocation procedures of the pseudonyms used for identification. The scheme provides secure and effective location management in respect to the protection of user privacy in LTE. The scheme is formally verified using proVerif and proved to provide an adequate assurance of user privacy protection.

Index Terms—LTE (Long Term Evolution), Anonymity, C-RNTI (Cell – Radio Network Temporary Identifier), User Privacy, Location Privacy.

1. INTRODUCTION

   Recently protecting user location privacy in cellular networks has received an increasing interest more particularly in Long Term Evolution (LTE) cellular technology. LTE cellular technology, which is recently proposed by the Third Generation Partnership Project [1], has security enhancements comparing to its predecessors: Global System Mobile Communication (GSM) and Universal Mobile Telecommunications System (UMTS). LTE security architecture is substantially different from its predecessors in GSM and UMTS and offers a range of security features.

   To protect the user location privacy, the LTE allocates various different temporary identities such as Global User Temporary Identifier (GUTI), temporary mobile subscriber identifier (TMSI), and cell radio network temporary identifier (C-RNTI) to a single user equipment (UE) at different levels of LTE network architecture for different services. The UE can use these identities instead of the International Mobile Subscriber Identifier (IMSI) to location itself. This strategy aims at eliminating the IMSI exposure problem and mitigating user location privacy attacks. 

   Despite this security strategy the LTE still has a number of security flaws [2-6]. The user location is still vulnerable to privacy attacks. There are some occasions when the UE is requested to identify itself with its permanent identifier IMSI. Such situations occur when the network fails to retrieve the temporary identifiers of the UE and asks the UE to transmit the UE's IMSI, which in turn transmits it (in clear text) [2]. The IMSI can be intercepted by an attacker, who then could track the movements of the user, and thus violating the user's privacy.

   In this paper we analyze the location privacy issue in LTE. We also present a solution for enhancing location privacy. The solution provides a high level of user anonymity within LTE network through introducing of pseudonyms that replaces the user temporary identities (C-RNTIs). User location privacy is preserved with minimal modifications at network architecture. The proposed solution design strategy aims at keeping the messaging system away as much as possible from the modifications and changes. We believe that this solution could be fit easily in current cellular network architecture.

   Our main contribution is the demonstration how a particular realization of an existing normal protocol employed by LTE can be obtained that substantially enhances the user location privacy preserving capability in LTE. The privacy enhancement is obtained with minimal changes on the network entities (i.e., eNB and UE) and with no changes in the message system.

   The remainder of this paper is organized as follows: Section 2 describes location procedure privacy issue in LTE. A summary of related work is given in Section 3. Section 4 and 5 present the proposed solution and its security analysis and Section 6 concludes.